Re: P1363, name "RSA"

1999-04-11 Thread Sameer Parekh

If RSA failed to attempt to protect their trademark in 1996,
then they will have no luck trying to protect their trademark now. If,
in fact, RSA did not claim trademark protection in 1996 then there is
absolutely no way any court will grant RSA any trademark protection
for RSA now and in the future.
I'm not a lawyer, but you don't need to be a lawyer to know
how to protect a trademark, and RSA did exactly the *wrong* thing to
protect their trademark.

It appears that in the first letter RSA is granting a license
to IEEE to use the word "RSA" in the context of the document. In doing
so, RSA is trying to claim that they actually have an enforceable
trademark on the term RSA. So they are not telling IEEE not to use the
"RSA" term. They are granting a license to IEEE to use the RSA term,
which license is of course not necessary.
The second letter grants a more broad license, because the
community was upset with the license granted in the first letter. The
correct response, however, is not to complain that the 2nd, more broad
license is not broad enough, but to realize that no license, implicit
or explicit, is necessary to use the mark RSA to describe the
algorithm.

Things like this have happened before, and the cryptography
community has won. I'm surprised that the community is rolling over so
fast this time. Has everyone gone soft in expectation of the patent
expiring? Has everyone forgotten that the fact that SSL is now
deployed worldwide in full-strength capability *hinges* upon the fact
that a non-RSA-source version of RC4 was in widespread use?

-- 
sameer



Re: RSA patent on ECC

1999-04-11 Thread Vin McLellan

At 10:28 AM 4/9/99 -0400, P. J. Ponder wrote:
>RSA has a note on their web site about a patent issued April 7, 1999,
>which provides a memory efficient means of converting between polynomial
>basis and normal basis stored numbers.
>
>http://www.rsa.com/pressbox/html/990407.html

 The actual patent is:

B.S. KALISKI JR. and Y.L. YIN. Methods and Apparatus for Efficient Finite
Field Basis Conversion. U.S. Patent No. 5,854,759, December 29, 1998.

The press release is actually quite informative in suggesting the
potential of this technique for bridging between two ECC vendor/user
communities.  

   Some may prefer to read  the paper submitted to IEEE P1363 by Burt
Kaliski (Chief Scientist at RSA Labs, and Chair of P1363) and  Lisa  Yin
(with Ron Rivest and Matt Robshaw, one of the inventors of RC6).  See:


Title:  Storage-efficient finite field basis conversion 
Authors:  Burton S. Kaliski, Jr. and Yiqun Lisa  Yin
Abstract:

" The problem of finite field basis conversion is to convert from the
representation of a field element in one  basis to the representation of the
element in another basis. This paper presents new algorithms for the
problem that require much less storage than previous solutions. 

   " For the finite field GF(2^m), for example, the  storage requirement
of the new algorithms is only O(m) bits, compared to O(m^2) for previous
solutions. With the new algorithms, it is possible to extend an
implementation in one basis to support other bases with little additional
cost, thereby providing the desired interoperability in many cryptographic
applications. "

  "Cryptography is like literacy in the Dark Ages. Infinitely potent,
for good and ill... yet basically an intellectual construct, an idea,
which by its nature will resist efforts to restrict it to bureaucrats
and others who deem only themselves worthy of such Privilege."
  _A Thinking Man's Creed for Crypto  _vbm

 * Vin McLellan + The Privacy Guild + <[EMAIL PROTECTED]>*
  53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548




Re: P1363, name "RSA"

1999-04-11 Thread Roger Schlafly

I was the one who originally raised the issue regarding whether a
standard should use the name "RSA", so I thought I'd explain the
history.  See, eg, the Aug. 96 P1363 minutes
http://grouper.ieee.org/groups/1363/minutes/Aug96.txt
where I argued in vain that "RSA" should be replaced by a more
generic term such as "Composite Modulus".  No one agreed with me.
The RSADSI legal dept. sent a slide showing all of its claimed
trademarks, and "RSA" was conspicuously absent.  RSADSI apparently
saw it to be in its interests to get the name "RSA" into standards
and disclaim any trademarks on it.

