Date: Mon, 11 Jan 1999 15:31:19 -0500
From: Vin McLellan <vin@shore.net>
To: aucrypto@suburbia.net
Subject: AUCRYPTO: RSA Down Under
Stewart Baker <sbaker@steptoe.com>, Washington attorney, acting
chairman of the President's Export Council's Subcommittee on Encryption,
former NSA General Counsel, and an usually savvy commentator on crypto
politics and US export controls, wrote on Dave Farber's IP List:
> RSA's Australian crypto announcement should be taken with a
> grain of salt. Australia may have somewhat more lenient
> encryption export practices than the US, but it is in fact
> closely aligned with the US on most such issues.
Historically -- particularly, spook to spook -- this is certainly
true, at least in statutes and regulations controlling the export of
commercial crypto code exported from Australia on magnetic media. See Part
III, category 5/2, of the Australian Controls on the Export of Defence and
Strategic Goods. Crypto software at:
<http://www.dod.gov.au/dao/exportcontrols/greenbk/guidelin.htm> See also
the FAQ from Electronic Frontier, Australia, at:
<http://www.efa.org.au/Issues/Crypto/cryptfaq.html>.
> As I said to one reporter, moving from the US to Australia
> because you don't like US encryption controls is like moving
> from Minneapolis to Chicago because you don't like cold
> winters -- quite possibly an improvement but not exactly a
> solution.
Great line, but....
For many years, Australia has allowed the virtually unrestricted distribution, over the Internet, of many of the most popular free industrial-strength cryptosystems, crypto libraries, and crypto-enhanced application packages. A public FTP site at the Australian Defence Force Academy offers unrestricted downloads of PGPi, has for years. Imagine the culture shock if the US suddenly became a nation in which West Point had a website which offered free and trusted e-mail encryption software, over the Internet, to any citizen of any country! Over the past five years, Australia has actually become the source of choice for strong, free, and unrestricted cryptographic software -- in large part due to the team of two Aussie cryptographers, Eric Young and Tim Hudson, that RSA last year was lucky enough to recruit to manage RSA-Australia, its new R&D crypto lab in Brisbane. How this came about is the story of SSLeay; a tale any one of thousands of programmers and privacy mavens around the world could readily retell. In 1995, Eric Young and Tim Hudson posted version 1 of SSLeay to the Internet. SSLeay (eay for Eric A. Young) is a free cryptographic library in which Young managed to single-handedly implement the full suite of cryptosystems used in SSL: the RSA-based security protocol that provides confidentiality, integrity, and "digital signature" authentication functions for secure connections, transactions, and file transfers over the World Wide Web (WWW) recently invented by European programmers. Since RSA's public key cryptosystem was patented only in the US, Young was free to offer a full-strength "domestic US" version of the crypto internationally, while American export regulations forced Netscape and other US vendors to export browsers and web servers secured with no more than 40-bit crypto -- a mere fraction of the 56/128-bit cryptographic strength used in the otherwise identical products sold in the domestic US market. That Eric Young and Tim Hudson made their SSLeay crypto library and applications available to all without charge -- under a uniquely liberal license which Hudson drafted to simply require that the code be properly attributed and forever unencrumbered -- was a striking example of the fabled freeware and shareware culture that has historically provided much of the most creative and useful computer software, including most of the Internet's protocols and essential data services. That there was a hungry market for SSLeay among corporate developers who were, around the world, working on internal WWW-based applications, and small independent developers who wanted to bring their own SSL-enabled software to market, reflected the growing consciousness among non-American consumers -- and particularly programmers and other computer industry professionals -- that they were being sold only broken or purposely-weakened security technology by American vendors. There was, and is, some inevitable bitterness among buyers of computer and communications products which had been designed so that the US signals intelligence agency, the National Security Agency (NSA), could eavesdrop at will on supposedly secure transactions. Only Americans believe that the NSA, and its sibling agencies from other nations, are rummaging through the world communications net looking for child pornographers, drug dealers, and terrorists. From 1996 on, crypto-enhanced free software quickly began pile up
on the SSLeay ftp and web site, now at: <http://www.cryptsoft.com.au>. From
there, it quickly jumped to hundreds, perhaps thousands, of freeware
distribution sites around the world.
