Date: Mon, 11 Jan 1999 15:31:19 -0500
From: Vin McLellan <vin@shore.net>
To: aucrypto@suburbia.net
Subject: AUCRYPTO: RSA Down Under
Stewart Baker <sbaker@steptoe.com>, Washington attorney, acting
chairman of the President's Export Council's Subcommittee on Encryption,
former NSA General Counsel, and an usually savvy commentator on crypto
politics and US export controls, wrote on Dave Farber's IP List:
> RSA's Australian crypto announcement should be taken with a
> grain of salt. Australia may have somewhat more lenient
> encryption export practices than the US, but it is in fact
> closely aligned with the US on most such issues.
Historically -- particularly, spook to spook -- this is certainly
true, at least in statutes and regulations controlling the export of
commercial crypto code exported from Australia on magnetic media. See Part
III, category 5/2, of the Australian Controls on the Export of Defence and
Strategic Goods. Crypto software at:
<http://www.dod.gov.au/dao/exportcontrols/greenbk/guidelin.htm> See also
the FAQ from Electronic Frontier, Australia, at:
<http://www.efa.org.au/Issues/Crypto/cryptfaq.html>.
> As I said to one reporter, moving from the US to Australia
> because you don't like US encryption controls is like moving
> from Minneapolis to Chicago because you don't like cold
> winters -- quite possibly an improvement but not exactly a
> solution.
Great line, but....
For many years, Australia has allowed the virtually unrestricted
distribution, over the Internet, of many of the most popular free
industrial-strength cryptosystems, crypto libraries, and crypto-enhanced
application packages. A public FTP site at the Australian Defence Force
Academy offers unrestricted downloads of PGPi, has for years. Imagine the
culture shock if the US suddenly became a nation in which West Point had a
website which offered free and trusted e-mail encryption software, over the
Internet, to any citizen of any country!
Over the past five years, Australia has actually become the source
of choice for strong, free, and unrestricted cryptographic software -- in
large part due to the team of two Aussie cryptographers, Eric Young and Tim
Hudson, that RSA last year was lucky enough to recruit to manage
RSA-Australia, its new R&D crypto lab in Brisbane. How this came about is
the story of SSLeay; a tale any one of thousands of programmers and privacy
mavens around the world could readily retell.
In 1995, Eric Young and Tim Hudson posted version 1 of SSLeay to
the Internet. SSLeay (eay for Eric A. Young) is a free cryptographic
library in which Young managed to single-handedly implement the full suite
of cryptosystems used in SSL: the RSA-based security protocol that provides
confidentiality, integrity, and "digital signature" authentication
functions for secure connections, transactions, and file transfers over the
World Wide Web (WWW) recently invented by European programmers.
Since RSA's public key cryptosystem was patented only in the US,
Young was free to offer a full-strength "domestic US" version of the crypto
internationally, while American export regulations forced Netscape and
other US vendors to export browsers and web servers secured with no more
than 40-bit crypto -- a mere fraction of the 56/128-bit cryptographic
strength used in the otherwise identical products sold in the domestic US
market.
That Eric Young and Tim Hudson made their SSLeay crypto library and
applications available to all without charge -- under a uniquely liberal
license which Hudson drafted to simply require that the code be properly
attributed and forever unencrumbered -- was a striking example of the
fabled freeware and shareware culture that has historically provided much
of the most creative and useful computer software, including most of the
Internet's protocols and essential data services.
That there was a hungry market for SSLeay among corporate
developers who were, around the world, working on internal WWW-based
applications, and small independent developers who wanted to bring their
own SSL-enabled software to market, reflected the growing consciousness
among non-American consumers -- and particularly programmers and other
computer industry professionals -- that they were being sold only broken or
purposely-weakened security technology by American vendors.
There was, and is, some inevitable bitterness among buyers of
computer and communications products which had been designed so that the US
signals intelligence agency, the National Security Agency (NSA), could
eavesdrop at will on supposedly secure transactions. Only Americans believe
that the NSA, and its sibling agencies from other nations, are rummaging
through the world communications net looking for child pornographers, drug
dealers, and terrorists.
