(old note contd.) lotus-notes NSA key as PGP key

R. A. Hettinga rah at shipwright.com
Tue Mar 19 10:16:40 EST 2002


--- begin forwarded text


Status:  U
Date: Tue, 19 Mar 2002 01:30:13 +0000
From: Adam Back <adam at cypherspace.org>
To: Cypherpunks <cypherpunks at lne.com>
Subject: (old note contd.) lotus-notes NSA key as PGP key
User-Agent: Mutt/1.2.2i
Sender: owner-cypherpunks at lne.com

I was looking for a file in my collection of archived stuff recently
and came across my attempts to reverse engineer the NSA's RSA public
key out of Lotus Notes.  I think I never did publicly post the RSA key
that I found.

So here it is as a PGP key, the name associated with this key in Lotus
Notes visible under the debugger was:

	O=MiniTruth CN=Big Brother

where O is X.500 naming for Organization, and CN for Common Name (the
key owner's name).

The PGP key is:

Type Bits/KeyID    Date       User ID
pub   760/13629D8D 1998/10/25 Director, NSA <dirnsa at nsa.gov>

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQBsAzYyeuIAAAEC+LuVWM2LaDEM9zoS4x/ES9h74MT+Lri26g9PsGhPlVn2VukS
PuF1YHYSw+zFgLznjDOIzyNGhFD7Z85htRGB36BHubgzGLRy/jkpq8qO5RIG/+m4
ma7OpacD79MTYp2NAAIDtB5EaXJlY3RvciwgTlNBIDxkaXJuc2FAbnNhLmdvdj4=
=aoSi
-----END PGP PUBLIC KEY BLOCK-----

It's a 760 bit RSA key with a public exponent of 3.

I found it a little odd that it was 760 bits rather than 768 bits, but
I think I got the endianness and encoding right as the number is not
trivially factorizable (I left a computer running pollard-rho for a
few weeks at the time and didn't come up with anything).  One possible
explanation for 760 bits rather than 768 bits is the 768 bit 32 bit
aligned area of memory ended with a 0 byte, and ASN.1 encoding
for big integers is to include a leading 0 if the most significant bit
of the number is otherwise a 1 (to prevent it being considered a
negative number).  I know it's not prime as it fails primality checks,
but I think it's fairly unlikely that a randomly chosen number (if
there is a mistake in the reverse engineering or interpretation of the
encoding) would be both composite and that hard to factor.

More details about the key at:

	http://www.cypherspace.org/adam/hacks/lotus-nsa-key.html

(A quick google shows that this was probably originally reported
around Sep 99.)

I wonder how many copies of export versions of Lotus Notes and
similarly US export weakened products are still being used unknowingly
by users.

Adam

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
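
An added example, not part of the original message: a minimal parser for the PGP 2.6 (version 3) key block quoted above. It reads the modulus size, public exponent, key ID and user ID from the packets, and computes how many octets the modulus would occupy as an ASN.1 DER INTEGER. Function names are this example's own, and it handles only old-format packets with one- or two-byte lengths.

```python
import base64

# Radix-64 body of the key block in the message above (armor headers and CRC line omitted).
KEY_B64 = (
    "mQBsAzYyeuIAAAEC+LuVWM2LaDEM9zoS4x/ES9h74MT+Lri26g9PsGhPlVn2VukS"
    "PuF1YHYSw+zFgLznjDOIzyNGhFD7Z85htRGB36BHubgzGLRy/jkpq8qO5RIG/+m4"
    "ma7OpacD79MTYp2NAAIDtB5EaXJlY3RvciwgTlNBIDxkaXJuc2FAbnNhLmdvdj4="
)

def packets(data):
    """Yield (tag, body) for old-format packets with 1- or 2-byte lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0xC0 != 0x80 or ctb & 0x03 > 1:
            raise ValueError("unsupported packet header 0x%02x" % ctb)
        tag, nlen = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
        size = int.from_bytes(data[i + 1:i + 1 + nlen], "big")
        yield tag, data[i + 1 + nlen:i + 1 + nlen + size]
        i += 1 + nlen + size

def read_mpi(buf, pos):
    """Read an MPI: 2-byte bit count, then ceil(bits/8) big-endian bytes."""
    bits = int.from_bytes(buf[pos:pos + 2], "big")
    end = pos + 2 + (bits + 7) // 8
    return int.from_bytes(buf[pos + 2:end], "big"), bits, end

def parse_key(b64=KEY_B64):
    info = {}
    for tag, body in packets(base64.b64decode(b64)):
        if tag == 6:  # public key: version, 4-byte time, 2-byte validity, algorithm
            if body[0] != 3 or body[7] != 1:
                raise ValueError("expected a version 3 RSA key")
            n, bits, pos = read_mpi(body, 8)
            e = read_mpi(body, pos)[0]
            info.update(n=n, e=e, bits=bits, key_id="%08X" % (n & 0xFFFFFFFF))
        elif tag == 13:  # user ID
            info["uid"] = body.decode("latin-1")
    return info

def der_integer_len(n):
    """Content octets of a positive DER INTEGER (0x00 prepended if top bit set)."""
    return n.bit_length() // 8 + 1

if __name__ == "__main__":
    k = parse_key()
    print(k["bits"], k["e"], k["key_id"], k["uid"], der_integer_len(k["n"]) * 8)
```

For this key the modulus is 760 bits with its top bit set, so its DER INTEGER content is 96 octets (768 bits) because of the prepended zero octet.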