For v.1 of SSLeay, Hudson had already integrated SSLeay into SSLapps, the core Internet services (FTP and Telnet,) and he soon added full-strength SSL to international versions of several early browsers. Other volunteers used SSLeay to enhance the remote service utilities of UNIX. Young and Hudson worked with several teams which integrated SSL functionality into the full-featured but free Apache webserver. (Another Australian, Farrell McKay, independently developed Fortify for Netscape, an ingenious hack which took advantage of a design weakness in the NSA-approved Netscape crypto module which allowed the Fortify untility to ungrade the the weak crypto in a Netscape export browser to full strength SSL.) More recently, Young and Hudson led a team that overnight reinstalled full-strength SSL into the published -- but crypto-stripped -- code of the "Mozilla" browser that Netscape released in public domain last year. Working without pay -- coding for the sheer delight of creation and in some tradition of service -- the Australian team transformed Mozilla into "Cryptozilla," today available without restrictions from: http://mozilla-crypto.ssleay.org/index.php
Freeware and shareware are created wherever there are programmers, but such free distribution of cryptography and crypto-enhanced privacy and security products has never been allowed from the US. That Australia became the nexus for the distribution unversally trusted free crypto implementations involved Young, Hudson and more than a little chance. But there was also more than chance involved. Several Australian governments have proven unwilling or unable to pass legislation that would have allowed the Australian Defense Department (which has nominal control of crypto exports on physical media) to extend its regime to cover the distribution of "intangibles," like software programs, over the Internet. The current Australian government, led by Prime Minister John Howard, has obviously been of two minds in its approach to crypto politics and export controls on cryptography. On one hand, Australia is a beneficiary of the UKUSA partnership of the English-speaking intelligence agencies. Australia has also been one of the US's closest allies in the Wassenaar Arrangement <http://www.wassenaar.org>, the diplomatically-cloaked coalition of
intelligence agencies which collectively seeks to restrict international
trade in dangerous munitions and "destabilizing" crypto-based privacy
technology.
Last June -- shortly after Young and Hudson had helped create Cryptozilla from the "open source" browser code published by Netscape -- Robbie Costmeyer, director of strategic trade policy and operations for the Australian Defense Department, and the AU Wassenaar delegate, publicly suggested that Young and Hudson should be prosecuted and jailed under Australia's Weapons of Mass Destruction Act -- since they seemed to otherwise elude the export controls he enforced. On the proverbial other hand, the reaction to Costmeyer's threat was vehement and telling. Dan Tebbutt, The Australian's widely-read tech columnist, ridiculed him in print as a Cold War martinet reminiscent of Jack Nicholson's raving US Marine CO in the movie, "A Few Good Men." It also quickly became apparent that Mr. Costmeyer was not speaking for the government, nor even for the  Australian Defense Department. The Federal Minister for Communications, Information Technology and the Arts, Senator Richard Alston, quickly jumped in to describe Australia's "generous" cryptography policies as a golden opportunity for Australian companies. Tebbutt, The Australian's columnist, paraphrased Mr. Alston: "Local innovators have the chance to corner lucrative security markets beyond the reach of dominant multinationals like IBM, Microsoft and Sun, who are generally prevented from shipping their safest e-commerce products beyond US borders. Yet the Minister emphasizes that the Government's attitude falls short of a total green light." "We are very keen to promote the growth of trade in encryption technology, but we do have to be mindful of law enforcement considerations," Mr. Alston said. "I think the balance will move in favour of commerce rather than law enforcement." Mr. Baker opined: > I suspect that [Australian export] controls are the news hook, > but the commercial motivation is something else. Look more carefully, Counselor. True, Eric Young and Tim Hudson are folklore figures in the world of Internet computing. And Young is now Chief Technical Officer for RSA Data Security Australia Pty. Ltd., while Hudson is now Technical Director for Development in RSA's new Brisbane-based crypto R&D center.(See <http://www.aus.rsa.com>.) But -- contrary to a number of press reports --
there is a lot more to RSA-Australia than the recruitment of new executive
talent for RSA Data Security, Inc.
