Re: RC4 - To license or not?
Stefan Arentz [EMAIL PROTECTED] wrote: [...] I do not want to buy a complete BSAFE license. It is too expensive and I only need RC4.

This is apparently a common misconception -- at least it keeps popping up among people discussing WAP, SSL, CDPD, and PPTP-compatible products, even IEEE-compatible embedded systems -- so (in the spirit of All Souls Day) I thought to double back and post a correction here. Boo! If your business plan (or your boss, or your investors, or your customers, etc.) requires, or makes it useful and valuable, for your firm to license RSA-branded RC4 implementation code -- as opposed to using one of the many copyleft "ARC4" implementations in wide circulation -- you should ask RSA for a quote on an RC4 license for your intended app. shriek RSA licenses RC4 code separately, upon request. Always has, AFAIK. (RC4 is, of course, MIT Professor Ron Rivest's widely trusted, widely adopted, de facto standardized, variable key-length stream cipher. "RC" was initially only Rivest's personal designation for a crypto project in development, as in "Ron's Code." The best known Rivest ciphers are RC2, RC4, RC5, and RC6. (RC4 was reverse engineered and anonymously published on the Net in September, 1994. The same thing subsequently happened to RC2. RSA Security, the company Rivest co-founded to market the RSA public key cryptosystem and his other cryptographic wares, later chose to patent RC5 and RC6. Patents for crypto remain controversial, at least on the Net.) The idea of paying to use a cryptosystem -- and particularly Rivest's RC4 -- is scary, heretical, and painful to some... but others reportedly find RSA's BSAFE implementation code stable and dependable, and RSA's prices and T&Cs reasonable and flexible. YMMV, but RSA does a huge business selling "high assurance" code to OEMs and other firms seeking to implement various crypto protocols and both proprietary and public ciphersuites. 
See: http://www.rsasecurity.com/standards/protocols/protocols_table.html Trick or treat? Apparently, even among IT professionals, it is necessary sigh to occasionally announce that RSA does NOT require an OEM or an enterprise customer to license all the BSAFE ciphers and protocols -- there are, mind you, eight distinct and specialized BSAFE crypto toolkits from RSA -- when all a poor Developer wants is RC4. Such is the depth of the FUD piled up around RC4 -- like tinder and faggots stacked at the feet of a condemned witch no one hates enough to burn. Goblins, gallows, and gibbets, oh yeah! (All Hallows Eve is celebrated in the US as Halloween, an annual children's festival held after dark on the last day of October. Children who participate are urged to distinguish between horrors that are real and unreal. The participation of adults in the rituals, unfortunately, is frowned upon.) RC4 has become doubly famous as "the cipher none dare name." Clank, rattle, clink in the Crypt. Oh yeah! While many can now copy the robust simplicity of Rivest's RC4 logic -- and ARC4 ("Apparently RC4") code is widely deployed -- RSA still claims and defends its registered "RC4" trademark (and the copyright on its BSAFE implementation code.) Which is, of course, why RSA-branded RC4 code is still so often bought and sold. shrieks screams Personally, I don't think that is demonic or even undeserved -- but then, I'm biased. I've been a consultant to RSA for years. (And I'm a wicca'd man at heart. I think the poor witches got a bad rap from all the jealous priests.) Happy Halloween, _Vin Vin McLellan * The Privacy Guild * Chelsea, MA USA
Re: Musings on AES and DES
Ray Dillinger [EMAIL PROTECTED] wrote: snip [As the DES,] Dataseal/Demon/Lucifer was pretty good. It may not have been the *most* secure algorithm of its time, but neither was it a transparent and useless "cipher" with obvious flaws other than the 56-bit keyspace. However, the important part of building up trust (or lack thereof) in the cipher came after it was chosen as the DES. I suggest that you give insufficient weight to the importance of the NSA imprimatur on the DES. The DES became the standard we know today -- for years, universally accepted in US commerce, banking, and trade -- largely because the US National Security Agency (NSA) issued, upon the designation of the DES by NIST, a statement that the NSA's cryptanalysts knew of no attack on the DES algorithm more effective than a brute force search of all possible 56-bit keys. That -- and perhaps NIST's projections of the work and time required to break a 56-bit key -- provided the "due diligence" groundwork that allowed US bankers and businessmen to label crypto a solved problem. No liability could accrue to a CTO or CEO or product manager who chose to use the DES (and, conversely, no one but a fool would use an alternative cipher --whatever the key length -- in a commercial environment.) The 1976 designation of the DES -- unlike most traditional standardization efforts -- was not about interoperability. It was not even about relative cryptographic strength (although there must have been some fascinating charts at Fort Meade which projected the life-span of a 56-bit key against the successive five-year certifications built into the DES selection.) The broad acceptance of the DES in US industry and finance was, in large part, simply a function of the way a NSA-blessed cipher contained and limited potential liability. 
In the real world, the technical review that you celebrate -- among academic mathematicians and the (relatively few) unencumbered cryptographers in academia and private industry -- was all but irrelevant. (Only negative results would make a difference, and those were scant and slow in coming.) I would argue that, at least in the US, that research had virtually no impact on those who made the relevant purchase and policy decisions (who were seldom crypto-savvy, let alone crypto-literate.) Until well into the 1990s, there was no significant non-governmental crypto community to offer alternative judgements until fairly recently... and it must be said that the widespread trust, among American civilians, in the NSA's judgement in this matter was not misplaced. DES was pretty much what they said it was (even down to that tweak in the S-boxes to block differential analysis, which the academic crypto researchers didn't discover for many years.) The NSA was/is really very good at what they did, and -- particularly in the US computer industry (which until 1960 had been pretty much guided by NSA R&D contracts) -- their cryptanalytic expertise was wholly unchallenged.

That choice focused every cryptanalyst in the world on it, for a while, and sparked a fair amount of hard research in mathematics. Eventually someone found an attack better than brute force on it -- but the attack requires a very very large number of plaintext/ciphertext pairs to carry out, and seems unlikely in practice. The important thing though, is that people did the math, did the research, did the hard thinking -- and did it for a long time. When someone uses DES or 3DES today, she knows EXACTLY how much protection her data is getting, and knows that hundreds, possibly thousands, of brilliant people have focused many man-years on proving that that amount of protection *is* exactly how much she's getting. 
It may be that some other ciphers that were around at that time are more secure -- hell, no doubt about it really. But none of those ciphers have attracted the attention of as many really bright people making *sure* it's secure that being the DES has gotten for this cipher. Now, the newly minted AES is standing in place to receive the same attention from the worldwide community -- indeed, has already started to. snip I presume that the AES selection process was open, to the degree that it was, largely to permit the large contemporary private-sector and the academic crypto community an opportunity to participate in, and endorse, the final AES selection. I suspect, however, that the formal adoption of the AES FIPS -- when Rijndael is designated the approved mechanism for securing sensitive but unclassified government data -- will involve some similar NSA endorsement, implicit or explicit. It will be interesting to see how explicit it is, and what sort of demand for an overt stamp of approval from the NSA still exists in the marketplace.
Re: Rijndael Hitachi
Vin McLellan (me) wrote: My comment was simply that the Hitachi patent claims set the stage for rumors that may shadow the AES choice for years. I think that is unfortunate. Personally, I think it is embarrassing that the Hitachi patents were ever issued.

Arnold G. Reinhold [EMAIL PROTECTED] replied: Maybe I am missing something, but what would be the big deal if NIST did take patent claims into account? There were five excellent candidates. If NIST picked Rijndael in part because it least likely to be tied up in court for the next N years, does that diminish their glory?

Myself, I wouldn't blame NIST if they factored, as you suggest, avoidance of endless legal hassles into their decision-making process. (Nor, when you come down to it, would I be shocked to discover that NIST subsequently lied, or issued misleading comments, about whether the Hitachi patent claims were a factor in their decision... just to keep the AES Process out of the Courts.) The Hitachi patents become an inevitable issue -- for conspiracy buffs, if no one else -- only because the winner was the single AES Finalist that Hitachi did not claim was infringing upon its "data rotation" crypto patents. (See http://csrc.nist.gov/encryption/aes/round2/comments/2410-sharano.pdf) (This, in turn, becomes a little more complicated because, as Schneier et al argue, Rijndael -- despite *not* being mentioned in the Hitachi letter that tagged the other four Finalists -- seems to be as vulnerable, or not, to the Hitachi patents as the named four: MARS, RC6, TwoFish, and Serpent.) I don't think anything that (might have) happened in NIST's private AES deliberations can lessen the accomplishment of this historically open process of soliciting, evaluating, and choosing (to the extent that any final selection can be open;-) Rijndael as the AES, from among the five great cryptosystems that were AES Finalists. 
While I appreciate how difficult it is for many -- Yanks and non-Yanks (indeed, anyone who knows anything about US Crypto Politics and the historic subservience of NIST to the NSA) -- to dismiss the influence of the US signals intelligence agencies upon the AES process as negligible, I think we lucked out. In the aftermath of the flawed Clipper Chip fiasco -- the Fortezza disaster; the pro-crypto rebellion of the EC; with the steady deterioration of the NSA's stature and mystique in Congress and among American businessmen, and the common presumption that electronic commerce is the economic engine for the first decade of the 21st Century -- I think we got an open AES review, and a reasonable final choice among the best cryptosystems that could be solicited from the most capable (non-governmental) cryptographers available. Hosanna! Skeptics may quibble on relative weight put on various stated criteria, but no one familiar with the professional stature, respective egos, and personal independence of the "AES cryptographers," as a group, is going to suggest that these development teams were tame, tainted with some spooky impulses to offer only so much crypto strength and no more. That a Belgian cryptosystem was eventually selected as the American AES may make it easier to dismiss those fears overseas, and may hasten the adoption of AES internationally. Full AES standardization and interoperability, a good thing, should come more quickly. Given the integrity of the larger AES process -- and the universal respect Rijndael seemed to win among all the cryptographers involved -- I think it is clear that the relative weight of the Hitachi patent claims in NIST's AES selection process was minor. Whether, minor or not, that impact might have shifted the balance from another contender to Rijndael is impossible to say. Unless, of course, you accept NIST's simple declaration in its Report on the Development of the AES: http://csrc.nist.gov/encryption/aes/, pg. 79. 
Noting that NIST had solicited, collected, and analyzed IP claims relevant to the AES candidates, the report baldly states: "...IP was not a factor in NIST's selection of the proposed AES algorithm." That says, I think, that no IP claims against the AES Finalists were substantive enough to influence the final selection. (As an American, of course, I believe that skepticism about the truthfulness of any governmental declarations is an inalienable right, as well as common sense.) NIST's bureaucratic language is also just cryptic enough to support alternative interpretations. How "not a factor?" A recent C'punk tirade about NIST, AES, and Hitachi from the irrepressible John Young, patron and editor of the Cryptome website, beats this drum; Mr. Young seeks deep secrets, undocumented considerations, tell-all revelations. (My own feeling is that it may be a b
Re: New Encryption System for Music (nytimes)
Tom Vogt wrote: anonymous' view is too drastic, but I guess that he's more close to home as far as copyright AS A BUSINESS is concerned. I don't remember any multinational corporations living entirely on (C) in, say, 1928.

Vin McLellan replied: In the 1920s, all over the industrialized world, there were large, well-established, "third-party" corporate entities which invested in the creation, "publication," and distribution of radio broadcasts, photographs, sound recordings on cylinders and records, even moving pictures -- although, at least in the US, it often took a few years for new media to gain full copyright protection.

Tom responded: I stand corrected. I had put these into the distribution business, not the (C) biz, especially since they provided something the general public was not capable of producing themselves (which is not the case with CDs or tapes today). however, I must agree that without (C), this industry would most likely not have existed in the form it did.

Vin: No one should be afraid of copyright (or patents, IMNSHO.) I suggest, however, that we should be very concerned with the steady erosion in the public claim to eventual free access. In the US, at least, no copyright held by a corporation has been given over to the public domain since WWI -- and, Tom's suggestion to the contrary, there were many of them in corporate hands even then;-)

Tom: are there any sources for this?

None I have readily available, but any real copyright expert should be able to confirm it.

Tom: maybe one should go the opposite way. how about drafting a suggestion for an extension of (C) to eternity? let's just grant (C) protection forever. that should make people listen to why (C) is limited. I'm afraid nobody knows those reasons anymore.

I agree that the case for "public domain" is seldom made, except in the perverted argument for content/media piracy through "fair use." 
I heartily agree that public policy debate (and the legislation that results) is much the poorer because of its absence. Suerte, _Vin
RE: New Encryption System for Music (nytimes)
Secret Squirrel declared: Copyright is a short-lived aberration (60-70 years ?), and technology is finally dealing with it.

Vin McLellan replied: U. Check out Section 8 of the US Constitution. 1787. http://caselaw.findlaw.com/data/constitution/articles.html

Tom Vogt suggested: anonymous' view is too drastic, but I guess that he's more close to home as far as copyright AS A BUSINESS is concerned. I don't remember any multinational corporations living entirely on (C) in, say, 1928.

Think again. I'm not sure where anyone is going with this, but any sensible response to the mix of technology, law, and politics that appears likely to dramatically recast the idea of copyright -- and has already greatly extended the lifespan of corporate copyrights -- must start with some basis in historical reality. Third parties, in some sense corporate, have been making money off original works since Gutenberg: newspapers, book publishers, music publishers, fine-art publishers. In the 1920s, all over the industrialized world, there were large, well-established, "third-party" corporate entities which invested in the creation, "publication," and distribution of radio broadcasts, photographs, sound recordings on cylinders and records, even moving pictures -- although, at least in the US, it often took a few years for new media to gain full copyright protection. Only a few decades later, software programs were accepted as copyrightable IP by their authors, and/or the firms which paid for their development. (Although I think historians will bicker for centuries about whether software deserved its own class of IP, apart from patent and copyright, the development of automatic control systems -- say, by 1890, when the Hollerith punched-card tabulating machine was used in the US census -- gave software a clear IP heritage. 
In both the open technical arts, and "corporate" trade secrets, that heritage went back to the late 18th Century; the punch-card sequence programs for the Jacquard Loom; Lady Lovelace's mid-19th Century designs for "weaving algebraic patterns" on Babbage's Analytical Engine; and thousands of little-known gadgeteers.) Perhaps it is not mere coincidence that the beginnings of what historians call the paleotechnic period (1750-1900), the first stage of the Industrial Revolution, is typically pegged ten years after the British Copyright Act of 1740? The impassioned Rationalists who drafted the British Copyright statute (and the American Constitutional provision on patent and copyright) all had a vision of a future in which information, innovative designs, and stimulating fictions -- created by whoever -- would be pried from the hands of the Church, the State, and the social elite, and made available to all. It was a profoundly democratic vision. The temporary "property right" inherent in both copyright and patents was meant, not unreasonably, to provide a righteous return to the author/inventor/investors -- but central and inherent to the policy was the concept of the (eventual unencumbered) circulation of creative, stimulating, and useful ideas in the society at large: the priceless vision of "public domain." No one should be afraid of copyright (or patents, IMNSHO.) I suggest, however, that we should be very concerned with the steady erosion in the public claim to eventual free access. In the US, at least, no copyright held by a corporation has been given over to the public domain since WWI -- and, Tom's suggestion to the contrary, there were many of them in corporate hands even then;-) The original 14 years of copyright protection doubled to 30; then 70 years; then became the life of the copyright holder. 
Then it became life plus 30 years; then life plus 70 -- and now (if the copyright holder is a deathless corporation, instead of a person), it extends for 95 years, practically in perpetuity. On top of all that, we have the DMCA. sigh Suerte, _Vin
RE: Intrust Technology?
Don't make the mistake of assuming that content control must be total or absolute. The market for such technologies, unlike many pundits who dismiss them in all variety, demands only that the content control be effective in denying the pirate the ability to make a market, to contest with the legit creators of the content with a clone that is wholly equal, unmarked, and untraceable. The IP holders want only to be able to spot the copies and track them somewhat; traditional police (and diplomatic) procedures can then take over. You are undoubtedly correct in presuming that there will be ways around whatever controls are put in place. Onesy twosies copies don't worry anyone. If some group in China or India starts spinning out copies, but if those copies are identifiable as illicit clones, then much bigger wheels start turning to force the local authorities to crack down on the pirates. Suerte, _Vin

At 12:24 AM 3/7/00 -0500, [EMAIL PROTECTED] wrote: I came across a company called InterTrust that claims to have developed a system whereby digital content can be downloaded to a user's PC, the user be required to pay for 'rights' to use the content under certain 'rules' set by the content provider and yet the user will somehow be prevented from copying, duplicating or distributing the content. This system is supposed to work offline. Somehow I don't see how InterTrust can prevent a user from copying the state of his PC prior to his 'using' the content, then use the content and then restoring the state each time he wants to use the content. Theoretically the user could distribute the 'state' of his PC to others and circumvent InterTrust's protection scheme. InterTrust's system is explained at http://www.intertrust.com/technology/index.html I'd be interested in a critique of this scheme. Regards, Jeff
Re: RSA Patent Workaround
According to well-informed sources in Her Majesty's Government, Pete Chown [EMAIL PROTECTED] wrote: This is a bit late since the patent expires in September. However, what do people think about this scheme? Firstly is it cryptographically reasonable, and secondly does it genuinely avoid the scope of the patent? Whereas in RSA you form a modulus n as the product of two primes p and q, in my scheme you set n = pqr, where all three are prime. The order of the multiplicative group modulo n is now (p - 1)(q - 1)(r - 1). You choose e and find d such that de is congruent to 1 modulo (p - 1)(q - 1)(r - 1). This will now behave in all respects identically to an RSA key, although you will have to make the modulus bigger for identical security. In fact, someone who is given e and n will find it almost impossible to prove that it is not a genuine RSA key. You could make a key like this into an X.509 certificate. The public side will work with all software, since proving that it is not an RSA public key involves factoring n and so is computationally infeasible. The private half should work with just about all software, since it has no reason to recalculate e and d.

It's a nice idea, but it's been around for ages. RSA has always seemed confident that the general description of the RSA mechanism (claim 33, which doesn't enumerate the number of primes;-) in the Stateside RSA patent covers it. (YMMV) Even if it is not a RSApkc "patent workaround," however, it may be a potentially useful formulation of PKC. [I don't think RSA (or anyone else, AFAIK) has thus far used it in a commercial product or included it in BSAFE or any other toolkits. Dunno why not. I do know that RSA, at least, explored in some depth its potential for speeding up (~X2) crypto calculations at the server in C/S interactions. ] A Compaq crypto team has also done research in this area, using different numbers of primes with RSA. (There may even be an old paper from RSA Labs on it. I'll see if I can find it. 
If it is not proprietary -- I'll send it along.) Suerte, _Vin "Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege." _A Thinking Man's Creed for Crypto _vbm *Vin McLellan + The Privacy Guild + [EMAIL PROTECTED]*
Re: RSA Patent Workaround
Pete Chown [EMAIL PROTECTED] suggested a PKC formulation: Whereas in RSA you form a modulus n as the product of two primes p and q, in my scheme you set n = pqr, where all three are prime. The order of the multiplicative group modulo n is now (p - 1)(q - 1)(r - 1). You choose e and find d such that de is congruent to 1 modulo (p - 1)(q - 1)(r - 1).

Vin McLellan (me) noted that this was not a new idea, and added that in addition to relevant research at RSA Labs over the years... A Compaq crypto team has also done research in this area, using different numbers of primes with RSA.

Andrew Brown [EMAIL PROTECTED] asked for a URL that might describe the Compaq research: / anything published and available on line?

Not that I know of. The Compaq work was just something I heard about sometime last year. Maybe someone from Compaq (or elsewhere) can offer more details. Suerte, _Vin
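The n = pqr construction quoted in both "RSA Patent Workaround" messages above, worked through in code. This is an added example written for this page; it is not code from Pete Chown, from RSA's BSAFE, or from the Compaq research mentioned in the thread. It assumes Python 3.8+ (for pow(e, -1, phi) and math.prod), uses toy key sizes with a fixed seed so the run is repeatable, and is textbook RSA with no padding. It builds a k-prime key with d*e = 1 mod (p-1)(q-1)(r-1) exactly as the post describes, shows that a plain RSA encrypt routine uses the public (n, e) without any change (the point that nobody holding only e and n can tell the key apart), and decrypts two ways: with the full exponent modulo n, and prime-by-prime with a CRT (Garner) recombination, which is where the server-side speedup Vin mentions comes from. The k=2 case is ordinary RSA, so the same functions cover both.

```python
"""Multi-prime RSA (n = p*q*r): added example for the thread above.

Not production code: no padding, toy key sizes, probabilistic primes.
"""
import math
import random


def is_probable_prime(n, rounds=32, rng=random):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 = 2^r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness: n is composite
    return True


def random_prime(bits, rng=random):
    """Random prime of exactly `bits` bits (top bit and low bit forced to 1)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand


def generate_key(bits, k=3, e=65537, rng=random):
    """Return (n, e, d, primes) for a k-prime RSA key of about `bits` bits.

    k=2 is ordinary RSA; k=3 is the n = p*q*r scheme from the post.
    d is the inverse of e modulo phi(n) = product of (p_i - 1).
    Note: ECM-style factoring scales with the *smallest* prime, which is
    why the post says a multi-prime modulus must be bigger for equal security.
    """
    primes = []
    while len(primes) < k:
        p = random_prime(bits // k, rng)
        # e must be invertible modulo phi(n): gcd(e, p-1) == 1 for every p
        if p not in primes and math.gcd(e, p - 1) == 1:
            primes.append(p)
    n = math.prod(primes)
    phi = math.prod(p - 1 for p in primes)
    d = pow(e, -1, phi)
    return n, e, d, primes


def encrypt(m, n, e):
    """Plain RSA encryption; it neither knows nor cares how many primes n has."""
    assert 0 <= m < n
    return pow(m, e, n)


def decrypt(c, n, d):
    """Textbook decryption with the full private exponent modulo n."""
    return pow(c, d, n)


def decrypt_crt(c, d, primes):
    """Decrypt with one short exponentiation per prime, then Garner recombine.

    Each pow() is modulo a single prime with exponent d mod (p_i - 1); the
    partial results are stitched into the unique m < n with m == m_i (mod p_i)
    for every i.  With three primes of n/3 bits each this is cheaper than
    pow(c, d, n), which is the server-side speedup the thread alludes to.
    """
    x, mod = 0, 1              # x is the solution modulo `mod` so far
    for p in primes:
        m_i = pow(c % p, d % (p - 1), p)
        t = ((m_i - x) * pow(mod, -1, p)) % p
        x += mod * t
        mod *= p
    return x


def roundtrip_ok(bits=192, k=3, seed=None):
    """Generate a k-prime key and check the key equation plus both decryptors."""
    rng = random.Random(seed)
    n, e, d, primes = generate_key(bits, k, rng=rng)
    phi = math.prod(p - 1 for p in primes)
    m = rng.randrange(2, n)    # constructed random sample message
    c = encrypt(m, n, e)
    return (len(set(primes)) == k and math.prod(primes) == n
            and (e * d) % phi == 1
            and decrypt(c, n, d) == m and decrypt_crt(c, d, primes) == m)


if __name__ == "__main__":
    rng = random.Random(2000)  # fixed seed so the demo is repeatable
    n, e, d, primes = generate_key(192, k=3, rng=rng)
    m = 0x48656C6C6F           # "Hello" as an integer: constructed sample input
    c = encrypt(m, n, e)
    print("primes:", primes)
    print("textbook decrypt ok:", decrypt(c, n, d) == m)
    print("CRT decrypt ok:     ", decrypt_crt(c, d, primes) == m)
    print("3-prime and 2-prime keys both round-trip:",
          roundtrip_ok(192, 3, seed=1) and roundtrip_ok(128, 2, seed=2))
```

Because `encrypt` and `decrypt` take only (n, e) and (n, d), an X.509 certificate or a toolkit that stores the private key as (n, d) works unchanged, as the post claims; only a consumer that insists on reconstructing the key from exactly two CRT primes would notice the difference. The CRT path is the one that has to know the factorization, and it is also the one that benefits from the extra prime.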