Mailing List Archive


Back to the month index Back to the list index
Brian Candler (B.Candler@pobox.com)
Mon, 27 Jan 1997 11:08:23 +0000 (GMT) 

From: Brian Candler <B.Candler@pobox.com>
Message-Id: <199701271108.LAA00372@gazebo.candler.co.uk>
Subject: Re: [mSQL] How to secure the server?
Date: Mon, 27 Jan 1997 11:08:23 +0000 (GMT)

> > Kerberos is not suitable because of the export restrictions. It isn't even
> > legal for Bambi to have a copy of Kerberos (that's the theory anyway). A
> > system based on RSA would be more preferable because the RSA code while not
> > exportable (from the US) has an excellent implementation outside the US.
>
> Hi
>
> You seem to be familiar with law and encryption matter.

Hmm, I'm not sure he is. You need to be very precise about the difference
between an _algorithm_ (e.g. RSA, IDEA) and an _implementation_ (e.g. PGP)

There is no reason why Kerberos could not be used outside the U.S., if
someone outside the U.S. wrote a 'clean room' implementation from scratch. I
have a vague idea it has been done already, but I'm not sure.

Limitations on _implementations_ (pieces of software) are as follows:

- No secure crypto code can be exported from the U.S.
- Normal software copyright

Limitations on _algorithms_ are as follows:

- RSA: subject to patents only in the U.S. (since they published before
  applying. In most places, once something is published you can't apply
  for a patent. In the U.S. you are allowed up to one year to apply)

  So in the U.S. you need a licence from the patent holders to use RSA,
  but not elsewhere.
  Note that in the U.S. there is a source module called RSAREF which is
  licenced for free, non-commercial use; this is what is linked into the
  U.S. version of PGP. But you can't export it, so outside the U.S. you
  just have to write your own implementation of RSA (which is what the
  International version of PGP does)

- DES: unrestricted. However its small 56-bit key means it is now
  considered past its useful life.

- IDEA: subject to worldwide patents but free for non-commercial use.
  128-bit key and no weaknesses yet found.

For both RSA and IDEA, the licence fees for commercial use are very
reasonable.

> I have a question for you, I am building a client-server system that
> needs encryption.
> The client is an home made Visual Basic program, the server
> application is a CGI running through the web server.
> I need to send some encrypted data between the two parts, but the
> server is in USA and the client will be distibuted all around the
> world.
>
> What solutions could I use to achieve the objective without beeing out of
> US laws ?
>
> RSA, PGP, whatelse ?

RSA is not a piece of software, it is an algorithm.

PGP is probably not very well suited to your needs because it is for sending
of files (like E-mail messages) rather than streams. But if you are able to
batch up all your data into a block, encrypt, and send the block, it would
be fine. PGP uses RSA for key encryption and IDEA for data encryption.

At the USA side:
  - If it is non-commercial, use the U.S. freeware version of PGP
  - If it is commercial, you need to buy the commercial version of PGP

Outside the USA:
  - Use the International freeware version of PGP
  - If it is a commercial application, buy a (very cheap) IDEA licence.
    Details are supplied with the PGP source code.

However it sounds to me that what you really want is ssh. With ssh, you set
up what is effectively a secure telnet session between two hosts; then you
can "tunnel" other TCP/IP sessions through it. It uses RSA for key exchange
and authentication, and either IDEA or DES for data encryption.

There is a free international version of ssh on ftp.cs.hut.fi, and for info
on commercial versions (including Windoze 95 clients) see
http://www.datafellows.com

Secure Sockets Layer (SSL) may be another solution to your problem, but I
don't have any information on this. You could also look at the Netscape
Commerce Server, but the 40-bit keys for export versions of clients are
laughably insecure.

Regards,

Brian Candler.

P.S. Remember it is illegal to _use_ cryptography in certain countries (e.g.
France)
--------------------------------------------------------------------------
To remove yourself from the Mini SQL mailing list send a message containing
"unsubscribe" to "unsubscribe" to msql-list-request@bunyip.com. Send a message containing
"info msql-list" to majordomo@bunyip.com for info on monthly archives of
the list. For more help, mail owner-msql-list@bunyip.com NOT the msql-list!