RSA-Australia is the result of a long and careful campaign to woo the Australian government with the prospect of high tech economic development, and to push the US government to define the (perhaps still evolving) guidelines that govern how non-US citizens -- who work outside the United States, for an American-owned, but overseas-chartered, firm -- can be involved in development and sale of cryptographic products. I've been a consultant to Security Dynamics Technologies, RSA's parent firm, for many years, but I'm not privy to the insider details.  The immediate results seem apparent, however. Tim Hudson, Eric Young, and RSA's CEO Jim Bidzos have cracked a door that could give RSA-Australia a potentially lucrative role in the burgeoning global market for e-commerce infrastructure. After extensive negotiations and consultations with RSA, Canberra last year decided to give RSA-Australia a license to sell and ship RSA's new  (SSLeay-based) BSAFE SSL-C toolkit to developers and implementors, anywhere but in the so-called "pariah" nations, with merely routine reporting requirements. Like SSLeay, the several cryptosystems and protocol modules in the BSAFE SSL-C library -- "secure protocol components for C," at <http://www.aus.rsa.com/products/sslc/index.html> --
provides the full suite of strong symmetric and public key cryptosystems
used in the SSL v.1&2 and TLS v.1 -- the trusted and secure SSL
implementation that any 10 year-old American boy or girl gets when he or
she downloads a free "domestic-grade" Web browser from Netscape or
Microsoft.
In the international computer security market, the advent of BSAFE SSL-C is a big deal. I expect you will soon hear of major deals between RSA-Australia and prominent non-American computer and communications firms. RSA's endorsement and pledge of commercial-grade support for Eric Young's code modules should give BSAFE SSL-C legs among prospective corporate buyers world-wide, as these firms seek to integrate strong and trusted crypto into internal applications and their software and hardware products. RSA's corporate credibility and its reputation for quality code and technical support is such that it can, and does, charge a premium when it sells a "Genuine RSA" module of DES code in Japan and other parts of Asia. For a cryptographic security firm, reputation _is_ its core product. RSA Data Security (RSADSI) is best known for its US-patented RSA public key cryptosystem. The RSA "PKC" is a cryptographic protocol which is today used almost universally to create "digital signatures" and to securely exchange crypto keys among individuals with no prior contact. Today, this RSA technology provides the foundation of online electronic commerce -- and e-commerce, many hope, will be the Economic Engine of the 21st Century.  RSA's master cryptographer Ron Rivest (the "R" of RSA) continues to teach at MIT in Cambridge, Mass., but he is also widely regarded as one of the most creative and productive minds in his field. Coinventor of the RSA public key cryptosystem 20 years ago, Rivest has since invented a number of the world's most widely used commercial cryptosystems for RSADSI: RC2, RC4, and recently, RC6, now an official candidate to replace the American DES. He also designed two of the most widely implemented "hash" algorithms: MD4 and MD5. Australia's breakthrough policy on crypto exports -- if it is seen as stable -- is also expected to spur collateral economic development. (A senior Irish official last year reported that his government believed that Ireland's "progressive" stance on crypto export controls had lured over 400 foreign companies to set up offices and plants in Ireland in recent years.) Australia's Howard Administration has apparently concluded that the development of a crypto-savvy industrial sector now is "crucial" to Australia's 21st Century  prosperity. Major figures in the Australian Defense establishment have also made it clear that they believe that the Commonwealth, for its own national security interests, must have a homegrown crypto industry. Given the size of the Australian home market, attracting the investment this will require obviously means crypto exports. And it has always been clear that Australia could only competitively export if it licensed commercial developers to export full-strength, industry-standard, strong crypto products and toolkits. The world "infosec" market is not defined by Wassenaar; quite the contrary: 56-bit crypto simply doesn't meet minimal corporate "good practice" standards in many places. The US Dept. of Commerce told the Wall Street Journal that the key to the legality (under US law) of RSA-Australia's trade in cryptographic modules is that "neither U.S. technology or U.S. personnel could be involved in making the product." (Isn't it interesting to see how many industry observers have expressed surprise to discover that there are apparently some limits to the jurisdiction of US law over foreign nationals -- even if those non-American citizens work for an US-owned firm outside the US?  