Eventually, after much discussion, P1363 changed the family name
"RSA" to "IF", for "Integer Factorization".  (The name "IF" was not
my choice -- I argued that it was not descriptive, but no one agreed
with me.)  Also, as a result of my objections, ANSI X9.31 changed
its name from "RSA" (digital signature algorithm) to "rDSA".

Just as P1363 was going to ballot, SDTI/RSADSI suggested that
we avoid the term "RSA" in order to help RSADSI get trademark
protection in the future.
http://grouper.ieee.org/groups/1363/letters/SecurityDynamics.jpg

This week, SDTI/RSADSI issued a new letter, purportedly to
clarify its position.
http://grouper.ieee.org/groups/1363/letters/SecurityDynamics2.jpg
However, the new letter seems to be a departure from its previous
position in that it says:

"The RSA trademark is a valuable asset of RSA Data Security, Inc."

Ie, it now claims a trademark on "RSA".  OTOH, it says that in
the earlier letter they said that they "do not intend to rely on our 
trademark rights in the RSA brand to prevent the use of ... the 
terms 'RSA public key', ...".  But what the earlier letter actually
says is "The terms 'RSA public key' ... may be similarly affected
by such protection."

It is not clear to me exactly what protection SDTI/RSADSI is
seeking, or how such protection would affect someone using
a phrase like "RSA public key" in commerce.

At 04:58 PM 4/9/99 -0400, Vin McLellan wrote:
> SDTI, RSA's parent firm, for which I have been a consultant for
> many years, never said they were going to restrict the use of
> the term RSA by real people, or even members of standards groups. 

Huhh?  The whole purpose of trademarks is to allow a company
to monopolize a commercial name.  If SDTI is claiming a trademark
on "RSA", then it is trying to restrict real people regarding
use of the name.  It has also asked our standards group not to use
the "RSA" name.

I think it is a little late (and silly) for SDTI/RSADSI to claim
a trademark on "RSA" at this point.  The term "RSA" was put
into P1363 with active encouragement from RSADSI and with 
disavowals of trademark coverage.  It seems fairly clear to me
that someone should be able to implement P1363 techniques
without worrying about a trademark claim from SDTI/RSADSI.

BTW, the history of public key is a fascinating digression.
Does anyone have the actual quote in which Bobby Inman
claimed that the NSA invented public key cryptography
before the Stanford/MIT groups?  He may have merely said
that the NSA knew about public key, in which case it would
have been a true statement based on what we now know about
GSEG and the likely cooperation between GSEG and NSA.

Roger Schlafly
P1363 Secretary





Re: P1363: Re: The name of "RSA"

1999-04-11 Thread Michael J. Markowitz

At 04:58 PM 4/9/99 -0400, Vin McLellan wrote:
>
>The discussion of alternative names for "RSA" has been an amazing
>and entertaining carnival, spawned by a wildly exaggerated interpretation of
>a 3/1/99 SDTI letter to the P1363 working group.  SDTI, RSA's parent firm,
>for which I have been a consultant for many years,  never said they were
>going to restrict the use of the term RSA by real people, or even members of
>standards groups. 

Vin:

1) the interpretation *by* the working group -- which, in the end,
is all that matters -- has not been exaggerated... and our response 
needs to be appropriate and consistent with our responsibility for 
the standard

2) that should be "RSADSI's parent firm" not "RSA's parent firm"  
(your slip is noted with appreciative humor)

3) SDTI may not have said *they* would "restrict the use of RSA by 
real people," but RSADSI has a history of doing exactly that going
back at least 12 years (yes, Schlafly and I are real people as well 
as members of P1363); a legitimate fear is that, once the patent
expires, this will be the preferred means of stifling competition

4) the P1363 working group has no reason to believe that SDTI will 
be any less litigious in the future than RSADSI was in the past... 
in fact, there is considerable recent evidence to the contrary.

> The RSA brand name  issue, as SDTI sees it,  is whether commercial
>competitors will be allowed to mislead consumers as to who crafted a module
>of implementation code.  

I find it simply amazing that you presume to speak for SDTI (as not 
even Margaret Seif seems to be doing that very well), but since you've
assumed that role...

