

Surreptitiously Weakening Cryptographic Systems - privong
http://eprint.iacr.org/2015/097

======
swordswinger12
This paper is great and contains some really interesting historical examples
of backdoored crypto. For example, Lotus Notes 4 circumvented export controls
by using a 64-bit key but taking the first 24 bits and encrypting them with a
public key available to the NSA, thus meeting the 40-bit limit.

~~~
PeterWhittaker
I'm not sure I'm at liberty to cite explicitly another example, but I will
allude to it: At the time when only 512-bit-RSA was permitted for general
export, export a 1024-bit-RSA based system by ensuring that each time public
key encryption is performed, a 512-bit key pair is generated, the wrapped
symmetric key included with the payload, and the 512-bit key pair discarded.

Removed in later versions, AFAIK, as regulations relaxed, e.g., with the
advent of Wassenaar.

~~~
yuhong
SSL 3.0 and TLS 1.0 did this (with a ServerKeyExchange message), with the
limit being 512-bit for 40-bit export cipher suites and 1024-bit for the
56-bit export cipher suites. This is another reason why it is unfortunate that
the 56-bit export cipher suites were disabled in OpenSSL in 2006.

~~~
PeterWhittaker
Wow, timely: [http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/](http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/) and
[https://news.ycombinator.com/item?id=9139273](https://news.ycombinator.com/item?id=9139273)
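The ephemeral export-RSA ServerKeyExchange that yuhong describes above, and the client-side check whose absence the FREAK report linked above turned into a downgrade, as an added worked example that is not part of the original thread or of the paper. It parses the ServerRSAParams structure from RFC 2246 and applies the checks a client should make before using the key. The cipher suite numbers are the TLS 1.0 registry values (the 56-bit EXPORT1024 suites come from the expired IETF draft that OpenSSL implemented); the sample moduli are constructed placeholders with the top bit set, not real RSA keys; and signature verification against the server certificate is deliberately left out, as noted in the code.

```python
"""Added example (not from the paper or the thread): client-side validation of an
SSL 3.0 / TLS 1.0 ServerKeyExchange that carries an ephemeral "export" RSA key.

Wire format (RFC 2246 section 7.4.3, RSA case):
    struct {
        opaque rsa_modulus<1..2^16-1>;
        opaque rsa_exponent<1..2^16-1>;
    } ServerRSAParams;
    opaque signature<0..2^16-1>;   # over ClientHello.random || ServerHello.random || params

The sample keys below are constructed placeholders, not real RSA moduli.
"""
import struct

# TLS 1.0 cipher suite numbers (RFC 2246 A.5) and the 56-bit suites from the
# expired draft-ietf-tls-56-bit-ciphersuites that OpenSSL shipped until 2006.
RSA_EXPORT_40 = {0x0003, 0x0006, 0x0008}   # RC4_40_MD5, RC2_CBC_40_MD5, DES40_CBC_SHA
RSA_EXPORT_56 = {0x0062, 0x0064}           # EXPORT1024_WITH_DES_CBC_SHA, EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F      # a normal, non-export suite

# Largest ephemeral RSA modulus the export rules allowed for each suite family.
EXPORT_RSA_CAP_BITS = {**{s: 512 for s in RSA_EXPORT_40}, **{s: 1024 for s in RSA_EXPORT_56}}


def _vector(buf, off, min_len):
    """Read one 2-byte-length-prefixed opaque vector starting at offset off."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n < min_len or off + n > len(buf):
        raise ValueError("bad vector length %d" % n)
    return buf[off:off + n], off + n


def parse_server_rsa_params(body):
    """Split a ServerKeyExchange body into (modulus, exponent, signature) bytes."""
    modulus, off = _vector(body, 0, 1)
    exponent, off = _vector(body, off, 1)
    signature, off = _vector(body, off, 0)
    if off != len(body):
        raise ValueError("trailing bytes after signature")
    return modulus, exponent, signature


def build_server_key_exchange(modulus, exponent, signature):
    """Encode ServerRSAParams + signature; used here to construct sample messages."""
    out = b""
    for field in (modulus, exponent, signature):
        out += struct.pack("!H", len(field)) + field
    return out


def modulus_bits(modulus):
    return int.from_bytes(modulus, "big").bit_length()


def check_server_key_exchange(offered, negotiated, body, min_rsa_bits=1024):
    """Return 'accept' or 'reject:<reason>' for an RSA-params ServerKeyExchange.

    Verifying the signature with the server certificate's key is out of scope for
    this example; a real client must do it, or a MITM can substitute its own key.
    """
    # The check FREAK-vulnerable clients skipped: RSA params are only legal when an
    # RSA_EXPORT suite was negotiated. Accepting them under 0x002F allows a downgrade.
    if negotiated not in EXPORT_RSA_CAP_BITS:
        return "reject:rsa-params-for-non-export-suite"
    # The server may only select a suite the client actually offered.
    if negotiated not in offered:
        return "reject:suite-not-offered"
    modulus, exponent, _sig = parse_server_rsa_params(body)
    bits = modulus_bits(modulus)
    if bits > EXPORT_RSA_CAP_BITS[negotiated]:
        return "reject:key-exceeds-export-cap"   # 512 for 40-bit suites, 1024 for 56-bit
    if bits < min_rsa_bits:
        return "reject:key-factorable"           # 512-bit RSA is factorable today
    if int.from_bytes(exponent, "big") < 3:
        return "reject:bad-exponent"
    return "accept"


# Constructed sample keys: top bit set so the bit length is exact; not real RSA moduli.
MOD_512 = b"\xc0" + b"\x11" * 63      # 64 bytes  -> 512-bit modulus
MOD_1024 = b"\xc0" + b"\x11" * 127    # 128 bytes -> 1024-bit modulus
EXP_F4 = b"\x01\x00\x01"              # e = 65537
FAKE_SIG = b"\x00" * 128              # placeholder signature bytes

SKE_512 = build_server_key_exchange(MOD_512, EXP_F4, FAKE_SIG)
SKE_1024 = build_server_key_exchange(MOD_1024, EXP_F4, FAKE_SIG)

if __name__ == "__main__":
    offered = {TLS_RSA_WITH_AES_128_CBC_SHA, 0x0064}
    # A MITM rewrote the ServerHello to a non-export suite but kept the export key:
    print(check_server_key_exchange(offered, TLS_RSA_WITH_AES_128_CBC_SHA, SKE_512))
    # Honest 56-bit export negotiation with a 1024-bit ephemeral key:
    print(check_server_key_exchange(offered, 0x0064, SKE_1024))
```

The first rejection is the one that matters historically: an RSA_EXPORT ServerKeyExchange must be refused whenever the negotiated suite is not an export suite, regardless of how long the key is. The size checks then encode the two limits yuhong gives (512 bits for the 40-bit suites, 1024 for the 56-bit ones), and the `min_rsa_bits` floor rejects the 512-bit keys outright, since factoring them is within reach of a modest budget today.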

------
xnull2guest
I'm upset that the paper didn't include known 'sidedoors' designed in to get
Windows Device Encryption (Bitlocker) keys, nor the controversy over remote
TPM attestation, nor the 12-bit keyspace that Apple provides the user through
its Secure Enclave.