Revelation! (Yet there is a lesson here. When the NSA conceded that, indeed, there had to be some limit, RSA worked diligently with the US Commerce Dept.to define that limit and forge concrete guidelines.  For a company which fought a decade-long guerrilla war against the NSA -- during which the NSA spent millions trying to crush RSA in the marketplace, vigorously promoting its DSS and Fortezza as a public-key-crypto alternative to RSA's namesake cryptosystem -- this was an interesting display of confidence. Sun Microsystems tried a frontal attack on US export controls with a Russian subsidiary; firms like C2Net and Network Associates ignore the rules and exploit loopholes in the law to export crypto. But name another vendor which has done the dance with the US Commerce Dept. and come out of it with something positive and useful?) When unnatural allies are forced to work together, US diplomats used to call it "constructive engagement." On the Cryptography mailing list, a number of top security architects (Rich Salz of CertCo, Steve Bellovin of AT&T Research, Ben Laurie of the Apache Group and OpenSSL) wondered where and how the line was drawn between US technology and non-US technology -- especially since some of the cryptosystems RSA-Australia was offering (RC4 for example) were based on proprietary RSA products, and most were invented in the US. As I've heard the story, Young and Hudson, representing the nascent RSA-Australia, worked for months to prove to technical examiners from US Dept. of Commerce, and the NSA, that none of Young's code in the new BSAF SSL-C toolkit was directly based on any code or technical analysis developed in the US of A. It is largely because of this that the BSAFE SSL-C crypto library is so different from Young's SSLeay library of algorithms and protocol modules. Reverse-engineered versions of Rivest's RC2 and RC4 cryptosystems have been anonymously published on the Internet, but -- because the source was unknown -- that alone was not enough to document a non-US source. (By 1998, of course, RC2 was no longer merely American: Rivest had published an Internet RFC describing the algorithm as part of RSA's campaign to promote an Internet standard based on its S/MIME protocol for e-mail encryption.) Where there was no solid and explicit documentation of a non-American source for a SSLeay crypto module, Young had to toss it out and reimplement. (Ironically, RSA had years earlier purchased Eric Young's speedy DES implementation as the basis for the DES module in RSA's industry-standard BSAFE (US) toolkit for software developers. The RSA manuals duely credit E. Young.) Young eventually decided to completely reimplement both RC2 and RC4 so he could fully document that all of the code intended for BSAFE SSL-C was based on documentation readily available worldwide. Young's new implementation of RC4 was based on conference proceedings readily available in technical libraries worldwide, but RSA engineers still had to bring in Rivest's RC4 reference code to prove that the two RC4 modules were coded quite differently. Young and Hudson also provided testimonials from other prominent Australian cryptographers that RSA's RC4 algorithm could be readily coded from purely public information that was freely available in many countries. The eventual result was that Young's BSAFE SSL-C code was eventually certified, by officials in both nations, as 100-percent Australian. Australia licensed RSA-Australia to commercially export BSAFE SSL-C before the Wassenaar group met in December to recommend new rules for how the 33 participating states, including Australia, should manage crypto exports -- but the changes don't seem likely to affect the BSAFE SSL-C license. (The Wassenaar security delegates to now urge the participating nations to establish new export controls over "mass market" software which uses crypto with keys longer than 64-bits, and to restrict other symmetric crypto software and hardware with keys longer than 56-bit keys (unless a formal export license is issued by the respective national government. What this might mean in practice is as yet unclear.) To judge from semi-official comments from authorities in Canada, Finland, and Ireland -- three nations which have made major efforts to promote the development of a domestic crypto industry -- the new Wassenaar recommendations will cause few if any changes in their current procedures for overseeing exports from their prized crypto entrepreneurs. Any control system that requires exporters to apply for a license, if sufficiently speedy and predictable, can be almost transparent in the sales process. There is apparently a great deal of leeway in how the Wassenaar "signatories" implement the Wassenaar