A few of my random thoughts about what I currently know with regards to restrictions on the use of SSLeay due to software patents and US cryptographic export restrictions. Seth Robertson <seth@soscorp.com> and david d `zoo' zuhn <zoo@armadillo.com> have been very helpful in the preparation of this file.

First up, my library is FREE for COMMERCIAL and non-commercial use. I make no money from people using the algorithms encoded in this library. (But I would accept donations :-).

I live in Australia and if there are any cryptographic export restrictions, all I can say is that I have had crypto routines available for anon-ftp for nearly 4 years and no government type person has ever mentioned a thing. All code in this library was written by me and I have never seen SSLref or RSAref.

DES. I have my libdes DES library in this package. I wrote it from documentation in the University of Queensland library. My library is actually used in SSLref (so I have been told). I find it 'cute' that it appears that most SSL implementations may end up using a DES encryption library from Australia :-). People from the USA are not allowed to export DES due to crypto export restrictions. It can go in but not out.

RC4. I have RSA's RC4 cipher in my SSL packages. I implemented it from source code found on an ftp site in Europe. I am not sure of the legal status of people in the USA using it since I think RSA are not very happy about it being reverse engineered. I assume that RSA's implementation is Copyrighted and is a Trade Secret, but that should not affect this implementation since it was not derived from RSA's actual source. So, it may be illegal to use in the USA but I don't know. Export is definitely a no no.

IDEA. The IDEA algorithm can be used in the SSL protocol and as of version 0.4.2 of my library it is present. I believe it needs to be licensed for businesses in Europe due to software patents but am not sure how they are 'enforcing' the licensing.

RSA. Ah, the big one.
The following is taken from "The SSL Protocol" as published by Netscape.

    The Massachusetts Institute of Technology and the Board of Trustees of the Leland Stanford Junior University have granted Public Key Partners (PKP) exclusive sub-licensing rights to the following patents issued in the United States, and all of their corresponding foreign patents:

        Cryptographic Apparatus and Method ("Diffie-Hellman") No. 4,200,770
        Public Key Cryptographic Apparatus and Method ("Hellman-Merkle") No. 4,318,582
        Cryptographic Communications System and Method ("RSA") No. 4,405,829
        Exponential Cryptographic Apparatus and Method ("Hellman-Pohlig") No. 4,424,414

    These patents are stated by PKP to cover all known methods of practicing the art of Public Key encryption, including the variations collectively known as El Gamal.

    Public Key Partners has provided written assurance to the Internet Society that parties will be able to obtain, under reasonable, nondiscriminatory terms, the right to use the technology covered by these patents.

    ......

From my understanding, it is therefore required that US people must get a license from PKP to use SSLeay. People outside the USA can use it as much as they like since I don't think the US software patents are valid outside of the US.

My implementation has been written from books on algorithms which include sections on number theory. I basically knew zip about RSA stuff before I started reading at the start of April '95. So this one is a 'no export' from the USA and probably a 'no use' in the USA. The Diffie-Hellman routines are covered by the same problems.

So we end up with a library that is free, but in the USA you must pay money to people who the author has never met nor spoken to, otherwise you break the law.

People can use my SSL library and the encryption routines (except RSA and RC4) if I make it possible to build SSLeay to use RSAref. RSAref is the 'public' RSA reference implementation. It is limited I believe to 1024 bit private keys.
My RSA implementation is not (I have some sample keys of 2048, 4096 bits in the distribution). RSA Inc. have another implementation of RSA in their BSAFE toolkit but it is for commercial use and costs dollars. It is not limited to 1024 bit keys (I believe). RSAref is free for non-commercial use under some very interesting conditions. I have appended their conditions to the end of this document. This RSA code can probably be imported into the USA but not executed. Again, not for export once in the USA.

One interesting question I have is what is the status of a binary program that is an SSL filter between the Internet and a local program (via a named pipe or UNIX domain socket); if I make binaries available in Australia, will people who ftp it to the USA for free then have to pay PKP to run the program? I could just call it 'securelink' and not tell them the 'secret' encryption algorithm I use. Would they then be able to be prosecuted for violating a patent they don't know is being violated?

