OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: RC4 - To license or not?
From: Vin McLellan (vinshore.net)
Date: Sat Oct 21 2000 - 11:23:33 CDT


         Stefan Arentz <stefan.arentzsoze.com> wrote:

> [...] I do not want to buy a complete BSAFE license.
> It is too expensive and I only need RC4.

         This is apparently a common misconception -- at least it keeps
popping up among people discussing WAP, SSL, CDPD, and PPTP-compatible
products, even IEEE-compatible embedded systems -- so (in the spirit of All
Souls Day) I thought to double back and post a correction here.

         Boo!

         If your business plan (or your boss, or your investors, or your
customers, etc.) requires, or makes it useful and valuable, for your firm
to license RSA-branded RC4 implementation code -- as opposed using to one
of the many copyleft "ARC4" implementations in wide circulation -- you
should ask RSA for a quote on a RC4 license for your intended app.

         <shriek>

         RSA licenses RC4 code separately, upon request. Always has, AFAIK.

         (RC4 is, of course, MIT Professor Ron Rivest's widely trusted,
widely adopted, defacto standardized, variable key-length stream cipher.
"RC" was initially only Rivest's personal designation for crypto project in
development, as in "Ron's Code." The best known Rivest ciphers are RC2,
RC4, RC5, and RC6.

         (RC4 was reverse engineered and anonymously published on the Net
in September, 1994. The same thing subsequently happened to RC2. RSA
Security, the company Rivest co-founded to market the RSA public key
cryptosystem and his other cryptographic wares, later chose to patent RC5
and RC6. Patents for crypto remain controversial, at least on the Net.)

         The idea of paying to use a cryptosystem -- and particularly
Rivest's RC4 -- is scary, heretical, and painful to some... but others
reportedly find RSA's BSAFE implementation code stable and dependable, and
RSA's prices and T&Cs reasonable and flexible.

         YMMV, but RSA does a huge business selling "high assurance" code
to OEMs and other firms seeking to implement various crypto protocols and
both proprietary and public ciphersuites. See:
<http://www.rsasecurity.com/standards/protocols/protocols_table.html>

         Trick or treat?

         Apparently, even among IT professionals, it is necessary <sigh> to
occasionally announce that RSA does NOT require an OEM or an enterprise
customer to license all the BSAFE ciphers and protocols -- there are, mind
you, eight distinct and specialized BSAFE crypto toolkits from RSA -- when
all a poor Developer wants is RC4.

         Such is the depth of the FUD piled up around RC4 -- like tinder
and faggots stacked at the feet of a condemned witch no one hates enough to
burn.

         Goblins, gallows, and gibbets, oh yeah!

         (All Hallows Eve is celebrated in the US as Halloween, an annual
children's festival held after dark on the last day of October. Children
who participate are urged to distinguish between horrors that are real and
unreal. The participation of adults in the rituals, unfortunately, is
frowned upon.)

         RC4 has become doubly famous as "the cipher none dare name."

         Clank, rattle, clink in the Crypt. Oh yeah!

         While many can now copy the robust simplicity of Rivest's RC4
logic -- and ARC4 ("Apparently RC4") code is widely deployed -- RSA still
claims and defends its registered "RC4" trademark (and the copyright on its
BSAFE implementation code.)

         Which is, of course, why RSA-branded RC4 code is still so often
bought and sold.

         <shrieks & screams>

         Personally, I don't think that is demonic or even undeserved --
but then, I'm biased. I've been a consultant to RSA for years. (And I'm a
wicca'd man at heart. I think the poor witches got a bad rap from all the
jealous priests.)

         Happy Halloween,

            _Vin

Vin McLellan * The Privacy Guild * Chelsea, MA USA