>anyone curious about SDTI's actual claims about RSA as a brand
>name should check out SDTI's new letter to IEEE at:


I've checked out this letter and I'm still curious... and confused.  
It says "... we ... accept that ANY party creating a product which
conforms with the P1363 standard will be able to state that the
product incorporates the RSA algorithm..."  (emphasis mine)

Since you're speaking for SDTI now, was it in fact Margaret's intent
to provide Schlafly and me with relief from that particular clause 
of our 1987 Consent Agreement that has since barred us from using 
the dreaded three letters in ANY commercial context?

Looks like we may see yet another letter clarifying this last one...
if only to add the list of individuals and corporations SDTI wants
to explicitly prohibit from using their "trademark."  Warning: that
list may look suspiciously like the list of entities who have
not licensed BSAFE.

-mjm


==
Michael J. Markowitz, VP R&D       Email: [EMAIL PROTECTED]
Information Security Corporation   Voice: 847-405-0500
1011 Lake Street, Suite 212        Fax:   847-405-0506
Oak Park, IL  60301                WWW:   http://www.infoseccorp.com



RSA retracts its trademark issue over "RSA".

1999-04-11 Thread John Gilmore

Date: Wed, 7 Apr 1999 10:00:43 -0400 (EDT)
From: Leonid Reyzin <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: P1363: Follow-up trademark letter on our web site

--
This is a stds-p1363 broadcast.  See the IEEE P1363 web  page
(http://grouper.ieee.org/groups/1363/)  for more information,
including how to subscribe/unsubscribe.
--

Security Dynamics Technologies, Inc. has sent a follow-up letter to the
P1363 working group regarding trademark protection of the RSA name.  The
new letter is now also available from our patents page
http://grouper.ieee.org/groups/1363/patents.html or directly at
http://grouper.ieee.org/groups/1363/letters/SecurityDynamics2.jpg



Re: references to password sniffer incident

1999-04-11 Thread Bill Frantz

I know of three systems that have been attacked in the last month or so.
One was attacked by social engineering the password out of a user.
Another was attacked by installing NETBUS on a user's machine.  The third
was attacked by having the attacker subscribe himself to the mailing list
used to distribute passwords.  (Mailing list!)

With this being the state of the art in protection, why bother with
intercepts, cryptanalysis, etc.?



-
Bill Frantz   | Macintosh: Didn't do every-| Periwinkle -- Consulting
(408)356-8506 | thing right, but did know  | 16345 Englewood Ave.
[EMAIL PROTECTED] | the century would end. | Los Gatos, CA 95032, USA





Re: references to password sniffer incident

1999-04-11 Thread Peter Gutmann

Dominick LaTrappe <[EMAIL PROTECTED]> writes:
 
>While on the topic of password-sniffing anecdotes from conferences --
>
>At the 2600-coordinated Beyond HOPE conference (NYC, 1997), it was made very
>clear to users that passwords transmitted in-the-clear would be sniffed.  To
>hammer home the point, one participant in the Tiger Teaming panel singled-out
>an unlucky telnet user, announcing a domain name and hinting at the password
>over the loudspeaker system.  It got a pretty good laugh from the audience.
>
>Perhaps that's the kind of shock factor that's necessary to get people (certain
>people, anyhow) thinking realistically about security.  We even considered
>sniffing passwords and hooking up a line printer in a central location.
>nah! :)
 
A while back at a trade show attended by large numbers of banks, one of the
vendors considered running a sniffer to display the traffic on the show LAN
just to demonstrate to attendees how easy it was to get at this sort of
information.  In the end they decided that while it would make an effective
demo, it would also probably be the last time they attended the show if they
ran it.  The general response to this sort of thing from attendees was "Our
data doesn't go across the network as text, it's all encoded" (meaning it was
all bundled up using something like X.12), which ignored the fact that the
70-80% of breaches which are internal would be by people who know the format
anyway, and the remaining 20-30% wouldn't take more than 5 minutes to figure it
out (decoding X.12 isn't exactly rocket science, you can mostly do it just by
looking at the records).  To give an idea of the kind of data which would be
transmitted in this manner, one attendee mentioned that the average single
transaction they handled was $10M and the typical daily transaction amount was
$10B (although obviously they weren't running this sort of stuff on the show
LAN).
 
Peter.
 




