December 1992 - cypherpunks-legacy

RE: Signing text messages...
by Doctor Zaphod 23 Dec '92

23 Dec '92

In Message 23 Dec 92 00:49:30 EST, Hal <CompuServe.COM!74076.1041(a)netcomsv.netcom.com> writes: >My public key, for those wanting to check the sig on the message below: By including your public key WITH your signed messages, aren't you inviting people to intercept it, replace it with they're own public key, and re-sign the message? If I didn't have a trusted copy of your public key already I wouldn't be able to verify your signature. TTFN! DrZaphod [AC/DC] / [DnA][HP] [drzaphod(a)ncselxsi.uucp] Technicolorized

1 0

Re: Pax and .fi remailer
by Hal 23 Dec '92

23 Dec '92

-----BEGIN PGP SIGNED MESSAGE----- Yanek points out a purpose for a PAX-hidden remailer: > You don't have to tell anyone that your remailer is behind the anon.100 > address. You could just (anonymously, of course) announce that a > remailer is running, and can be reached by sending message to the > anon.100 address. This way, no-one but the admins at pax can know > where the remailer itself lives. This could be useful in case > remailers are banned. The problem with this, it seems to me, is that the address of this "secret" remailer is compromised whenever it sends something out. I could just send a "Request-Remailing-To: <me>" message to this PAX anon.100 address, and then look at the return address when the message comes to me from this remailer. So again the anonymity provided by PAX seems to be lost. Now, one way to avoid this would be for the secret remailer not to send its outgoing mail directly to the requested destination, but rather always to insert one or other remailers into the chain. I think it was Yanek himself (or Dr. Z?) who suggested this earlier. This might work, but as was pointed out, if everyone does this we'll just get into infinite mail loops. Still, it might be OK if a well-known public remailer were chosen, especially one that was likely to be relativelly immune to pressure. I noted in the discussion of the anon.penet.fi remailer the author made the point that it was running on a machine in his house, one that he owned and used in his independent business. So presumably his machine is not going to be easy to shut down. (My remailer, OTOH, is running as part of what is basically a guest account on a machine which is to be used just for email and a little telnet/ftp activity. I figure that the remailer performs an email function, speaking broadly, so it's OK under the agreement I signed. But I'm sure that if the admin received some complaints I'd be kicked off. So I can't make any guarantees about how long it will be around.) (This would be another piece of information that would be useful in the remailer database being constructed by Eric Hollander - some comments on how immune the remailer operator would be to political pressure due to unpopular or illegal messages.) If this well-known machine guaranteed NOT to do this remail-via-a-remailer outgoing step, then it could be used by less politically secure remailers to protect themselves from pressure. In such a system, Yanek is right that a remailer could run completely anonymously. Perhaps someone would like to start up a remailer which runs under such a system. Hal Finney 74076.1041(a)compuserve.com -----BEGIN PGP SIGNATURE----- Version: 2.1 iQCVAgUBKzhqjKgTA69YIUw3AQFNmAQAgioJMosbMCoit2XflfzK/wgIOkG8qBfG JO3iTWRskVP5Gp43N1bs7W6YhgEXKWdJ/dqNoWrYV2/181zFhXh0xe7lsGifut1b UQGW6DipYIMlW0TbNjhpiIWwAQChn/3NvTJtcBGL0GY3l4ZjMZFs2qBonc/Y1Boe jWfWgQbHSXw= =6y5/ -----END PGP SIGNATURE----- Distribution: CYPHERPUNKS >INTERNET:CYPHERPUNKS@TOAD.COM