From 1996 on, crypto-enhanced free software quickly began pile up
on the SSLeay ftp and web site, now at: <http://www.cryptsoft.com.au>. From
there, it quickly jumped to hundreds, perhaps thousands, of freeware
distribution sites around the world.
For v.1 of SSLeay, Hudson had already integrated SSLeay into
SSLapps, the core Internet services (FTP and Telnet,) and he soon added
full-strength SSL to international versions of several early browsers.
Other volunteers used SSLeay to enhance the remote service utilities of
UNIX. Young and Hudson worked with several teams which integrated SSL
functionality into the full-featured but free Apache webserver. (Another
Australian, Farrell McKay, independently developed Fortify for Netscape, an
ingenious hack which took advantage of a design weakness in the
NSA-approved Netscape crypto module which allowed the Fortify untility to
ungrade the the weak crypto in a Netscape export browser to full strength
SSL.) More recently, Young and Hudson led a team that overnight reinstalled
full-strength SSL into the published -- but crypto-stripped -- code of the
"Mozilla" browser that Netscape released in public domain last year.
Working without pay -- coding for the sheer delight of creation and
in some tradition of service -- the Australian team transformed Mozilla
into "Cryptozilla," today available without restrictions from:
http://mozilla-crypto.ssleay.org/index.php
Freeware and shareware are created wherever there are programmers,
but such free distribution of cryptography and crypto-enhanced privacy and
security products has never been allowed from the US. That Australia became
the nexus for the distribution unversally trusted free crypto
implementations involved Young, Hudson and more than a little chance.
But there was also more than chance involved.
Several Australian governments have proven unwilling or unable to
pass legislation that would have allowed the Australian Defense Department
(which has nominal control of crypto exports on physical media) to extend
its regime to cover the distribution of "intangibles," like software
programs, over the Internet.
The current Australian government, led by Prime Minister John
Howard, has obviously been of two minds in its approach to crypto politics
and export controls on cryptography.
On one hand, Australia is a beneficiary of the UKUSA partnership of
the English-speaking intelligence agencies. Australia has also been one of
the US's closest allies in the Wassenaar Arrangement
<http://www.wassenaar.org>, the diplomatically-cloaked coalition of
intelligence agencies which collectively seeks to restrict international
trade in dangerous munitions and "destabilizing" crypto-based privacy
technology.
Last June -- shortly after Young and Hudson had helped create
Cryptozilla from the "open source" browser code published by Netscape --
Robbie Costmeyer, director of strategic trade policy and operations for the
Australian Defense Department, and the AU Wassenaar delegate, publicly
suggested that Young and Hudson should be prosecuted and jailed under
Australia's Weapons of Mass Destruction Act -- since they seemed to
otherwise elude the export controls he enforced.
On the proverbial other hand, the reaction to Costmeyer's threat
was vehement and telling. Dan Tebbutt, The Australian's widely-read tech
columnist, ridiculed him in print as a Cold War martinet reminiscent of
Jack Nicholson's raving US Marine CO in the movie, "A Few Good Men." It
also quickly became apparent that Mr. Costmeyer was not speaking for the
government, nor even for the Australian Defense Department.
The Federal Minister for Communications, Information Technology and
the Arts, Senator Richard Alston, quickly jumped in to describe Australia's
"generous" cryptography policies as a golden opportunity for Australian
companies.
Tebbutt, The Australian's columnist, paraphrased Mr. Alston: "Local
innovators have the chance to corner lucrative security markets beyond the
reach of dominant multinationals like IBM, Microsoft and Sun, who are
generally prevented from shipping their safest e-commerce products beyond
US borders. Yet the Minister emphasizes that the Government's attitude
falls short of a total green light."
"We are very keen to promote the growth of trade in encryption
technology, but we do have to be mindful of law enforcement
considerations," Mr. Alston said. "I think the balance will move in favour
of commerce rather than law enforcement."
Mr. Baker opined:
> I suspect that [Australian export] controls are the news hook,
> but the commercial motivation is something else.
Look more carefully, Counselor.
