So what does the publication of the reverse engineering of RC4 mean legally? AT&T claimed trade secret and copyright protection over code that was pretty well known in the BSDI case... Can RC4 still be construed as a trade secret or proprietary to RSADS and Bizdos or are, as I understand from previous messages, we free to use RC4 now (ignoring the submarine patent issue)?
Can RC4 still be construed as a trade secret or proprietary to RSADS and Bizdos or are, as I understand from previous messages, we free to use RC4 now (ignoring the submarine patent issue)?

A trade secret is just that, a secret. For parties unrelated to the holder of the secret, once it's no longer a secret, it's not a secret, and the former holder of the secret has no protection at all. In other words, if you're not, say, a BSAFE licensee, you are free to use the alleged RC4 algorithm.

Let me repeat. If you've never made an agreement with RSADSI about not distributing their trade secrets, RSADSI has _no_ claim against you about the trade secret. (I don't know if the name "RC4" is trademarked.)

Note the use of the word 'unrelated' in the sentence above. The situation is hazier there. Both licensees and agents (including employees) of the holder of the secret are liable for damages if they breach the trust of the secret holder by revealing the secret. This liability, however, does _not_ make the secret any less revealed. The former holder can sue for damages, assuming there's someone to sue and the damages can be ascertained.

If you're the user of a product which includes RC4, like Lotus Notes, for example, the agreement between Lotus and RSADSI about protection of trade secrets doesn't apply to you, assuming you don't work for Lotus or RSADSI. You weren't a party to the agreement, and its terms don't directly affect third parties. You made a (shrink-wrap) agreement with Lotus, not RSADSI.

Eric
A trade secret is just that, a secret. For parties unrelated to the holder of the secret, once it's no longer a secret, it's not a secret, and the former holder of the secret has no protection at all. In other words, if you're not, say, a BSAFE licensee, you are free to use the alleged RC4 algorithm.
This was my understanding *before* the recent jury decision in the Microsoft vs Stac Electronics countersuit. When Stac sued Microsoft for infringing their patents on disk compression, Microsoft countersued Stac for trade secret infringement for having reverse-engineered some hidden system calls in MS-DOS. Not only did the jury uphold Stac's bogus software patent, but they also found in favor of Microsoft on their ridiculous trade secret accusation!

Needless to say, this creates a very troubling precedent. Now you can apparently infringe a trade secret merely by examining fully public information (e.g., commercially available object code.)

Phil
Phil Karn says:
A trade secret is just that, a secret. For parties unrelated to the holder of the secret, once it's no longer a secret, it's not a secret, and the former holder of the secret has no protection at all. In other words, if you're not, say, a BSAFE licensee, you are free to use the alleged RC4 algorithm.
This was my understanding *before* the recent jury decision in the Microsoft vs Stac Electronics countersuit. [...] Microsoft countersued Stac for trade secret infringement for having reverse-engineered some hidden system calls in MS-DOS. [...] the jury found in favor of Microsoft on their ridiculous trade secret accusation!
Ah, but that does make some sense. You see, Stac bought MS-DOS from Microsoft, and had to adhere to Microsoft's shrink wrap agreement. They broke the agreement they made with Microsoft when they bought the software.

The person that reverse engineered RC4 obviously broke the rules and can be sued by RSA -- if anyone can ever figure out who he is. On the other hand, *I* have never signed an agreement with RSA... and I doubt that you have...

Perry
Ah, but that does make some sense. You see, Stac bought MS-DOS from Microsoft, and had to adhere to Microsoft's shrink wrap agreement.

Whether or not a shrink wrap agreement is valid is a further issue here as well. Taking something apart that lots of people have is, or at least should be, a fair use.

Eric
"Patrick G. Bridges" <bridges@cs.arizona.edu> writes: So what does the publication of the reverse engineering of RC4 mean legally?
Does the answer to this question depend on whether it really was reverse engineered, or is a direct lift from the original source code?

Jim Gillogly
Sterday, 24 Halimath S.R. 1994, 06:43
Does the answer to this question depend on whether it really was reverse engineered, or is a direct lift from the original source code?

It does not matter to disinterested parties, like the average cypherpunk.

If it was reverse engineered, there may be a claim by the seller of the software against the licensee for breaching a "no reverse engineering" clause. In this case RSADSI is not a party to the action because the reversing engineer did not make an agreement with RSADSI concerning trade secrets. Any disinterested party is also not subject to this action, because they made no agreement with anybody involved. It's possible that RSADSI and, say, Lotus have an indemnification agreement in the case of reverse engineering, but that only affects the distribution of resources between those two companies.

If it was lifted from source code, then RSADSI has a claim of malfeasance against theft of trade secrets. This doesn't reverse the fact that it's no longer a secret, but rather allows RSADSI to sue for the damages caused by the revelation of the secret. RSADSI can only sue the person who revealed the secret, not just anybody who possesses it.

It's also possible that there might be a claim against the party to whom the secret was directly divulged, were there some conspiracy to steal trade secrets. That situation does not seem to apply here.

In all of the above, be mindful that anybody can file a lawsuit and claim anything at all, and if it sounds official the gullible might believe that even the most farcical claims have merit.

Eric
On Wed, 14 Sep 1994, Patrick G. Bridges wrote:
Can RC4 still be construed as a trade secret or proprietary to RSADS and Bizdos or are, as I understand from previous messages, we free to use RC4 now (ignoring the submarine patent issue)?
I just checked the Cryptography Today FAQ from rsa.com and found precious little clues in the section about RC2 and RC4, except for the following:

"RC2 and RC4 are proprietary algorithms of RSA Data Security, Inc.; details have not been published" (sic)

They claim that RC4 is 10 or more times as fast as DES. Has anyone done any speed trials against libdes yet?

Regards,

- Andy

+-------------------------------------------------------------------------+
| Andrew Brown  Internet <asb@nexor.co.uk>  Telephone +44 115 952 0585    |
| PGP 2.6ui fingerprint: EC 80 9C 96 54 63 CC 97 FF 7D C5 69 0B 55 23 63  |
+-------------------------------------------------------------------------+
Andrew Brown says:
They claim that RC4 is 10 or more times as fast as DES. Has anyone done any speed trials against libdes yet?
John Ioannidis, playing with the posted code, claims to have gotten 24mbps out of it, on a machine where a carefully tuned version of Phil Karn's DES code gets 2mbps.

Perry
participants (6)
- Andrew Brown
- hughes@ah.com
- Jim Gillogly
- Patrick G. Bridges
- Perry E. Metzger
- Phil Karn