riordanmr@clvax1.cl.msu.edu (Mark Riordan) (03/13/91)
Archive-name: security/crypt/spx/1991-03-12 Archive-directory: crl.dec.com:/pub/DEC/SPX/ [192.58.206.2] Original-posting-by: riordanmr@clvax1.cl.msu.edu (Mark Riordan) Original-subject: SPX: Public key software demo free from DEC Reposted-by: emv@ox.com (Edward Vielmetti) I got this message by sending an email request to: sphinx-request@dsmail.enet.dec.com Subject: Announcing SPX Availability Announcing the availablity of SPX Beta Release. SPX is an authentication service that enhances the security in open networks by using public key technology. SPX is distributed via anonymous FTP from crl.dec.com (address 192.58.206.2). The following files can be obtained in the /pub/DEC/SPX directory. SPX.v2.0-beta.tar.Z - SPX sources and documentation (without crypto algorithm sources) SPX.v2.0-doc.tar.Z - SPX documentation only SPX-README - SPX README notes kit-verifier.tar.Z - sources for kit verifier program SPX-FORMS - forms to obtain crypto algorithms Also, for DIGITAL internal distribution, the SPX kit can be ftp'd from crl, or copied from CRL::/pub/DEC/SPX. Recipients can be assured that they received a valid SPX kit from DIGITAL if the kit-verifier program returns the following checksum specified in the SPX-README file located on crl.dec.com in the /pub/DEC/SPX directory. kit's name checksum ---------- -------- SPX.v2.0-beta.tar.Z ee4e5c35d2d67653f82f873759f42f34 SPX Beta Release Overview o This version of SPX is for Beta test only. Caution: SPX is a prototype and should NOT be relied on to protect sensitive information. (Testing may find bugs which are potential security holes.) o This software is supplied "as is" with no warranty of any kind, expressed or implied, for any purpose, including any warranty of fitness or merchantibility. DIGITAL assumes no responsibility for the use or reliability of this software, nor promises to provid any form of support for it on any basis. o Distribution of this software is authorized only if no profit or remuneration of any kind is received in exchange for such distribution. o This software produces public key authentication certificates bearing an expiration date established by DIGITAL and RSA Data Security, Inc. It may cease to generate certificates after the expiration date. Any modification of this software that changes or defeats the expiration date or its effect is unauthorized. o SPX distribution recipients can register users and use the rtools. o SPX is working towards providing a common API interface with Kerberos. Discussions refining this interface, in conjunction with MIT/Project Athena, are in progress at this time. Users should be cautious about writing applications to SPX's API. As the API evolves, SPX users will be made aware of any changes through the SPX distribution list. o We expect to offer a new SPX version with bug fixes, and comments after Beta test. o Comments on how to improve the usability of SPX are welcome from users. A SPX mailing list has been created for discussions related to the deployment of SPX public key based authentication service. The mailing list is intended to cover a wide range of issues including : o Issues related to deployment of SPX, including technical issues, deployment status, availability, etc. o Issues related to protocol extensions, API issues, clarification of details, unpublished changes, etc. Please send contributions to the list at "sphinx@crl.dec.com". Administrative requests, e.g., additions to or deletions from the list, should be sent to "sphinx-request@crl.dec.com". If you have questions or comments, please send them by e-mail to "sphinx-info@crl.dec.com" or mail them to : SPX Distribution Digital Equipment Corporation 295 Foster Street, LTN1-1/G08 Littleton, MA 01460 Fax: (508) 486-6014 The SPX kit is split into two components: 1) the kit without the sources for DES and RSA crypto algorithms (publically available). 2) the sources for the DES and RSA crypto algorithms (Export controlled). However, the crypto sources will be distributed only to individuals who declare themselves as US citizens working in the US. Note that the kit is essentially useless without the crypto algorithms in either source or binary form. We are in the process of making arrangements for binary crypto distribution outside the US. SPX is intended to be portable software for UNIX (tm) TCP/IP platforms. Currently, we have ported SPX for ULTRIX VAX and MIPS platforms. You can request the crypto sources by filling out the attached form and returning it to us. The crypto algorithm source code is subject to U.S. export restrictions under the U.S. Department of State's International Traffic in Arms Regulations (22 CFR Subchapter M). -------------------------------------------------------------------------------- +---------------------------+ TM | | | | | | | | | d | i | g | i | t | a | l | M E M O R A N D U M | | | | | | | | +---------------------------+ Date: 11 March 1991 To: Requester From: Bruce Chase Loc.M/S: LTN1-1/G08 Phone: (508) 486-6011 E-Mail: chase@ultra.enet.dec.com SUBJECT: Request for SPX crypto algorithm source code Please provide the following information in order to be granted SPX crypto algorithm source code: Your full name: ________________________________ Nationality: ________________________________ Affiliation: ________________________________ Department: ________________________________ Address: ________________________________ ________________________________ ________________________________ ________________________________ Phone number: _(_____)________________________ E-Mail address: ________________________________ Following information is desired regarding your computing environment to assist us in supporting SPX. Number of networked systems: ________ Hardware platforms: ________________________________ ________________________________ Operating Systems: ________________________________ ________________________________ Network protocols: ________________________________ ________________________________ What network authentication service is presently being used? ________________________________ Please reply to this request by inserting the appropriate information. You may fax a hardcopy (with original to follow later by mail) of this request to the following address: SPX Distribution, Attn. Bruce Chase Digital Equipment Corporation 295 Foster Street, LTN1-1/G08 Littleton, MA 01460 Fax: (508) 486-6014 In the event you cannot be approved for receipt of the SPX crypto algorithm source code, you will be sent a rejection notification. If you are approved, you will be mailed a shell archive file with the SPX crypto sources. The information in the SPX crypto algorithm source code is subject to U.S. export restrictions under the U.S. Department of State's International Traffic in Arms Regulations (22 CFR Subchapter M). Access to the SPX crypto algorithm source code will be granted to you under the condition that you agree not to disclose information found in the crypto sources to people who are not authorized access to the information. Authorized access is granted only to those individuals who have completed the aforementioned form and been approved for receipt of the SPX crypto sources. This may be viewed as an individual source license which cannot be shared. This restriction does not apply to the base SPX code, only to the crypto algorithm sources. Also, SPX uses a patented RSA algorithm which is copyrighted in the source distribution. Access to SPX sources will be granted to you under the condition that you agree not to tamper with either the RSA algorithm or certification authority functions. By sending you the SPX crypto algorithm source code, Digital Equipment Corporation is not authorizing the Requestor to use the RSA algorithm in SPX beyond the indended use in the software. Print name: ________________________________ Signature: ________________________________ Date: ________________________________