True, Eric Young and Tim Hudson are folklore figures in the world
of Internet computing. And Young is now Chief Technical Officer for RSA
Data Security Australia Pty. Ltd., while Hudson is now Technical Director
for Development in RSA's new Brisbane-based crypto R&D center.(See
<http://www.aus.rsa.com>.) But -- contrary to a number of press reports --
there is a lot more to RSA-Australia than the recruitment of new executive
talent for RSA Data Security, Inc.
RSA-Australia is the result of a long and careful campaign to woo
the Australian government with the prospect of high tech economic
development, and to push the US government to define the (perhaps still
evolving) guidelines that govern how non-US citizens -- who work outside
the United States, for an American-owned, but overseas-chartered, firm --
can be involved in development and sale of cryptographic products.
I've been a consultant to Security Dynamics Technologies, RSA's
parent firm, for many years, but I'm not privy to the insider details. The
immediate results seem apparent, however. Tim Hudson, Eric Young, and RSA's
CEO Jim Bidzos have cracked a door that could give RSA-Australia a
potentially lucrative role in the burgeoning global market for e-commerce
infrastructure.
After extensive negotiations and consultations with RSA, Canberra
last year decided to give RSA-Australia a license to sell and ship RSA's
new (SSLeay-based) BSAFE SSL-C toolkit to developers and implementors,
anywhere but in the so-called "pariah" nations, with merely routine
reporting requirements.
Like SSLeay, the several cryptosystems and protocol modules in the
BSAFE SSL-C library -- "secure protocol components for C," at
<http://www.aus.rsa.com/products/sslc/index.html> --
provides the full suite of strong symmetric and public key cryptosystems
used in the SSL v.1&2 and TLS v.1 -- the trusted and secure SSL
implementation that any 10 year-old American boy or girl gets when he or
she downloads a free "domestic-grade" Web browser from Netscape or
Microsoft.
In the international computer security market, the advent of BSAFE
SSL-C is a big deal. I expect you will soon hear of major deals between
RSA-Australia and prominent non-American computer and communications firms.
RSA's endorsement and pledge of commercial-grade support for Eric
Young's code modules should give BSAFE SSL-C legs among prospective
corporate buyers world-wide, as these firms seek to integrate strong and
trusted crypto into internal applications and their software and hardware
products. RSA's corporate credibility and its reputation for quality code
and technical support is such that it can, and does, charge a premium when
it sells a "Genuine RSA" module of DES code in Japan and other parts of
Asia. For a cryptographic security firm, reputation _is_ its core product.
RSA Data Security (RSADSI) is best known for its US-patented RSA
public key cryptosystem. The RSA "PKC" is a cryptographic protocol which is
today used almost universally to create "digital signatures" and to
securely exchange crypto keys among individuals with no prior contact.
Today, this RSA technology provides the foundation of online electronic
commerce -- and e-commerce, many hope, will be the Economic Engine of the
21st Century. RSA's master cryptographer Ron Rivest (the "R" of RSA)
continues to teach at MIT in Cambridge, Mass., but he is also widely
regarded as one of the most creative and productive minds in his field.
Coinventor of the RSA public key cryptosystem 20 years ago, Rivest
has since invented a number of the world's most widely used commercial
cryptosystems for RSADSI: RC2, RC4, and recently, RC6, now an official
candidate to replace the American DES. He also designed two of the most
widely implemented "hash" algorithms: MD4 and MD5.
Australia's breakthrough policy on crypto exports -- if it is seen
as stable -- is also expected to spur collateral economic development. (A
senior Irish official last year reported that his government believed that
Ireland's "progressive" stance on crypto export controls had lured over 400
foreign companies to set up offices and plants in Ireland in recent years.)
Australia's Howard Administration has apparently concluded that the
development of a crypto-savvy industrial sector now is "crucial" to
Australia's 21st Century prosperity. Major figures in the Australian
Defense establishment have also made it clear that they believe that the
Commonwealth, for its own national security interests, must have a
homegrown crypto industry.
Given the size of the Australian home market, attracting the
investment this will require obviously means crypto exports. And it has
always been clear that Australia could only competitively export if it
licensed commercial developers to export full-strength, industry-standard,
strong crypto products and toolkits. The world "infosec" market is not
defined by Wassenaar; quite the contrary: 56-bit crypto simply doesn't meet
minimal corporate "good practice" standards in many places.