recommendations and regulate their cryptographic exports. Despite some attempts to portray it as international law, the Wassenaar Arrangement is not even a treaty. It is more like a Memorandum of Understanding among the participating nations. The two probably fatal flaws in the Wassenaar scheme are (a) that not all nations which produce cryptosystems are in the Club, and (b) the members of the Club are infinitely creative in their interpretation of the rules. (Surely, since their national interests vary, to expect otherwise is naive.) Exploiting the market opportunities created by the NSA's effective control over US export controls is now a mainstay of formal economic planning in, for example, the European Community. See the "European Expert Hearing on Digital Signatures and Encryption": <http://www.fsk.dk/fsk/div/hearing/krypt.html> Is it surprising that the
crypto-savvy Aussies now want to do more than waltz with Matilda?
In late December, as the decision of Eric Young and Tim Hudson to go commercial and join RSA became known, there was some consternation among those who depend upon (or whose business plan depends upon) a free cryptographic library. It was misplaced. Tim Hudson had crafted the unusual SSLeay license so that no one -- not even Eric Young or himself -- could bottle up the code they have released and claim it as proprietary. RSA's new BSAFE SSL-C library is a different product. Although the functionality is today similar, BSAFE SSL-C will soon be expanded with new additions from Young and other RSA-Australia developers. With the SSLeay license, however, the two Australian entrepreneurs are both leaving their SSLeay work behind, in the public domain, for others to use and further develop, _and_ carrying parts of it into the commercial software market where RSA-Australia will sell it. SSLeay continues to be in wide circulation, freely available, even as the BSAFE SSL-C library is sold with the extensive documentation and promise of ongoing technial support that RSA traditionally offers it OEM customers. There is clearly room for both. There are business strategies that require many corporations to purchase "mission critical" software -- with clear responsibility (and liability) for quality assurance, maintenance, upgrades, and future development -- and there are others which presume the developers can obtain free code modules. There was a briefly contentious effort to organize a new group of primary developers to continue to develop Young's SSLeay library and to adapt it to the evolving Internet protocols and new opportunities. Americans, by law, are unfortunately forbidden to engage in the sort of transnational Internet-based  cryptographic development this entails, but a number of leading talents in "open source" crypto have banded together in an "OpenSSL" organization to carry on the SSLeay tradition. See: <http://www.openssl.org>
In late December, as the decision of Eric Young and Tim Hudson to go commercial and join RSA became known, there was some consternation among those who depend upon (or whose business plan depends upon) a free cryptographic library. It was misplaced. Tim Hudson had crafted the unusual SSLeay license so that no one -- not even Eric Young or himself -- could bottle up the code they have released and claim it as proprietary. RSA's new BSAFE SSL-C library is a different product. Although the functionality is today similar, BSAFE SSL-C will soon be expanded with new additions from Young and other RSA-Australia developers. With the SSLeay license, however, the two Australian entrepreneurs are both leaving their SSLeay work behind, in the public domain, for others to use and further develop, _and_ carrying parts of it into the commercial software market where RSA-Australia will sell it. SSLeay continues to be in wide circulation, freely available, even as the BSAFE SSL-C library is sold with the extensive documentation and promise of ongoing technial support that RSA traditionally offers it OEM customers. There is clearly room for both. There are business strategies that require many corporations to purchase "mission critical" software -- with clear responsibility (and liability) for quality assurance, maintenance, upgrades, and future development -- and there are others which presume the developers can obtain free code modules. There was a briefly contentious effort to organize a new group of primary developers to continue to develop Young's SSLeay library and to adapt it to the evolving Internet protocols and new opportunities. Americans, by law, are unfortunately forbidden to engage in the sort of transnational Internet-based  cryptographic development this entails, but a number of leading talents in "open source" crypto have banded together in an "OpenSSL" organization to carry on the SSLeay tradition. See: anyone wants to participate. See: <http://www.distributed.net/des/>.)