1 0

Pax and .fi remailers
by Hal 23 Dec '92

23 Dec '92

Upon more thought, I don't see a really good way to use the PAX remailer in conjunction with our remailers based on the scripts of Eric Hughes. The PAX remailer can only be used to send messages to those who have "registered" with the remailer to receive an anonymous ID there. So, for PAX to work with our remailers we would have to register. For example, my remailer at hal(a)alumni.caltech.edu would have to register with PAX and receive an anonymous ID, like "anon.100(a)pax.tpa.com.au". Then, to use a two-hop remailer consisting of first PAX and then mine, you would prepare a message as usual for my remailer: ==================== :: Request-Remailing-To: dest This is a message for two-hop anonymous remailing. ==================== Perhaps you would encrypt this using my remailer's public key, getting: ==================== :: Encrypted: PGP -----BEGIN PGP MESSAGE----- Version: 2.1 hEwCG6rHcT8LtDcBAfwLWYgWXpCoi7TjoeVttBYpk3KPbiYf9L9CCegfYlvj56RA OFrijYag+jqNlHQXmO52bXL8PaNUowD7a2pFY80WpgAAAGt/RXNzaWkI/b3CkviB eh/piaUDxgfPd4npcURHtUCEeh8bPpzVaI9qm6xZlxSaJif+CtFqyuaRezj+hcXR YT9JOl93LAxQJITeYUlPXgkBEvyB4u3HjpCDSS5NETDcqd8rtBspzUvlcmqT1g== =d356 -----END PGP MESSAGE----- ==================== You would then send this to anon.100(a)pax.tpa.com.au. (NOTE: Don't try this - I haven't yet gotten an anonymous ID at PAX.) PAX would forward it to my remailer, unchanged, which would then decrypt it and send it onward. Oh, yes, PAX would also strip the .sig, which is perhaps why you'd want to do this. But for this to work, I have to publically announce that my remailer, hal(a)alumni.caltech.edu, can be reached at PAX "anonymous" address anon.100(a)pax.tpa.com.au. This seems a little strange, as the PAX address is then no longer anonymous. I have to tell everybody what the address is in order for it to be useful. So, the PAX remailer doesn't really add much anonymity, but it does excise your .sig. It's not clear that it's worth it just for that. On a more positive note, the other remailer, in Finland, is much more promising for our purposes. It has a remailing capability similar to ours. You could send mail to: hal%alumni.caltech.edu(a)anon.penet.fi, and it would forward the mail to hal(a)alumni.caltech.edu. This is similar functionality to a non-encrypting form of the remailers we are operating, and so it can help confuse things. Also, this remailer could be used in a chain of our remailers by using an address of the proper form. For example, mail sent to the Rebma remailer, then to Finland, then to the Rosebud remailer, could be done by putting, at the front of your message: :: Request-Remailing-To: elee7h5%rosebud.ee.uh.edu(a)anon.penet.fi :: Request-Remailing-To: <dest> Then a blank line, then your message itself. Mail it to remailer(a)rebma.mn.org. I haven't tried this but it should work, theoretically. Hal 74076.1041(a)compuserve.com Distribution: CYPHERPUNKS >INTERNET:CYPHERPUNKS@TOAD.COM