The US Dept. of Commerce told the Wall Street Journal that the key
to the legality (under US law) of RSA-Australia's trade in cryptographic
modules is that "neither U.S. technology or U.S. personnel could be
involved in making the product."
(Isn't it interesting to see how many industry observers have
expressed surprise to discover that there are apparently some limits to the
jurisdiction of US law over foreign nationals -- even if those non-American
citizens work for an US-owned firm outside the US? Revelation!
(Yet there is a lesson here. When the NSA conceded that, indeed,
there had to be some limit, RSA worked diligently with the US Commerce
Dept.to define that limit and forge concrete guidelines. For a company
which fought a decade-long guerrilla war against the NSA -- during which
the NSA spent millions trying to crush RSA in the marketplace, vigorously
promoting its DSS and Fortezza as a public-key-crypto alternative to RSA's
namesake cryptosystem -- this was an interesting display of confidence. Sun
Microsystems tried a frontal attack on US export controls with a Russian
subsidiary; firms like C2Net and Network Associates ignore the rules and
exploit loopholes in the law to export crypto. But name another vendor
which has done the dance with the US Commerce Dept. and come out of it with
something positive and useful?)
When unnatural allies are forced to work together, US diplomats
used to call it "constructive engagement."
On the Cryptography mailing list, a number of top security
architects (Rich Salz of CertCo, Steve Bellovin of AT&T Research, Ben
Laurie of the Apache Group and OpenSSL) wondered where and how the line was
drawn between US technology and non-US technology -- especially since some
of the cryptosystems RSA-Australia was offering (RC4 for example) were
based on proprietary RSA products, and most were invented in the US.
As I've heard the story, Young and Hudson, representing the
nascent RSA-Australia, worked for months to prove to technical examiners
from US Dept. of Commerce, and the NSA, that none of Young's code in the
new BSAF SSL-C toolkit was directly based on any code or technical analysis
developed in the US of A.
It is largely because of this that the BSAFE SSL-C crypto library is so
different from Young's SSLeay library of algorithms and protocol modules.
Reverse-engineered versions of Rivest's RC2 and RC4 cryptosystems
have been anonymously published on the Internet, but -- because the source
was unknown -- that alone was not enough to document a non-US source. (By
1998, of course, RC2 was no longer merely American: Rivest had published an
Internet RFC describing the algorithm as part of RSA's campaign to promote
an Internet standard based on its S/MIME protocol for e-mail encryption.)
Where there was no solid and explicit documentation of a non-American
source for a SSLeay crypto module, Young had to toss it out and
reimplement. (Ironically, RSA had years earlier purchased Eric Young's
speedy DES implementation as the basis for the DES module in RSA's
industry-standard BSAFE (US) toolkit for software developers. The RSA
manuals duely credit E. Young.)
Young eventually decided to completely reimplement both RC2 and RC4
so he could fully document that all of the code intended for BSAFE SSL-C
was based on documentation readily available worldwide. Young's new
implementation of RC4 was based on conference proceedings readily available
in technical libraries worldwide, but RSA engineers still had to bring in
Rivest's RC4 reference code to prove that the two RC4 modules were coded
quite differently. Young and Hudson also provided testimonials from other
prominent Australian cryptographers that RSA's RC4 algorithm could be
readily coded from purely public information that was freely available in
many countries.
The eventual result was that Young's BSAFE SSL-C code was
eventually certified, by officials in both nations, as 100-percent
Australian.
Australia licensed RSA-Australia to commercially export BSAFE SSL-C
before the Wassenaar group met in December to recommend new rules for how
the 33 participating states, including Australia, should manage crypto
exports -- but the changes don't seem likely to affect the BSAFE SSL-C
license.
(The Wassenaar security delegates to now urge the participating
nations to establish new export controls over "mass market" software which
uses crypto with keys longer than 64-bits, and to restrict other symmetric
crypto software and hardware with keys longer than 56-bit keys (unless a
formal export license is issued by the respective national government. What
this might mean in practice is as yet unclear.)
