Full Disclosure mailing list archives
Re: RC4 and Lotus Notes
From: aliver () xexil com
Date: Mon, 21 Apr 2003 11:22:03 -0600 (MDT)
> Which version are you using, the international version or the USA version? The latter uses more bits for keys.
I'm coding with the libraries from Domino 6.0.1 domestic (USA) version, under Linux. I think the international versions use RC2 with some hideously small key sizes. After a few long nights of debugging I can say for sure that the buffer used for the RC4 key in Notes is 256 bits. I'm not sure how they handle the IV, key re-use, and other factors that'd help the Fluhrer, Mantin, Shamir attack. This is Lotus Notes we are talking about, so the answer is probably "poorly". I've only got the libraries, not the source, so I can't tell WTF is going on, really.

Ah well, I'm not too concerned with it since my app just decrypts the message regardless of how it was encrypted then hands it to a local Linux MDA (in this case, procmail). I'll probably try out gpgme to re-crypt the message if it was originally encrypted in the user's Lotus Notes account.

aliver

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html