Stefan Arentz <stefan.arentz@soze.com> wrote:
[...] I do not want to buy a complete BSAFE license. It is too expensive and I only need RC4.
This is apparently a common misconception -- at least it keeps popping up among people discussing WAP, SSL, CDPD, and PPTP-compatible products, even IEEE-compatible embedded systems -- so (in the spirit of All Souls Day) I thought to double back and post a correction here. Boo!

If your business plan (or your boss, or your investors, or your customers, etc.) requires, or makes it useful and valuable, for your firm to license RSA-branded RC4 implementation code -- as opposed to using one of the many copyleft "ARC4" implementations in wide circulation -- you should ask RSA for a quote on an RC4 license for your intended app. <shriek> RSA licenses RC4 code separately, upon request. Always has, AFAIK.

(RC4 is, of course, MIT Professor Ron Rivest's widely trusted, widely adopted, de facto standardized, variable key-length stream cipher. "RC" was initially only Rivest's personal designation for a crypto project in development, as in "Ron's Code." The best known Rivest ciphers are RC2, RC4, RC5, and RC6.)

(RC4 was reverse engineered and anonymously published on the Net in September 1994. The same thing subsequently happened to RC2. RSA Security, the company Rivest co-founded to market the RSA public key cryptosystem and his other cryptographic wares, later chose to patent RC5 and RC6. Patents for crypto remain controversial, at least on the Net.)

The idea of paying to use a cryptosystem -- and particularly Rivest's RC4 -- is scary, heretical, and painful to some... but others reportedly find RSA's BSAFE implementation code stable and dependable, and RSA's prices and T&Cs reasonable and flexible. YMMV, but RSA does a huge business selling "high assurance" code to OEMs and other firms seeking to implement various crypto protocols and both proprietary and public ciphersuites. See: <http://www.rsasecurity.com/standards/protocols/protocols_table.html>

Trick or treat?
Apparently, even among IT professionals, it is necessary <sigh> to occasionally announce that RSA does NOT require an OEM or an enterprise customer to license all the BSAFE ciphers and protocols -- there are, mind you, eight distinct and specialized BSAFE crypto toolkits from RSA -- when all a poor Developer wants is RC4.

Such is the depth of the FUD piled up around RC4 -- like tinder and faggots stacked at the feet of a condemned witch no one hates enough to burn. Goblins, gallows, and gibbets, oh yeah!

(All Hallows Eve is celebrated in the US as Halloween, an annual children's festival held after dark on the last day of October. Children who participate are urged to distinguish between horrors that are real and unreal. The participation of adults in the rituals, unfortunately, is frowned upon.)

RC4 has become doubly famous as "the cipher none dare name." Clank, rattle, clink in the Crypt. Oh yeah!

While many can now copy the robust simplicity of Rivest's RC4 logic -- and ARC4 ("Apparently RC4") code is widely deployed -- RSA still claims and defends its registered "RC4" trademark (and the copyright on its BSAFE implementation code). Which is, of course, why RSA-branded RC4 code is still so often bought and sold. <shrieks & screams>

Personally, I don't think that is demonic or even undeserved -- but then, I'm biased. I've been a consultant to RSA for years. (And I'm a wicca'd man at heart. I think the poor witches got a bad rap from all the jealous priests.)

Happy Halloween,

_Vin

Vin McLellan * The Privacy Guild * Chelsea, MA USA