To judge from semi-official comments from authorities in Canada,
Finland, and Ireland -- three nations which have made major efforts to
promote the development of a domestic crypto industry -- the new Wassenaar
recommendations will cause few if any changes in their current procedures
for overseeing exports from their prized crypto entrepreneurs. Any control
system that requires exporters to apply for a license, if sufficiently
speedy and predictable, can be almost transparent in the sales process.
There is apparently a great deal of leeway in how the Wassenaar
"signatories" implement the Wassenaar recommendations and regulate their
cryptographic exports.
Despite some attempts to portray it as international law, the
Wassenaar Arrangement is not even a treaty. It is more like a Memorandum of
Understanding among the participating nations. The two probably fatal flaws
in the Wassenaar scheme are (a) that not all nations which produce
cryptosystems are in the Club, and (b) the members of the Club are
infinitely creative in their interpretation of the rules. (Surely, since
their national interests vary, to expect otherwise is naive.)
Exploiting the market opportunities created by the NSA's effective
control over US export controls is now a mainstay of formal economic
planning in, for example, the European Community. See the "European Expert
Hearing on Digital Signatures and Encryption":
<http://www.fsk.dk/fsk/div/hearing/krypt.html> Is it surprising that the
crypto-savvy Aussies now want to do more than waltz with Matilda?
In late December, as the decision of Eric Young and Tim Hudson to
go commercial and join RSA became known, there was some consternation among
those who depend upon (or whose business plan depends upon) a free
cryptographic library. It was misplaced. Tim Hudson had crafted the unusual
SSLeay license so that no one -- not even Eric Young or himself -- could
bottle up the code they have released and claim it as proprietary. RSA's
new BSAFE SSL-C library is a different product. Although the functionality
is today similar, BSAFE SSL-C will soon be expanded with new additions from
Young and other RSA-Australia developers.
With the SSLeay license, however, the two Australian entrepreneurs
are both leaving their SSLeay work behind, in the public domain, for others
to use and further develop, _and_ carrying parts of it into the commercial
software market where RSA-Australia will sell it. SSLeay continues to be in
wide circulation, freely available, even as the BSAFE SSL-C library is sold
with the extensive documentation and promise of ongoing technial support
that RSA traditionally offers it OEM customers.
There is clearly room for both. There are business strategies that
require many corporations to purchase "mission critical" software -- with
clear responsibility (and liability) for quality assurance, maintenance,
upgrades, and future development -- and there are others which presume the
developers can obtain free code modules.
There was a briefly contentious effort to organize a new group of
primary developers to continue to develop Young's SSLeay library and to
adapt it to the evolving Internet protocols and new opportunities.
Americans, by law, are unfortunately forbidden to engage in the sort of
transnational Internet-based cryptographic development this entails, but a
number of leading talents in "open source" crypto have banded together in
an "OpenSSL" organization to carry on the SSLeay tradition. See:
<http://www.openssl.org>
In late December, as the decision of Eric Young and Tim Hudson to
go commercial and join RSA became known, there was some consternation among
those who depend upon (or whose business plan depends upon) a free
cryptographic library. It was misplaced. Tim Hudson had crafted the unusual
SSLeay license so that no one -- not even Eric Young or himself -- could
bottle up the code they have released and claim it as proprietary. RSA's
new BSAFE SSL-C library is a different product. Although the functionality
is today similar, BSAFE SSL-C will soon be expanded with new additions from
Young and other RSA-Australia developers.
With the SSLeay license, however, the two Australian entrepreneurs
are both leaving their SSLeay work behind, in the public domain, for others
to use and further develop, _and_ carrying parts of it into the commercial
software market where RSA-Australia will sell it. SSLeay continues to be in
wide circulation, freely available, even as the BSAFE SSL-C library is sold
with the extensive documentation and promise of ongoing technial support
that RSA traditionally offers it OEM customers.
There is clearly room for both. There are business strategies that
require many corporations to purchase "mission critical" software -- with
clear responsibility (and liability) for quality assurance, maintenance,
upgrades, and future development -- and there are others which presume the
developers can obtain free code modules.