Re: The name of "RSA"

1999-04-11 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, Vin McLellan writes:
> 
> The discussion of alternative names for "RSA" has been an amazing
> and entertaining carnival, spawned by a wildly exaggerated interpretation of
> a 3/1/99 SDTI letter to the P1363 working group.  SDTI, RSA's parent firm,
> for which I have been a consultant for many years,  never said they were
> going to restrict the use of the term RSA by real people, or even members of
> standards groups. 

Vin, the original letter 
(http://grouper.ieee.org/groups/1363/letters/SecurityDynamics.jpg)
specifically suggested that the algorithm identifiers be renamed, and
noted that "the terms 'RSA public key,' 'RSA private key,' and 'RSA
key pair' may similarly be affected by such protection".  That sure
sounds to me as if they were claiming trademark protection in a way
that could affect implementors.  The second letter, which you cite below,
suggests that they backed down, after seeing the public response.  I personally
don't think anything was taken out of context or misinterpreted.

> 
>  The RSA brand name  issue, as SDTI sees it,  is whether commercial
> competitors will be allowed to mislead consumers as to who crafted a module
> of implementation code.  The theater generated around this topic has been
> amazing, but  anyone curious about SDTI's actual claims about RSA as a brand
> name should check out SDTI's new letter to IEEE at:
> 
> 
> Peter Wayner of the NYT did a great job in his 12/24/97 feature, but
> John Young's invaluable Cryptome website still  has a copy of James Ellis
> 1987 paper  --  "The History of Non-Secret Encryption" --  available in
> vanilla html and PS at:  
> 
>  GESG, the British communications intelligence agency,  published
> the Ellis paper ten years after it was written, on  Dec. 14, 1997, shortly
> after Mr. Ellis died.
> 
> In his paper, Ellis dates his own insight that secure cryptographic
> communications was possible with no prior exchange of secrets between
> parties from the late 1960s, with the first internal CESG publication on the
> topic dated January, 1970:   " J H Ellis, The Possibility of Secure
> Non-Secret Digital Encryption, CESG Report, January 1970."
> 
> With the generosity and courtesy typical of the most creative minds
> in modern crypto, Mr. Ellis gives full credit to Clifford Cocks for
> developing the  first workable version of this concept -- an apparent
> special-case version of RSA, first described in an internal GESG pub on
> 20/11/73 -- and to Malcolm Williamson, who developed an apparent  analogue
> to the Diffie-Hellman PKC  (first described in an internal GESG pub on
> 21/1/74) a  few months later.
> 
> Except for the 1987 Ellis paper, the  original GESG documents cited
> above are unavailable, apparently still classified by the British government.

The current archive (http://www.cesg.gov.uk/about/nsecret.htm) now has
four papers in both html and PDF format.
> 
> There is yet another -- or possibly more than one (it's a big world,
> after all)  -- unpublished  "secret history of public key cryptography" in
> the armored archives which hold the secrets of the various  national
> intelligence agencies.  

I wonder what the Russian archives might hold.
> 
> In the US, the former Director of the National Security Agency,
> Bobby Ray Inman, years ago claimed that public key cryptography was
> originally invented within the NSA. The NSA has never published anything to
> outline or date their original research in this area, although crypto
> historian David Kahn has repeatedly pressed them to do so. 

As I understand it, Kahn is now the official NSA historian, which makes him
an insider.  An outsider might try to FOIA such documents...





Re: The name of "RSA"

1999-04-11 Thread Vin McLellan

 John David Galt <[EMAIL PROTECTED]> queried the Cryptography  List:

>> Can anyone tell us the names of the original British inventors of public key?
>> Granted that R, S, & A didn't plagiarize, but if they no longer want their
>> names used this way, perhaps their predecessors should get the honor
>> instead!

The discussion of alternative names for "RSA" has been an amazing
and entertaining carnival, spawned by a wildly exaggerated interpretation of
a 3/1/99 SDTI letter to the P1363 working group.  SDTI, RSA's parent firm,
for which I have been a consultant for many years,  never said they were
going to restrict the use of the term RSA by real people, or even members of
standards groups. 

