This page has also been translated into Russian here
and into Polish here

NSA's Backdoor Key from Lotus-Notes

Before the US crypto export regulations were finally disolved the export version of Lotus Notes used to include a key escrow / backdoor feature called differential cryptography. The idea was that they got permission to export 64 bit crypto if 24 of those bits were encrypted for the NSA's public key. The NSA would then only have the small matter of brute-forcing the remaining 40 bits to get the plaintext, and everyone else would get a not-that-great 64 bit key space (which probably already back then NSA would have had the compute power to brute force also, only at higher cost).

Anyway as clearly inside the application somewhere would be an NSA public key that the NSA had the private key for, I tried reverse engineering it to get the public key.

In doing this I discovered that the NSA public key had an organizational name of "MiniTruth", and a common name of "Big Brother". Specifically what I saw in my debugger late one night, which was spooky for a short moment was:

O=MiniTruth CN=Big Brother

Literary note: for those who have not read Orwell's prescient "1984" the Ministry of Truth was the agency who's job was propaganda and suppression of truths that did not suit the malignant fictional future government in the book, and "Big Brother" was the evil shadowy leader of this government. The whole book is online here.

The NSA's Public Key

I put this together some years after the reverse-engineering stint, so there could be errors, but this is from my notes, the raw public key modulus from the debugger:

  8D9D6213D3EF03A7 A5CEAE99B8E9FF06
  12E58ECAAB2939FE 72B41833B8B947A0
  DF8111B561CE67FB 50844623CF88338C
  E7BC80C5ECC31276 6075E13E12E956F6
  59954F68B04F0FEA B6B82EFEC4E07BD8
  4BC41FE3123AF70C 31688BCD5895BB00

I figured it was in little endian format by trial and error; other formats were easy to factor. So the big endian hex representation is:

e = 3 n = \ 00BB9558CD8B68310CF73A12E31FC44BD87BE0C4FE2EB8B6EA0F4FB0684F9559\ F656E9123EE175607612C3ECC580BCE78C3388CF23468450FB67CE61B51181DF\ A047B9B83318B472FE3929ABCA8EE51206FFE9B899AECEA5A703EFD313629D8D

where the modulus is 760 bits, and the public key formatted as a PGP key is (of course I made this user id up -- you can edit it to whatever you choose it's of course not self-signed):

Type Bits/KeyID Date User ID pub 760/13629D8D 1998/10/25 Director, NSA <> -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3i mQBsAzYyeuIAAAEC+LuVWM2LaDEM9zoS4x/ES9h74MT+Lri26g9PsGhPlVn2VukS PuF1YHYSw+zFgLznjDOIzyNGhFD7Z85htRGB36BHubgzGLRy/jkpq8qO5RIG/+m4 ma7OpacD79MTYp2NAAIDtB5EaXJlY3RvciwgTlNBIDxkaXJuc2FAbnNhLmdvdj4= =aoSi -----END PGP PUBLIC KEY BLOCK-----

and here's what pgpacket has to say about the contents of that key:

--------------------------- Packet Type:Public Key Packet Length:108 Version Byte:3 Key Created:25 Oct 1998 01:12:02 Valid forever Algorithm:1 (RSA) N:0xBB9558CD8B68310CF73A12E31FC44BD87BE0C4FE2EB8B6EA0F4FB0684F9559F6\ 56E9123EE175607612C3ECC580BCE78C3388CF23468450FB67CE61B51181DFA0\ 47B9B83318B472FE3929ABCA8EE51206FFE9B899AECEA5A703EFD313629D8D E:0x03 Key ID: 0xA703EFD313629D8D --------------------------- Packet Type:User ID Packet Length:30 User ID:"Director, NSA <>"
Comments, html bugs to (Adam Back) at <>