DDJ article on RC4

Anonymous nobody at jpunix.com
Fri Dec 23 22:22:13 PST 1994


Putting the Genie Back in the Bottle

What had all the earmarkings of a major-league food fight sure didn't take
long to dry up and blow away.  Triggering the flap was an internet posting
of source code that implemented the RC4 algorithm, an act that knocked on
all kinds of legal doors - trade secrets, Internet-host liabilities, reverse
engineering, shrink-wrap licensing, export control.  You name it.
   The problem is that RC4, the block-cipher encryption algorithm at the
heart of RSA Data Security cryptography, is protected as a trade secret.
But some on the net say the online posting let the genie out of the bottle -
RC4 was made public and available for anyone to use, RSA's claims
notwithstanding.  RSA counters that the company used trade-secret law
simply to protect its intellectual property, and there's never really been
any "secret" about the algorithm.  Anyone willing to sign a nondisclosure
agreement acknowledging RC4's trade-secret status could have ready access to
the reference and source code.  Among companies which have licensed
RC4-based tools from RSA are Microsoft, Novell, Apple, and Lotus, all of
which distribute RC4-based binary files in shrink-wrapped applications.
   You can imagine the furor when an unidentified person (or persons) used
an anonymous remailer to post worldwide - first to a cryptographer mailing
list, then to a newsgroup - source code that was supposedly RC4.  Subsequent
testing by programmers and cryptographers confirmed that the code was indeed
compatible with "real" RSA RC4 code.  RSA Data Security responded by calling
in everyone from the U.S. Customs Service to the Federal Bureau of
Investigation.  In a strongly worded warning on the net, RSA said it
considered the posting "a violation of law ... [and] ... a gross abuse of
the Internet."
   If the person(s) who posted the source code had in fact signed an RSA
nondisclosure agreement, the issue seems pretty clear-cut.  They broke the
law, not to mention RSA's trust.  If, as some claim and RSA disputes, the
code was reverse-engineered from object files in off-the-shelf software,
then the law was probably broken - unless RSA and other vendors decide to
test the strength of highly questionable and likely unenforceable
shrink-wrap licenses that try to prohibit disassembly/decompilation.  Of
course, it just might be that some cryptographer derived the algorithm after
examining the key, plaintext, and ciphertext.  And there's even the chance,
albeit unlikely, that a dumpster diver ran across discarded copies in RSA's
corporate wastebasket.
   Questions concerning the legal status of copyrighted material that's made
freely available (illicitly or otherwise) on the Internet also have to be
tackled.  Can Internet hosts be held accountable for an anonymous postings
of protected material?  And don't forget, RC4 isn't just any software - it's
ENCRYPTION software.  Is posting such software online worldwide the same as
exporting it?  If so, the State Department might have a thing or two to say.
The end result is that RC4 code is available on ftp sites worldwide, ready
and waiting for you to use it.  But if you grab it off the net, can you use
it without RSA's permission?  For the time being, the answer probably
depends on which lawyer you ask.
   Speculation aside, the RC4 controversy explains why many developers are
protecting their intellectual property with patents instead of copyrights.
Gray areas like RC4 would be black and white if RC4 had been patented.  But
then patenting would also mean that RC4 would have been public in the first
place.
   The immediate impact may be on RC5, the next-generation version of RC4,
which Ron Rivest describes in this issue.  In part because of the RC4
controversy, Ron and RSA Data Security are considering patenting RC5, a
departure from their original plans.  At one point, RC5 code and reference
was to be distributed free-of-charge for noncommercial use.  Small
businesses could license the material for $500, and large businesses, for
$1000.  All proceeds were to go to RSA Labs - not RSA's bottom line - to
fund further R&D.  This could still happen even if RSA patents RC5, but the
licensing fees would be higher to offset the patent costs.
   Likewise, there could be some repercussion in terms of exporting
RC4-based systems.  For the past couple of years, vendors have been allowed
to export software that uses RC4 short-key encryption.  The State Department
could change this since RC4 is no longer secret.
   As for the multitude of legal questions, nothing concrete will
immediately come of the RC4 brouhaha, unless those responsible for posting
the code are identified.  Existing RC4-based systems weren't compromised and
may have benefited, since we can now see that system backdoors don't exist.
   What we're left with are more questions, fewer answers, and the suspicion
that one of these days a big shoe is going to fall on software and
intellectual-property rights - one that won't make anyone completely happy.


                                      Johnathan Erickson
                                      editor-in-chief







More information about the cypherpunks-legacy mailing list