Thanks to everyone for their contributions on this topic.  I sent Dr. Hipp's 
explanation to our legal team, and that was good enough for them.  (This is a 
US company, for those who wondered.)

I agree with Simon that if that explanation could be added to the comment in 
random.c about the use of RC4, it could perhaps shortcut these legal 
discussions for others.

Thanks again!

Eric


-----Original Message-----
From: sqlite-users-bounces at mailinglists.sqlite.org 
[mailto:sqlite-users-boun...@mailinglists.sqlite.org] On Behalf Of Richard Hipp
Sent: Tuesday, August 11, 2015 10:11 AM
To: General Discussion of SQLite Database <sqlite-users at 
mailinglists.sqlite.org>
Subject: Re: [sqlite] Lawyers, encryption, and RC4

On 8/11/15, Eric Hill <Eric.Hill at jmp.com> wrote:
>
> We're getting some pushback from our lawyers suggesting that SQLite's 
> use of
> RC4 even just to generate random numbers is, in their minds, 
> encryption for export purposes.

No.

The RC4 encryption algorithm consists of three subcomponents:

(1) Key management logic
(2) The pseudo-random number generator (PRNG)
(3) The encoder/decoder

SQLite only implements (2).  It omits (1) and (3).  And hence, the RC4 kernel 
inside of SQLite cannot be used for encryption.

--
D. Richard Hipp
drh at sqlite.org
_______________________________________________
sqlite-users mailing list
sqlite-users at mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Reply via email to