[net.wanted.sources] Non-ATT 'crypt

geoff@suneast.uucp (Geoff Arnold) (12/04/85)

[line eater food]
Does anyone know of a version of 'crypt(3)' which doesn't contain
AT&T code, and is therefore not bound by U*ix licensing strictures?
Something less general (e.g. just password-size data blocks) would be
just fine.

-- 
#include <sys/disclaimer.h> /* co. lawyers: will this do? */
Geoff Arnold         * * * Quick:  617-863-8870 x136 (but ya gotta catch me!)
Sun Microsystems Inc.***** Slower: {hplabs,ihnp4,nsc,pyramid}!sun!suneast!geoff
East Coast Division. * * * Slowest:One Cranberry Hill, Lexington, MA 02173

avolio@decuac.UUCP (Frederick M. Avolio) (12/06/85)

In article <124@suneast.uucp>, geoff@suneast.uucp (Geoff Arnold) writes:
> [line eater food]
> Does anyone know of a version of 'crypt(3)' which doesn't contain
> AT&T code, and is therefore not bound by U*ix licensing strictures?

Let us be careful about posting something to a world-wide network that
might break State Department "rules."
-- 
Fred @ DEC Ultrix Applications Center    {decvax,seismo,cbosgd}!decuac!avolio

gnu@l5.uucp (John Gilmore) (12/07/85)

In article <717@decuac.UUCP>, avolio@decuac.UUCP (Frederick M. Avolio) writes:
> In article <124@suneast.uucp>, geoff@suneast.uucp (Geoff Arnold) writes:
> > Does anyone know of a version of 'crypt(3)' which doesn't contain
> > AT&T code, and is therefore not bound by U*ix licensing strictures?
> Let us be careful about posting something to a world-wide network that
> might break State Department "rules."
> -- 
> Fred @ DEC Ultrix Applications Center    {decvax,seismo,cbosgd}!decuac!avolio

It was DEC that got us into the whole domestic versus international
versions of Unix, because some wimp there would not request an export
license for some obsolete cryptographic code from the Commerce Dept
[yes, it's not the State Dept], and they got AT&T all tied up in the
mess.  Nobody since then has had the guts to even *ask* the govt for
the license.  Thanks for setting a precedent guys ... and thank *you*
Fred, for suggesting that easy code which implements a publicly-available
standard should be kept inside the US.  I'm sure that the spooks in the
big dark world out there can read the Federal Register if they want to
find out how to cook up a DES algorithm.  Jeez.

PS:  Armando, I'm not calling you a wimp, it was the DEC lawyers...

Don't believe me?  I've got proof...

From dmr@research.UUCP Mon Sep 17 22:15:46 1984
Newsgroups: net.crypt
Subject: export controls
Message-ID: <1041@research.UUCP>

As has been said, there is indeed a special "International Edition"
of System V that differs from the ordinary system in that it
lacks the crypt command, the encrypting features of ed and vi, and the
encrypt entry of crypt (3).  The crypt entry, which is used for
passwords, is there, as is the underlying DES algorithm.

Here's how it happened.

About a year ago, I got mail from Armando Stettner saying basically,
"Do you know of any problems with exporting crypt?  Our lawyers
[at DEC] are worried about it."  I replied that such worries were
utterly unfounded for a variety of sensible reasons.

Now, as it has turned out, DEC was very justified in worrying about
export controls in general; they have recently been fined (I think) $500,000
for the Vaxen that almost got sent to Russia.  I conjecture that
the earliest stages of this or a similar incident were already in progress
and they were trying to be extra careful when they learned about crypt.

At any rate, the DEC lawyers communicated their fears to AT&T,
and the AT&T lawyers, equally cautious, sought government advice.

The problem, you see, is that cryptographic materials are under export
control.  There is a thing called the Munitions Control Board that worries
not only about machine guns going to Libya, but also about the crypt
command going to England.  In practice, the enforcement is done by the
Commerce department.

AT&T had a meeting with Commerce, the MCB, and NSA.  The upshot was
that they decided it would be simplest all around just not to export
the crypt command.  The gov't would almost certainly have granted
the license, but (probably wisely) AT&T decided it wasn't worth
the hassle.

In technical terms, the situation is ludicrous. The encrypt subroutine
is distinguished mainly by the excruciating care I took to make it
an exact transcription of the algorithm published in the Federal Register,
and by its slowness.   NBS, the caretaker of DES standardization,
is explicit that software implementations cannot be certified, so in that
sense encrypt is not "real" DES.  The underlying subroutine is still
there, only the simple command that uses it is missing.  So there is
actually nothing to protect, and even if there were, it's not protected.
Nevertheless, in the present situation we officially don't need
an export license, whereas with the crypt command we would.

In political terms, AT&T probably could have done better.  Conservative
and careful, they called a big meeting at which no one could possibly
have put forward anything but official positions about encryption
programs.  Private checking with well-placed people in the appropriate
agencies might well have done the job.  But who knows?

		Dennis Ritchie

----

From ihnp4!cbosgd!clyde!watmath!utzoo!utcsri!hofbauer Sun Mar 31 20:28:31 1985
From: hofbauer@utcsri.UUCP (John Hofbauer)
Newsgroups: net.crypt
Subject: classification of crypt
Message-ID: <951@utcsri.UUCP>
Organization: CSRI, University of Toronto

The classification of crypt is ironic, especially in light of
the paper "File Security and the UNIX System Crypt Command" by
J.A. Reeds and P.J. Weinberger, BLTJ, vol. 63, no. 8, part 2,
October 1984, which states, according to its abstract, that
"sufficiently large files encrypted with crypt can be deciphered
in a few hours by algebraic techniques and human interaction.
We outline such a decryption method and show it to be applicable
to a proposed strengthened algorithm as well. We also discuss the
role of encryption in file security."

leif@erisun.UUCP (Leif Samuelsson) (12/11/85)

In article <717@decuac.UUCP> avolio@decuac.UUCP (Frederick M. Avolio) writes:
>Let us be careful about posting something to a world-wide network that
>might break State Department "rules."

As far as I know, our State Department has no "rules" concerning crypt
programs.

----
Leif Samuelsson				..enea!erix!erisun!leif
Ericsson Information Systems AB, Advanced Workstations Division
S-172 93  SUNDBYBERG, Sweden		(59 19' N / 17 57' E)

----------------------
!		     !
!	  |	     !
!		     !
! This is not a pipe !
----------------------

dpk@mcvax.UUCP (Doug Kingston) (12/21/85)

Worrying about exporting crypt(3) to Europe is an academic
exercise since it has been here ever since V7 was first released
(which was before they decided it was taboo).

-Doug-