Will Expiration of RSA's Patent Unencumber SSL/PGP?

petej asks: "Big companies with valuable patents usually don't put all their eggs in one basket. It's common practice to build a "patent fence" around the main patent, so that when the main one expires, the others preserve the company's hegemony on their technology. When the main RSA patent expires next year, will there be any other RSA patents that might cover and encumber PGP or OpenSSL? Will we really have a freely available SSL toolkit in OpenSSL, or will we still be forced to buy an RSA license because of some other patent?"

Re:174 (at least) RSA based patents! whew!

After a quick browse through, most of these look irrelevant to basic use of RSA in PGP. However a few are very irritating, like the 1995 patent on timestamping. The abstract describes it like this: send a hash of your document to a timestamp authority, and they add the current time and sign it with their private key. Prevent cheating either by using a sequenced chain of timestamps or by basing your selection of timestamp authorities on the document hash. Gosh, who woulda thunk it?

Patents on crypto algorithms don't bother me that much, but when they start patenting the kinds of ideas that I think up when I'm driving I get pretty pissed.

Re:Thought I would share this

Perhaps I'm nit picking... But please be careful. Our laws regarding encryption exports are not *AT ALL* the same as the US Laws. If something is produced in the us, and is under US export control, then we recognize that and place the same controls on it. This is the price we pay for getting easy access to it. (US export restrictions don't apply to Canada) If it's developed anywhere else, in Canada or otherwise, we can do whatever we want. (nearly) If it's in the public domain, there are absolutely no permits or anything required. If it's a business venture, there are export permits necessary.. but this is no different than those necessary for any other export.

RSADSI has a few other patents

Aside from the Diffie-Hellman and RSA patents, they also hold the Hellman-Merkle patent and the Schnorr patent. These will not expire until later, in the case of the Schnorr patent in 2009 or so. Incidentally, RSADSI has repeatedly claimed that algorithms like ElGamal are covered under the "Merkle knapsacks" patent, so it is not true that (packages such as) GPG are undisputably patent-free.

The Schnorr patent covers some of the knowledge-proof protocols that are used when using public-key crypto systems for contractual things
(I think... it's been a while since I've read the literature =) so it's still an issue when cryptography is used to enforce standards of behavior and such. It might also have an impact on things that Free Software projects are planning in the future.

Lotsa lawyers

[dmiller]

RSADSI is a big company who depends heavily on the RSA algorithm for their revenue. You can bet that they have scores of lawyers who will try to intimidate anyone who tries to use the RSA algorithm after expiry.

They would probably not win any case that made it to court, but that is enough to scare many smaller companies into purchasing a license. Most of the larger companies already have licenses.

PGP (2.x at least) still uses the IDEA algorithm which is patented by Ascom Systec of Switzerland, so it is not totally free.

GnuPG does not use any patented algorithms and is a much better product anyway. There also exist plug-in RSA implementations which allow it be backwards compatible with PGP 2.x.

RSA open, RC ciphers copyrighted, BSAFE closed

[drig]

The RSA cipher and any uses of it will open whn the patent expires. This means that US citizens will finally be able to use the RSA implementation in SSLeay/OpenSSL, or roll their own.

The RC ciphers, RC2, RC4 and RC5, are copyrighted. The names are trademarked. This means that you can not use RSA's code, or the names RC[245], without RSA's permissions. But, you can use AAILRC5EFTN, An Algorithm Incredibally Like RC5 Except For The Name. Basically, RC5 (or 2 or 4), but named different.

BSAFE, now known as Crypto-C, is a product of RSA's, just like any other software product. You will still need to buy it if you want to use it.

RSA's strategy is to move upwards in the food chain, while continuing to promote Crypto-C as the best of breed. They are making PKI toolkits now. PKI toolkits give developers the ability to handle authentication, do work with certificates, and do other, Public Key stuff that relates to Infrastructures. OpenCA would mimic one portion of RSA's Keon offering.

Crypto-C will now be sold a little differently. Instead of "you have to pay us anyway, why not just buy the toolkit", it's now "this is the absolute best crypto toolkit and you should buy it". And they have a point. Crypto-C is highly optimized for all sorts of platforms, has been continually reviewed for security by RSA Labs, has been ported to a huge number of platforms,is easy to work with, and generally an all-around righteous toolkit.

Most /. readers won't want to buy Crypto-C. It's enormously expensive. RSA can now focus on selling to huge companies and not twiddling around, suing the little guy. Frankly, I think the patent expiring will be the best thing for the company since Bidzos joined the board.

The important patent was the Diffie Hellman patent

[daw]

Really, the important patent was the patent on Diffie-Hellman key exchange, since this was the first public key algorithm. Since it has already expired, it's already possible to build totally free SSL/PGP workalikes without any patented code. You just need to add a free symmetric key cryptosystem like Blowfish or triple DES.

