Full Disclosure mailing list archives

RC4 and Lotus Notes


From: aliver () xexil com
Date: Mon, 21 Apr 2003 08:42:21 -0600 (MDT)


        While developing something boring using the Lotus C API for Linux,
I noticed while using valgrind that functions like NSFNoteDecrypt() and
NSFNoteIsSignedOrSealed() are still making use of RC4 encryption with a
256-bit key even when I use "strong" encryption settings in its lame
Windows MegaGUI. IIRC, RC4 is known to have some weaknesses in its key
scheduling that have yielded some interesting results (WEP, Winnt, etc.).
        I'm pretty sure my libnotes.so is up to date. Am I misinformed
about the choice of crypto in Lotus Notes? Anyone know of plans to change
this? I guess it doesn't matter since nobody is masochistic enough to work
on a brute forcer for something as nasty as LN. It's what you call
"security-through-being-so-disgusting-no-one-will-play-with-you" or "the
hagfish method."

aliver


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