A few more points for people in the USA regarding putting hooks in their code to use SSL/RSA from my library and acquisition of a license from PKP (the people who own the patent) for use of the RSA algorithm.

First, PKP have exclusive patent rights on all aspects of public key cryptography (as 'listed' above). Part of these conditions is that they are reasonable and non-discriminatory in their licensing. Unfortunately this does not mean they have to license my implementation. They have to license an implementation and they can put as many restrictions as they like (e.g. it cannot be modified or whatever). I have not actually spoken to PKP at this point in time. The patent gives a limited (17 year) monopoly, which some would consider a very very long time in the software game.....

One thing worth considering, there are no crypto export restrictions between the USA and Canada, and Canada does not have software patents.
So it is legal to build and use my library in Canada if you live in the USA.

Second point, the following is the X11R6/xdm-auth/README and the same README appears in X11R5 (I have been playing with DES for quite a few years :-)

    If you are looking for the file xc/lib/Xdmcp/Wraphelp.c, be advised that export of this software from the United States of America is assumed to require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

    You will find what you are looking for, in compressed form, as the file /private/xdm/help on this machine. Note that you have to cd to '/private/xdm' in one step and then 'get' the file.

    Although it sounds stupid, and it is, we would appreciate if you would only tell other people how to find this README file, and not point them directly to the actual source code, so that they will read this warning.

    For persons outside the US, a compatible version of this file, implemented outside the US, can be obtained by anonymous ftp to ftp.psy.uq.oz.au (130.102.32.1) in the directory /pub/X11R5/.

So perhaps other people could get away with doing a similar thing with their code. It could be worth talking to the X consortium if you are not sure about the legal implications. For the RSA code, it may actually be illegal to even have code that would only work with my implementation. If you wrote code that could work with either SSLref or my SSLeay, you should be ok.

Anyway, enough of my rambling, none of this affects me because
a) I'm not making any money from this so I don't need to pay anyone :-)
b) I'm living in part of the world not covered by software patents.

This information could all be wrong and out of date since a lot of this stuff seems to be changing daily, so these are some of my off the cuff thoughts on the topic as of December 1995.
eric

Oh yes, I believe the laws in France are as follows: Crypto code is considered munitions, much as in the USA. The use of crypto stuff is illegal unless it is properly authorized. Authorization of serious crypto stuff like PGP is impossible. So if the use of PGP is illegal so is my library (I have the same algorithms plus more, in library and program form). So if you are in France you are not even supposed to import this library.

====

What follows is what I believe to be the license for RSAref. The second part of item 1. is interesting. It appears that these are the only conditions under which free public key applications can be used in the USA. My free library will probably not change this.

--

> WHAT YOU CAN (AND CANNOT) DO WITH RSAREF
>
> 1. RSAREF is free for personal or corporate use under the
>    following conditions:
>
>    o RSAREF, RSAREF applications, and services based on
>      RSAREF applications may not be sold.
>
>    o You must give RSA the source code of any free RSAREF
>      application you plan to distribute or deploy within
>      your company. RSA will make these applications
>      available to the public, free of charge.
>
> 2. RSAREF applications and services based on RSAREF
>    applications may be sold under the following conditions:
>
>    o You must sign and return the RSAREF Commercial License
>      Agreement to RSA (call RSA for a copy of this
>      agreement). Remember, RSAREF is an unsupported toolkit.
>      If you are building an application to sell, you should
>      consider using fully supported libraries like RSA's
>      BSAFE or TIPEM SDK's.
>
> 3. RSAREF applications and services based on RSAREF
>    applications may be "sharewared" under the following
>    conditions:
>
>    o Shareware authors do not need to sign a separate
>      agreement with RSA, provided that their per-copy asking
>      price is less than $50 and total RSAREF application
>      revenue is less than $10,000 annually. Otherwise,
>      shareware authors must sign and return the RSAREF
>      Commercial License Agreement.