RSA, RSADSI, and SSL

[gbroiles]

First, don't forget (if you ever knew) that Netscape (now AOL) holds a patent on SSL itself. In the past, Netscape's policy was to freely license the patent to anyone who agreed not to dispute its validity, but I don't know if that's AOL's current policy, or if they'll change that in the future. There are also 14 patents which reference the SSL patent.

With respect to RSA (the company)'s control over RSA (the algorithm) it will, indeed, end on 9/20/2000 - but that means one thing to open source developers, and something else to developers who are using BSAFE or one of RSA's other toolkits.

For several years now, RSA has been very, very reluctant to issue a bare patent license for the RSA algorithm. What they will cheerfully do is give you a license to use the patent, so long as you also use their (licensed) object libraries which implement the code. This leads to continued control over the market after 9/20/2000 in two ways: by forcing licensees to recompile using other crypto libraries, since the libraries themselves are still covered by copyright even after the patent expires; and by limiting the number of competitive libraries and programmers with experience writing/using those libraries, since it hasn't been legal (in the US) to create them.

Consequently, developers who have been using RSA-licensed proprietary object code thus far will likely continue to use it (and to pay royalties to RSA) even after the patent expires. Developers who have been using open source libraries like SSLeay and OpenSSL will be well-positioned to take advantage of the expiry. The two lead programmers on the SSLeay project, Tim Hudson and Eric Young, have been RSA employees for about a year now, so updates to the package won't come from them. (See http://www.cryptsoft.com/~eeay/ for more on that.)

174 (at least) RSA based patents! whew!

[doogieh]

The RSA patent is referenced by 174 newer patents. That means that (at least) 174 other people have similar "inventions", some real, some questionable, which directly use the RSA algorithm. Here it is.

The problem is that its hard to tell what uses of RSA are actually covered by these newer patents. It doesn't matter whether the use is "obvious" to us, it's just impossible to tell what uses are covered without going through everything. Translation: RSA will be available soon, but it's use for almost anything commercial/useful will still be independently patentable.

You would think...

[Hobbex]

Personally I have always been rather surprised that the field of crypography is so littered with patents everywhere. You would think that near genius crypographers like R and S would be the first to realize that the flows and uses of information can only truly to controlled by mathematics - and that attempts to do so by law, straight in the face of the very nature of information, are not only futile but ultimetly very harmful.

It is thankful that there are also people like Schneier in the field.

-
/. is like a steer's horns, a point here, a point there and a lot of bull in between.

Thought I would share this

[Alban]

I work at a company that does telecom products. Our lawyers did a lot of research on the RSA patent. Some of you may already know this, but some of you might not:

RSA
---

RSA is protected by a US patent. Everyone knows this. However, the patent only applies to the US, which does NOT include Canada (some people think the RSA patent also applies to Canada since our crypto laws are identical). So if you are not an american company, you can sell your product WITH RSA all over the world except in the US.

In the US I would suggest using DSA instead of RSA. Works very well. The only problem is that you will have trouble finding certificate authorities that support DSA (Verisign, GTE Cybertrust, etc... only support RSA certs). You might want to check these:

http://www.equifax.com : they are supposed to have DSA support.

http://www.arcanvs.com : they already support DSA certs.

http://www.thawte.com : they support DSA certs BUT they are signed by an intermediate DSA issuing cert that in turn is signed by an RSA cert. So it doens't really work if you have to avoid using RSA. BUT, if enough people e-mail the president of Thawte and say they would like DSA certs they might provide support earlier... By the way, the president (Mark Shuttleworth) answers e-mails in less then a day and he knows more then just sales figures...

Also, Thawte has the greatest test facility among all CAs out there! Just go in the "test" section on their web page. You can test everything, RSA certs, DSA certs, PKCS7 chains, etc.

RC4
---

RC4 is not patented, but it is copyrighted. Not the algorithm, but its implementation. However, as we all know the algorithm was leaked some years ago and today it is considered public knowledge since you can find it in any book. So you can use the algorithm FREE anywhere in the world if you make your own implementation without basing your work on an implementation that was done by RSADSI. You also have to rename the algorithm. You can't use the name "RC4". But you can use "AV4" for instance.

If you are not using RSA then you might want to forget about RC4 because there are not SSL Ciphersuites that combine DSA (the RSA alternative) and RC4.

MD2
---

We also did some research on that (our lawyers actually) and you can actually use the name MD2 (unlike RC4) and use the alg. free if you can write an implementation independantly of any implementation done by RSADSI or the implementation found in the RFC.

I don't know about MD5 because we used a library that gave us the right to use MD5...