2 1

Encryption Technology
by yanek＠novavax.nova.edu 23 Dec '92

23 Dec '92

> I am going to be teaching a seminar on computer law next quarter. One area > the casebooks seem to entirely ignore is encryption--the area where > technology is currently supporting privacy and weakening state power. I would > appreciate either references to or on line copies of useful material. The > three main things I need are a clear explanation of the technology (public > key cryptography in particular), I assume that you just want an explanation of what the technology does, not how exactly it works, i.e. I am not going to include the formulas and algorithms, just a description of what it does and how it can be used. Here's a summary of a couple of the most relevant technologies: PUBLIC KEY CRYPTOGRAPHY -- each person generates two keys, one is called teh public key the other is private. These two are related in that what is encrypted with one can only be decrypted with the other. It is impossible (computationally infeasible) to derive one knowing the other. The most popular public key cryptography algorithm is RSA, which is based on the ease of multiplying large primes, and the difficulty of factoring the product. How it is used: you publish the public key, while keeping the private key to yourself. Anyone can send a secret message to you by encrypting it with your public key. You are the only one that can decrypt the message, since only you have the private key. You can reply by encrypting your message with their public key, and they can decrypt it with their private key. DIGITAL SIGNATURES -- techniques that are used to verify that a message claiming to be from you was actually written by you. To do that, you compute a "message digest", which is similar to a "checksum" in that it can be used to check that the message has not been altered. Then you encrypt the "digest" with your private key and attach to the message. Currently the most popular "digest" algorithm is MD5. To verify a signature: the person verifying computes the same checksum, then decrypts the checksum attached to the message. If the two match, the message must have been signed by you, since no-one else has your private key, and could not have generated the signature. DIFFEY-HELLMANN KEY EXCHANGE -- a protocol by which two communicating parties can arrive at a secret piece of information that can not be known to a passive eavesdropper (as in a wiretap), and can not be recovered from analysis of recorded communication. This secret piece of information is usually used as the key for a conventional cryptography algorithm such as DES or IDEA to encrypt following communication. SENDER UNTRACEABILITY -- use of a protocol by which one of a group of commnicating entities can send a public message, while it is impossible to trace the message to the sender. This can be used to send messages anonymously or pseudonymously and untraceably. One of the protocols that makes this possible is David Chaum's dc-net protocol, in which every participant sends some data, and when all the data are combined, the anonymous message emerges. Another is the mix-net, or "remailer" approach. In this case, you send your message to a re-mailer, with encrypted instructions on where to send it. By sending your message through a chain of such remailers, untraceability is achieved. RECEIVER UNTRACEABILITY -- a method by which you can retrieve a message sent to you, without anyone having any way of knowing that you received the message, or indeed if you received any message at all. How it works: anyone wanting to leave a message to you encrypts it with your public key, and posts it on a "bulletin board". You download all the messages from the bulletin board periodically, and see if you can decrypt any using your private key. DIGITAL CASH -- one entity creates some amount of digital "tokens", which may then be transfered to other people, who can transfer them between each other, and when they are returned to their creator, he can not trace the transactions that have occured, only the total balance of a person at the end of the set of transactions. > a clear explanation of how it can be used and why it matters, Each of these technologies by itself can not accomplish much. But if all these are put together, any person can send messages to any other person, without anyone but the two of them knowing that a message was sent, or what it said. As for why it matters, I include here Timothy C. May's Crypto Anarchist Manifesto: The Crypto Anarchist Manifesto Timothy C. May tcmay(a)netcom.com A specter is haunting the modern world, the specter of crypto anarchy. Computer technology is on the verge of providing the ability for