Full Disclosure mailing list archives
RC4 and Lotus Notes
From: aliver () xexil com
Date: Mon, 21 Apr 2003 08:42:21 -0600 (MDT)
While developing something boring using the Lotus C API for Linux. I noticed while using valgrind that functions like NSFNoteDecrypt() and NSFNoteIsSignedOrSealed() are still making use of RC4 encryption with a 256 bit key even when I use "strong" encryption settings in it's lame windows MegaGUI. IIRC, RC4 is known to have some weaknesses in it's key scheduling that have yielded some interesting results (WEP, Winnt, etc..). I'm pretty sure my libnotes.so is up to date. Am I misinformed about the choice of crypto in Lotus Notes? Anyone know of plans to change this? I guess it doesn't matter since nobody is masochistic enough to work on a brute forcer for something as nasty as LN. It's what you call "security-through-being-so-disgusting-no-one-will-play-with-you" or "the hagfish method." aliver _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RC4 and Lotus Notes aliver (Apr 21)
- Re: RC4 and Lotus Notes HAYAKAWA Hitoshi (Apr 21)
- Re: RC4 and Lotus Notes Derek Atkins (Apr 21)
- <Possible follow-ups>
- Re: RC4 and Lotus Notes aliver (Apr 21)