Hi Mat, Ted:
RC5 was invented by MIT Prof Ron Rivest in 1994 for RSA Security, and RSA
received a US patent for RC5 in May of 1997. RSA licenses RC5 separately
-- as well as part of its BSAFE SDKs (including the BSAFE Crypto-C Micro
Edition, and BSAFE SSL-C Micro Edition:.) See: <http://tinyurl.com/aeosg>.
RSA never patented or otherwise restricted the use of Rivest's hashes: MD2,
MD4, and MD5. Over the years, however, the integrity of each of these has
been undermined by advances in cryptanalytic research. As far back as
1996, RSA Labs publicly urged developers to use the 160-bit SHA-1 hash,
instead of MD5, and to plan for the migration of existing MD5
implementations.
Further research into MD5 vulnerabilities has led RSA to bluntly and
repeatedly declare MD5 "broken" and insecure.
I don't know what your alternative are in OpenSSL, but reports earlier this
year about a new attack on the 160-bit SHA-1 by Xiaoyun Wang, Yiqun Lisa
Yin, and Hongbo Yu led many developers to shift to SHA-256 (and to call for
a major AES-style development effort to explore alternative constructs for
one-way functions.)
RSA Labs, for which I've been a consultant for many years, published a
couple of summary notes on the SHA-1 developments
at:<http://www.rsasecurity.com/rsalabs/>
Hope this helps.
Suerte,
_Vin
--------- in response to ---------------------------------------------
Ted Mittelstaedt <tedm_at_toybox.placo.com> wrote:
md5 is not patented. des and 3des the patent expired. Blowfish was
originally published
not patented. That's all I know. With Cisco IPSec work just about all
configs use md5, sha,
des and 3des and Cisco isn't known for liking to pay royalties to
anyone. If I were you I
would stick with md5, des and 3des.
Ted
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kramer, Mat
Sent: Monday, July 11, 2005 1:34 PM
To: openssl-users@openssl.org
Subject: Algorithm licensing
Hello,
We are using OpenSSL in an embedded device. I have been told that some
of the cipher suites include patented algorithms that must be
licensed. The OpenSSL FAQ is intentionally vague about what algorithms
are protected, although it recommends a specific configuration to remove
RC5, IDEA and MDC2. Are these the only three that are protected? Is
there anywhere I can find out definitively what algorithms are protected?
Thanks,
-Mat
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