individuals and groups to communicate and interact with each other in a totally anonymous manner. Two persons may exchange messages, conduct business, and negotiate electronic contracts without ever knowing the True Name, or legal identity, of the other. Interactions over networks will be untraceable, via extensive re- routing of encrypted packets and tamper-proof boxes which implement cryptographic protocols with nearly perfect assurance against any tampering. Reputations will be of central importance, far more important in dealings than even the credit ratings of today. These developments will alter completely the nature of government regulation, the ability to tax and control economic interactions, the ability to keep information secret, and will even alter the nature of trust and reputation. The technology for this revolution--and it surely will be both a social and economic revolution--has existed in theory for the past decade. The methods are based upon public-key encryption, zero-knowledge interactive proof systems, and various software protocols for interaction, authentication, and verification. The focus has until now been on academic conferences in Europe and the U.S., conferences monitored closely by the National Security Agency. But only recently have computer networks and personal computers attained sufficient speed to make the ideas practically realizable. And the next ten years will bring enough additional speed to make the ideas economically feasible and essentially unstoppable. High-speed networks, ISDN, tamper-proof boxes, smart cards, satellites, Ku-band transmitters, multi-MIPS personal computers, and encryption chips now under development will be some of the enabling technologies. The State will of course try to slow or halt the spread of this technology, citing national security concerns, use of the technology by drug dealers and tax evaders, and fears of societal disintegration. Many of these concerns will be valid; crypto anarchy will allow national secrets to be trade freely and will allow illicit and stolen materials to be traded. An anonymous computerized market will even make possible abhorrent markets for assassinations and extortion. Various criminal and foreign elements will be active users of CryptoNet. But this will not halt the spread of crypto anarchy. Just as the technology of printing altered and reduced the power of medieval guilds and the social power structure, so too will cryptologic methods fundamentally alter the nature of corporations and of government interference in economic transactions. Combined with emerging information markets, crypto anarchy will create a liquid market for any and all material which can be put into words and pictures. And just as a seemingly minor invention like barbed wire made possible the fencing-off of vast ranches and farms, thus altering forever the concepts of land and property rights in the frontier West, so too will the seemingly minor discovery out of an arcane branch of mathematics come to be the wire clippers which dismantle the barbed wire around intellectual property. Arise, you have nothing to lose but your barbed wire fences! -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay(a)netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | PGP Public Key: by arrangement. > and a brief summary of the present legal/political > situation--in particular, attempts and suggestions that have been made to > control the technology. The FBI has proposed a "Digital Telephony" bill, which would require all providers of any kind of communications service to build in a wiretap capability for the government. Department of State is restricting the export of any crypto software, claiming that it is a weapon, and therefore falls under ITAR (International Traffic in Arms Regulations) rules. Public Key Partners (PKP) holds the control of patents that cover RSA, and possibly the very idea of public key cryptography. Someone (I can't provide a reference) has proposed that anyone that uses encryption should be required to register their key with the Justice Department, so that the text could be decrypted if a search warrant is issued. These are all the attempts to control this technology that come to my mind right now. The Electronic Frontier Foundation (EFF) can probably provide more information (e-mail to eff(a)eff.org) > David Friedman > DDFr(a)Midway.UChicago.Edu > DDFr(a)AOL.Com -- Yanek Martinson mthvax.cs.miami.edu!safe0!yanek uunet!medexam!yanek this address preferred -->> yanek(a)novavax.nova.edu <<-- this address preferred Phone (305) 765-6300 daytime FAX: (305) 765-6708 1321 N 65 Way/Hollywood (305) 963-1931 evenings (305) 981-9812 Florida, 33024-5819