There was a briefly contentious effort to organize a new group of
primary developers to continue to develop Young's SSLeay library and to
adapt it to the evolving Internet protocols and new opportunities.
Americans, by law, are unfortunately forbidden to engage in the sort of
transnational Internet-based cryptographic development this entails, but a
number of leading talents in "open source" crypto have banded together in
an "OpenSSL" organization to carry on the SSLeay tradition. See:
anyone wants to participate. See: <http://www.distributed.net/des/>.)
RSA's symmetric crypto "Challenge" contests have had a major impact
on US and international policy and practice. Year by year, they have
systematically destroyed many government-fostered illusions about the
relative security of the restricted-strength cryptosystems which the
Wassenaar coalition of intelligence agencies prefer to be used by citizens
(who are not government officials) and corporate and commercial entities.
RSA's first Challenge contest, launched in January, 1997, saw grad
student Ian Goldberg use an UCLA network of a couple hundred PCs to crack a
40-bit cipher in three and a half hours. At the time, a 40-bit ciphers was
the strongest cryptographic security software the US government would allow
sold overseas without a sale-specific license approved by the NSA.
US export regulations were subsequently changed to allow for the
export of 56-bit DES in commercial products -- but only by those vendors
who promised to design a "key recovery" mechanism into their products, so
as to allow surreptitous third party access to encrypted stored data or
communication links by appropriate, and duely authorized, government agents.
The DES itself was first cracked in June, 1997, by the DESCHALL
network organized by Rocke Verser of Loveland, Colorado. DESCHALL used the
Internet to tap the spare cycles of some 70,000 computers (mostly desktop
PCs) over four months. DESCHALL won a $10,000 award from RSA by decrypting
the message: "Strong cryptography makes the world a safer place."
However, the very scale of the effort involved was used by senior
US intelligence officials to reassure Congress and corporate users that
56-bit crypto was still robust enough for civilian use. Some thought those
officals had missed the point. Last year, to better drive home the
"marginal security" of 56-bit DES, RSA organized another series of 6-month
DES Challenge contests in which participants would race the clock to crack
DES -- still, even now, the mainstay of corporate security in the US, and
in much of rest of the world..
After the Electronic Frontiers Foundation (EFF) built its $220,000
special-purpose DES Cracker ("Deep Crack") and decrypted a DES-enciphered
message in only 56 hours in the July '98 RSA Challenge, the statements of
top NSA and Justice officials to the US Congress and US businessmen --
assuring them that the DES was still robust enough that industry and much
of government could depend upon it -- looked absurd, even deliberately
misleading.
(See, for example, Cowell and Freeh; June '97 Congressional Testimony. at:
<http://jya.com/hir-hear.htm>)
The Wassenaar recommendations were again modernized to catch up. In
the US, however, even with the most recent updates -- new special
exemptions for powerful industry sectors like banking and insurance; and
(finally!) an end to the extortionate demands that US vendors build
key-recovery "backdoors" into their products to get DES export permits --
US export regulators continue to restrict US hardware and software exports
to crypto no stronger than 56-bit DES.
In what is still probably the most irksome aspect of the current US
system to American firms which are potential exporters, the Commerce
Dept.'s export licensing procedures for crypto, and crypto-enhanced
computer and communications products, remains inherently subjective,
enormously time-consuming, and largely unpredictable.
With American products freely shipped overseas only with broken or
"marginal" DES security, many non-American firms -- most, but not all, from
the Wassenaar nations -- have actively and very successfully sought to
expoit the overseas market opportunities created by US export controls and
US crypto politics.
Now, RSA-Australia -- fair dinkum RSA, for all the new blokes --
can get a piece of the pie.
Suerte,
_Vin
-----
"Cryptography is like literacy in the Dark Ages. Infinitely potent, for
good and ill... yet basically an intellectual construct, an idea, which by
its nature will resist efforts to restrict it to bureaucrats and others who
deem only themselves worthy of such Privilege."
_ A Thinking Man's Creed for Crypto _vbm.
* Vin McLellan + The Privacy Guild + <vin@shore.net> *
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548