Open Source and information security mailing list archives
 
From: aliver at xexil.com (aliver@...il.com)
Subject: Re: RC4 and Lotus Notes

> Which version are you using international version or USA version?
> The latter uses more bits for keys.

I'm coding with the libraries from Domino 6.0.1 domestic (USA) version,
under Linux. I think the international versions use RC2 with some
hideously small key sizes. After a few long nights of debugging I can say
for sure that the buffer used for the RC4 key in Notes is 256 bits. I'm
not sure how they handle the IV, key re-use, and other factors that'd help
the Fluhrer, Mantin, Shamir attack. This is Lotus Notes we are talking
about, so the answer is probably "poorly". I've only got the libraries,
not the source, so I can't tell WTF is going on, really.
	Ah well, I'm not too concerned with it since my app just decrypts
the message regardless of how it was encrypted then hands it to a local
Linux MDA (in this case, procmail). I'll probably try out gpgme to
re-crypt the message if it was originally encrypted in the user's Lotus
Notes account.

aliver