1 0

Signing text messages...
by Hal 23 Dec '92

23 Dec '92

My public key, for those wanting to check the sig on the message below: -----BEGIN PGP PUBLIC KEY BLOCK----- mQCNAiqsNkwAAAEEAMKWM52m5EWi0ocK4u1cC2PPyHT6tavk9PC3TB5XBYDegf3d sldRpnjJj1r+aO08FFO+QLEI9wtBqvf1PPP5iLX7sD2uIVlJH14MPtyVtjm9ZKb8 JMtCW74045BgtHBC9yQ3V7vXNV5jM6dE2ocnH4AI/pBFrGLJPKgTA69YIUw3AAUR tCZIYWwgRmlubmV5IDw3NDA3Ni4xMDQxQGNvbXB1c2VydmUuY29tPokAlQIFECqu M1Tidd4O/2f3CwEByrUD/3uoV2y+Fuicrrd2oDawgOw9Ejcx6E+Ty9PVPqKvflLs 0zYyGfeFVSgBbTSDP3X91N3F68nydl9J9VA6QRCGelHM1cZRukCJ0AYbKYfpwUN0 xjEGHsDrd2gT5iWlB3vBZvi+6Ybs4rSq+gyZzVm1/+oRrMen32fz2r0CLgUtHok2 =fF6Z -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNED MESSAGE----- Phil Karn asks about end-of-line conventions for signed text messages. PGP uses the convention of lines terminated by carriage-return-line-feed. On Unix systems or other systems which don't use that convention, it attempts to change the message into this "canonical" text mode before calculating or checking the signature. The issue of trailing blanks is more problematical. Some mail gateways and some mail "user agent" software apparently take liberties with blanks at the end of lines. The PGP canonical text format does not include any specification for whether lines could or could not have blanks at the end. If mailers will leave trailing blanks alone, then PGP cleartext signed messages will have correct signatures. If some intervening mailer has added or removed trailing blanks, then the signatures will be wrong. Presumably something like this has happened to my signed message on which Edgar found a bad signature. Perhaps Edgar could try stripping any trailing blanks from his copy of my message and see if it then signature-checks OK. I'll double-check that this message is signed with no trailing blanks. Then if you get a bad signature, I predict that you must have trailing blanks in your copy of the file. I'd appreciate hearing whether this prediction is correct. It would be possible to change PGP's canonical text format to specify that lines have no blanks at the end. In that case, PGP would, whenever it computed or checked a signature on a text file, process the file to make sure that each line ended with a CRLF preceded by no trailing blanks. I think this would solve a lot of the gateway problems. But it would be a somewhat more "aggressive" change to what the user is asking PGP to sign. The design of PGP's cleartext signature was influenced by PEM, which also uses a canonical text format for line terminators, but doesn't deal with trailing spaces, as far as I know. The real solution, IMO, is to fix those broken mailers that add or remove spaces. I don't see why this behavior has ever been put into mail gateways. Hal Finney 74076.1041(a)compuserve.com -----BEGIN PGP SIGNATURE----- Version: 2.1 iQCVAgUBKzfNHqgTA69YIUw3AQGNdwP/Q51Lvmee1cTb865aInePsRxMTe4qfjeU DSP8o5hHlBKbII8mCrU/WHZ7upjO3ak4E6wZDyOexsfJFH4FIMnDueihrVVXevlA FWUQopZIyG4P5Wzofgra8BSjw5WzVZncW2alPQFuB40D9N9VgyopX8IktktVPs4p qDkHsn9zIpU= =K/Ui -----END PGP SIGNATURE----- Distribution: CYPHERPUNKS >INTERNET:CYPHERPUNKS@TOAD.COM

1 0

Re: Signing ascii text
by karn＠qualcomm.com 23 Dec '92

23 Dec '92

Okay, the cr/lf convention is what I suspected was the case. That's what I'll implement. Can't do much about the munged messages... Phil

1 0

Signing ascii text
by karn＠qualcomm.com 23 Dec '92

23 Dec '92

I see some potential problems here as people start signing ASCII text (e.g., email messages, etc). Is there a convention for the end of line sequence that is to be used for the copy of the file that is run through the hash function? If there isn't, then the file hash will depend on the local end-of-line convention, which is bad. I'm facing this problem right now in an experimental "XMD5" command that I've added to my FTP server. The idea is to let you compute a hash on a remote file so you can compare it with a local file without actually having to send it. It works great in binary mode, but ascii mode is problematic. Phil

2 1

Re: Remailer Policies
by D Anton Sherwood 23 Dec '92

23 Dec '92

Keith Henson asked: > Re logs and trying to destroy them when the cops are beating down your > door, wouldn't it be a lot better to keep them encrypted? Keith Here's a lame question from a beginner who hasn't even downloaded PGP: Am I supposed to memorize my private key, lest cops beat down the door while I'm out? Anton Sherwood dasher(a)well.sf.ca.us +1 415 267 0685 1800 Market St #207, San Francisco 94102 USA