 The RSA brand name  issue, as SDTI sees it,  is whether commercial
competitors will be allowed to mislead consumers as to who crafted a module
of implementation code.  The theater generated around this topic has been
amazing, but  anyone curious about SDTI's actual claims about RSA as a brand
name should check out SDTI's new letter to IEEE at:


Steven M. Bellovin <[EMAIL PROTECTED]> responded to Mr. Galt:

>The best current summary is in
>http://www.nytimes.com/library/cyber/week/122497encrypt.html
>The British paper no longer appears to be on the CESG web site.

Peter Wayner of the NYT did a great job in his 12/24/97 feature, but
John Young's invaluable Cryptome website still  has a copy of James Ellis
1987 paper  --  "The History of Non-Secret Encryption" --  available in
vanilla html and PS at:  

 GESG, the British communications intelligence agency,  published
the Ellis paper ten years after it was written, on  Dec. 14, 1997, shortly
after Mr. Ellis died.

In his paper, Ellis dates his own insight that secure cryptographic
communications was possible with no prior exchange of secrets between
parties from the late 1960s, with the first internal CESG publication on the
topic dated January, 1970:   " J H Ellis, The Possibility of Secure
Non-Secret Digital Encryption, CESG Report, January 1970."

With the generosity and courtesy typical of the most creative minds
in modern crypto, Mr. Ellis gives full credit to Clifford Cocks for
developing the  first workable version of this concept -- an apparent
special-case version of RSA, first described in an internal GESG pub on
20/11/73 -- and to Malcolm Williamson, who developed an apparent  analogue
to the Diffie-Hellman PKC  (first described in an internal GESG pub on
21/1/74) a  few months later.

Except for the 1987 Ellis paper, the  original GESG documents cited
above are unavailable, apparently still classified by the British government.

There is yet another -- or possibly more than one (it's a big world,
after all)  -- unpublished  "secret history of public key cryptography" in
the armored archives which hold the secrets of the various  national
intelligence agencies.  

In the US, the former Director of the National Security Agency,
Bobby Ray Inman, years ago claimed that public key cryptography was
originally invented within the NSA. The NSA has never published anything to
outline or date their original research in this area, although crypto
historian David Kahn has repeatedly pressed them to do so. 

 Informal comments by senior DoE and NSA staff  indicate that some
of the early  innovative work on PKC was done to provide  a system to
maintain failsafe control over nuclear weapon systems, but it  is impossible
to date any of  this work  without new revelations from the NSA.  Matt Blaze
and Steve Bellovin have  gathered some interesting documentation on this
topic at: 

None of this secret research, of course, has anything to do with the
logic or ethics of free-market public invention.   In America, the US
Constitution offers citizens a limited-time right to commercially exploit a
new invention  -- including, according to US Courts,  a device which
implements a cryptographic algorithm in some sort of  pseudomechanical
protocol --  in exchange for the inventor's  permission to publish  the
details of that invention.  The  better to  spur innovation, further
development, and competitive industry in the nation as a whole.

 Secret invention, whether at GCHQ or the NSA,  serves only the
secret world.  It took unfettered invention, publication, and development --
often in the face of overt hostility and organized resistance  from the NSA,
the lead US signals intelligence agency --  to give us the cryptographic
foundation for 21st Century e-commerce, and some hope of personal privacy in
cyberspace,  where a virtual  universe now shadows the material world.  

This empowerment of individual citizens was explicit in the goals of
Diffie et al as they developed the revolutionary concept of public key
cryptogra

Re: The name of "RSA"

1999-04-11 Thread Robert Hettinga

At 12:34 PM -0400 on 4/9/99, Steven M. Bellovin wrote:


> The claim has been made, by reputable people, that
> NSAM-160 laid the groundwork for NSA's invention of public key crypto.
> But there's nothing in the declassified portion of the memo that supports
> the claim.

I figure we should just use the initials of the person/people who developed
it first, whether they did it in secret or not. Like most cold warriors --
the folks at the Skunk Works, for example -- it's not their fault that
their work was kept secret.

It's a shame that Security Dynamics forced RSA's initials off the
algorithm, (in fact, if I were Rivest et al., I'd be pissed, especially if
someone else with an earlier discovery is ever found), but, if SD doesn't
want people to use those initials anymore, then the initials of any earlier
independent discoverers, if any, should be used to name it.


Cheers,
RAH
-
Robert A. Hettinga 
Philodox Financial Technology Evangelism 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'