RSA's symmetric crypto "Challenge" contests have had a major impact on US and international policy and practice. Year by year, they have systematically destroyed many government-fostered illusions about the relative security of the restricted-strength cryptosystems which the Wassenaar coalition of intelligence agencies prefer to be used by citizens (who are not government officials) and corporate and commercial entities. RSA's first Challenge contest, launched in January, 1997, saw grad student Ian Goldberg use an UCLA network of a couple hundred PCs to crack a 40-bit cipher in three and a half hours. At the time, a 40-bit ciphers was the strongest cryptographic security software the US government would allow sold overseas without a sale-specific license approved by the NSA. US export regulations were subsequently changed to allow for the export of 56-bit DES in commercial products -- but only by those vendors who promised to design a "key recovery" mechanism into their products, so as to allow surreptitous third party access to encrypted stored data or communication links by appropriate, and duely authorized, government agents. The DES itself was first cracked in June, 1997, by the DESCHALL network organized by Rocke Verser of Loveland, Colorado. DESCHALL used the Internet to tap the spare cycles of some 70,000 computers (mostly desktop PCs) over four months. DESCHALL won a $10,000 award from RSA by decrypting the message: "Strong cryptography makes the world a safer place." However, the very scale of the effort involved was used by senior US intelligence officials to reassure Congress and corporate users that 56-bit crypto was still robust enough for civilian use. Some thought those officals had missed the point.  Last year, to better drive home the "marginal security" of 56-bit DES, RSA organized another series of 6-month DES Challenge contests in which participants would race the clock to crack DES -- still, even now, the mainstay of corporate security in the US, and in much of rest of the world.. After the Electronic Frontiers Foundation (EFF) built its $220,000 special-purpose DES Cracker ("Deep Crack") and decrypted a DES-enciphered message in only 56 hours in the July '98 RSA Challenge, the statements of top NSA and Justice officials to the US Congress and US businessmen -- assuring them that the DES was still robust enough that industry and much of government could depend upon it -- looked absurd, even deliberately misleading. (See, for example, Cowell and Freeh; June '97 Congressional Testimony. at: <http://jya.com/hir-hear.htm>)
The Wassenaar recommendations were again modernized to catch up. In the US, however, even with the most recent updates -- new special exemptions for powerful industry sectors like banking and insurance; and (finally!) an end to the extortionate demands that US vendors build key-recovery "backdoors" into their products to get DES export permits -- US export regulators continue to restrict US hardware and software exports to crypto no stronger than 56-bit DES. In what is still probably the most irksome aspect of the current US system to American firms which are potential exporters, the Commerce Dept.'s export licensing procedures for crypto, and crypto-enhanced computer and communications products, remains inherently subjective, enormously time-consuming, and largely unpredictable. With American products freely shipped overseas only with broken or "marginal" DES security, many non-American firms -- most, but not all, from the Wassenaar nations --  have actively and very successfully sought to expoit the overseas market opportunities created by US export controls and US crypto politics. Now, RSA-Australia -- fair dinkum RSA, for all the new blokes -- can get a piece of the pie. Suerte, _Vin ----- "Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege." _ A Thinking Man's Creed for Crypto  _vbm. *     Vin McLellan + The Privacy Guild + <vin@shore.net>    *       53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548