1 0

Amtrak San Jose - San Diego for Usenix
by gnu＠cygnus.com 23 Dec '92

23 Dec '92

Costs $107 round trip, and takes about 14 hours each way. FYI. John

1 0

RIPEM message for your approval
by jim＠RSA.COM 22 Dec '92

22 Dec '92

Mark- As you can imagine, many changes have been proposed, and, I think, some good ones incorporated, in the most current form of the RSAREF license. These changes are based on constructive comments from over twenty people. These changes may encourage folks to distribute RSAREF and RIPEM who otherwise would not have. We plan to make all RSAREF applications (such as RIPEM) availble WITH RSAREF. Why shouldn't someone get all the stuff built on it if they get RSAREF? (Including helpful code such as the Thompson/Schiller emacs adapter.) I assume you have no objection. I'm hopeful that you see these changes as positive; please let me know if that's not true! I offer a summary of them, the rationale, perceived benefits, and a complete copy of the revised license. ------------------------------------------------------------------ Here's a summary of the changes between what's attached (the one we plan to now "standardize" on for RSAREF) and what you sent me: changed 1(a) and added (8): the license is now perpetual. Some have claimed RSA might "suddenly" decide to cancel RSAREF licenses. It is now crystal clear that the license can only be cancelled by violating the agreement. RSA cannot cancel it at its discretion. And even if you violate it, it doesn't cancel the license of those who got it from you. I think this is an importnat clarification, from what I've heard. changed 1(c) and added 2(d): We don't care about any porting or performance mods, but we don't feel we should allow automatic access under the normal interface. We've granted it to you since RIPEM predates RSAREF (also to John Gilmore for a secure RLOGIN using Diffie-Hellman) and we'll grant it to anyone for any reasonable use. (We state so in the Agreement.) We just want to know what it is we're allowing to go around the interface. End of Section 1 - a clarification in the form of an addition is made here. Some have said that unrelated software on a tape with RSAREF could be covered by the restrictions imposed on RSAREF Application Programs. This should clear that up. (I believe this helps you in the separate distribution of the RIPEM code minus the RSAREF code.) changed (6): We simply have removed RSA's $5,000 cap on protecting RSAREF users against charges from some other patent holders. (Like PKP!) Some have claimed that RSAREF was posibly a way to "set up" users for PKP (the patent holders) since $5K was hardly enough to defend against patent infringement. (They actually thought RSAREF was a way to get people to infringe just so that PKP could sue them! RSA pays $5,000, but PKP collects more, therefore it's a 'you hold em, and I'll hit em' thing, or so I guess they thought.) I believe this makes it clear we intend to sue no one for using RSAREF, and in fact defend users ALL THE WAY if someone else does. I think these are all for the better, and will engender trust in RSA's intentions with RSAREF, to support free PEM. --------------------------------------------------------------------- New RSAREF License (December 1992 version) ---------------------------------------------------------------------- RSA LABORATORIES PROGRAM LICENSE AGREEMENT RSA LABORATORIES, A DIVISION OF RSA DATA SECURITY, INC. ("RSA") GRANTS YOU A LICENSE AS FOLLOWS TO THE "RSAREF" PROGRAM: 1. LICENSE. RSA grants you a non-exclusive, non-transferable, perpetual (subject to the conditions of section 8) license for the "RSAREF" program (the "Program") and its associated documentation, subject to all of the following terms and conditions: a. to use the Program on any computer in your possession; b. to make copies of the Program for back-up purposes; c. to modify the Program in any manner for porting or performance improvement purposes (subject to Section 2) or to incorporate the Program into other computer programs for your own personal or internal use, provided that you provide RSA with a copy of any such modification or Application Program by electronic mail, and grant RSA a perpetual, royalty-free license to use and distribute such modifications and Application Programs on the terms set forth in this Agreement. d. to copy and distribute the Program and Application Programs in accordance with the limitations set forth in Section 2. "Application Programs" are programs which incorporate all or any portion of the Program in any form. The restrictions imposed on Application Programs in this Agreement shall not apply to any software which, through the mere aggregation on distribution media, is co-located or stored with the Program. 2. LIMITATIONS ON LICENSE. a. RSA owns the Program and its associated documentation and all copyrights therein. You may only use, copy, modify and distribute the Program as expressly provided for in this Agreement. You must reproduce and include this Agreement, RSA's copyright notices and disclaimer of warranty on any copy and its associated documentation. b. The Program and all Application Programs are to be used only for non-commercial purposes. However, media costs associated with the distribution of the Program or Application Programs may be recovered. c. The Program, if modified, must carry prominent notices stating that changes have been made, and the dates of any such changes. d. Prior permission from RSA is required for any modifications that access the Program through ways other than the published Program interface or for modifications to the Program interface. RSA will grant all reasonable requests for permission to make such modifications. 3. NO RSA OBLIGATION. You are solely responsible for all of your costs and expenses incurred in connection with the distribution of the Program or any Application Program hereunder, and RSA shall have no liability, obligation or responsibility therefor. RSA shall have no obligation to provide maintenance, support, upgrades or new releases to you or to any distributee of the Program or any Application Program. 4. NO WARRANTY OF PERFORMANCE. THE PROGRAM AND ITS ASSOCIATED DOCUMENTATION ARE LICENSED "AS IS" WITHOUT WARRANTY AS TO THEIR PERFORMANCE, MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE RESULTS AND PERFORMANCE OF THE PROGRAM IS ASSUMED BY YOU AND YOUR DISTRIBUTEES. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU AND YOUR DISTRIBUTEES (AND NOT RSA) ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 5. LIMITATION OF LIABILITY. EXCEPT AS EXPRESSLY PROVIDED FOR IN SECTION 6 HEREINUNDER, NEITHER RSA NOR ANY OTHER PERSON WHO HAS BEEN INVOLVED IN THE CREATION, PRODUCTION, OR DELIVERY OF THE PROGRAM SHALL BE LIABLE TO YOU OR TO ANY OTHER PERSON FOR ANY DIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF RSA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 6. PATENT INFRINGEMENT OBLIGATION. Subject to the limitations set forth below, RSA, at its own expense, shall: (i) defend, or at its option settle, any claim, suit or proceeding against you on the basis of infringement of any United States patent in the field of cryptography by the unmodified Program; and (ii) pay any final judgment or settlement entered against you on such issue in any such suit or proceeding defended by RSA. The obligations of RSA under this Section 6 are subject to: (i) RSA's having sole control of the defense of any such claim, suit or proceeding; (ii) your notifying RSA promptly in writing of each such claim, suit or proceeding and giving RSA authority to proceed as stated in this Section 6; and (iii) your giving RSA all information known to you relating to such claim, suit or proceeding and cooperating with RSA to defend any such claim, suit or proceeding. RSA shall have no obligation under this Section 6 with respect to any claim to the extent it is based upon (A) use of the Program as modified by any person other than RSA or use of any Application Program, where use of the unmodified Program would not constitute an infringement, or (B) use of the Program in a manner other than that permitted by this Agreement. THIS SECTION 6 SETS FORTH RSA'S ENTIRE OBLIGATION AND YOUR EXCLUSIVE REMEDIES CONCERNING CLAIMS FOR PROPRIETARY RIGHTS INFRINGEMENT. NOTE: Portions of the Program practice methods described in and subject to U.S. Patents Nos. 4,200,770, 4,218,582 and 4,405,829, and all foreign counterparts and equivalents, issued to Leland Stanford Jr. University and to Massachusetts Institute of Technology. Such patents are licensed to RSA by Public Key Partners of Sunnyvale, California, the holder of exclusive licensing rights. This Agreement does not grant or convey any interest whatsoever in such patents. 7. RSAREF is a non-commercial publication of cryptographic techniques. Portions of RSAREF have been published in the International Security Handbook and the August 1992 issue of Dr. Dobb's Journal. Privacy applications developed with RSAREF may be subject to export controls. If you are located in the United States and develop such applications, you are advised to consult with the State Department's Office of Defense Trade Controls. 8. TERM. The license granted hereunder is effective until terminated. You may terminate it at anytime by destroying the Program and its associated documentation. The termination of your license will not result in the termination of the licenses of any distributees who have received rights to the Program through you so long as they are in compliance with the provisions of this license. -----------------------------------------------------------------

1 0