RSAREF(TM): A Cryptographic Toolkit for Privacy-Enhanced Mail RSA Laboratories (A division of RSA Data Security, Inc.) January 5, 1993 This document copyright (C) 1992 RSA Laboratories, a division of RSA Data Security, Inc. License is granted to reproduce, copy, post, or distribute in any manner, provided this document is kept intact and no modifications, deletions, or additions are made. WHAT IS IT? RSAREF is a cryptographic toolkit designed to facilitate rapid deployment of Internet Privacy-Enhanced Mail (PEM) implementations. RSAREF represents the fruits of RSA Data Security's commitment to the U.S. Department of Defense's Advanced Research Projects Agency (DARPA) to provide free cryptographic source code in support of a PEM standard. RSA Laboratories offers RSAREF in expectation of PEM's forthcoming publication as an Internet standard. Part of RSA's commitment to DARPA was to authorize Trusted Information Systems of Glenwood, MD, to distribute a full PEM implementation. That implementation will be available this spring. RSAREF supports the following PEM-specified algorithms: o RSA encryption and key generation, as defined by RSA Laboratories' Public-Key Cryptography Standards (PKCS) o MD2 and MD5 message digests o DES (Data Encryption Standard) in cipher-block chaining mode RSAREF is written in the C programming language as a library that can be called from an application program. A simple PEM implementation can be built directly on top of RSAREF, together with message parsing and formatting routines and certificate-management routines. RSAREF is distributed with a demonstration program that shows how one might build such an implementation. The name "RSAREF" means "RSA reference." RSA Laboratories intends RSAREF to serve as a portable, educational, reference implementation of cryptography. WHAT YOU CAN (AND CANNOT) DO WITH RSAREF The license at the end of this note gives legal terms and conditions. Here's the layman's interpretation, for information only and with no legal weight: 1. You can use RSAREF in personal, non-commercial applications, as long as you follow the interface described in the RSAREF documentation. You can't use RSAREF in any commercial (moneymaking) manner of any type, nor can you use it to provide services of any kind to any other party. For information on commercial licenses of RSAREF-compatible products, please contact RSA Data Security. (Special arrangements are available for educational institutions and non-profit organizations.) 2. You can give others RSAREF and programs that interface to RSAREF, under the same terms and conditions as your RSAREF license. 3. You can modify RSAREF as required to port it to other operating systems and compilers, as long as you give a copy of the results to RSA Laboratories. Other changes require written consent. 4. You can't send RSAREF outside the United States or Canada, or give it to anyone who is not a U.S. or Canadian citizen and doesn't have a U.S. "green card." (These are U.S. State and Commerce Department requirements, because RSA and DES are export-controlled technologies.) HOW TO GET IT To obtain RSAREF, read the license at the end of the note and return a copy of the following paragraph by electronic mail to : I acknowledge that I have read the RSAREF Program License Agreement and understand and agree to be bound by its terms and conditions, including without limitation its restrictions on foreign reshipment of the Program and information related to the Program. The electronic mail address to which I am requesting that the program be transmitted is located in the United States of America or Canada and I am a United States citizen, a Canadian citizen, or a permanent resident of the United States. The RSAREF Program License Agreement is the complete and exclusive agreement between RSA Laboratories and me relating to the Program, and supersedes any proposal or prior agreement, oral or written, and any other communications between RSA Laboratories and me relating to the Program. RSAREF is distributed by electronic mail in UNIX(TM) "uuencoded" TAR format. When you receive it, store the contents of the message in a file, and run your operating system's "uudecode" and TAR programs. For example, suppose you store the contents of your message in the file 'contents'. You would run the commands: uudecode contents # produces rsaref.tar tar -xvf rsaref.tar RSAREF includes about 60 files organized into the following subdirectories: doc documentation on RSAREF and RDEMO install makefiles for various operating systems rdemo RDEMO demonstration program source RSAREF source code and include files test test scripts for RDEMO RSAREF is also available via anonymous FTP to 'rsa.com'. Along with RSAREF you can get RIPEM, Mark Riordan's RSAREF-based privacy-enhanced mail application, and an Emacs command interface to RIPEM. See the file 'README' in the FTP directory 'rsaref' for more information. USERS' GROUP RSA Laboratories maintains the electronic-mail users' group for discussion of RSAREF applications, bug fixes, etc. To join the users' group, send electronic mail to . REGISTRATION RSAREF users who register with RSA Laboratories are entitled to free RSAREF upgrades and bug fixes as soon as they become available and a 50% discount on selected RSA Data Security products. To register, send your name, address, and telephone number to . INNOVATION PRIZES RSA Laboratories will award cash prizes for the best applications built on RSAREF. If you'd like to submit an application, want to be on the review panel, or would like more details, please send electronic mail to . Applications are due December 31, 1992, and awards will be announced March 31, 1993. First prize is $5000, second prize is $2000, and there are five prizes of $1000. PUBLIC-KEY CERTIFICATION RSA Data Security offers public-key certification services conforming to forthcoming PEM standards. For more information, please send electronic mail to . PKCS: PUBLIC-KEY CRYPTOGRAPHY STANDARDS To obtain copies of RSA Laboratories' Public-Key Cryptography Standards (PKCS), send electronic mail to . OTHER QUESTIONS If you have questions on RSAREF software, licenses, export restrictions, or other RSA Laboratories offerings, send electronic mail to . AUTHORS RSAREF was written by the staff of RSA Laboratories with assistance from RSA Data Security's software engineers. The DES code is based on an implementation that Justin Reyneri did at Stanford University. Jim Hwang of Stanford wrote parts of the arithmetic code under contract to RSA Laboratories. ABOUT RSA LABORATORIES RSA Laboratories is the research and development division of RSA Data Security, Inc., the company founded by the inventors of the RSA public-key cryptosystem. RSA Laboratories reviews, designs and implements secure and efficient cryptosystems of all kinds. Its clients include government agencies, telecommunications companies, computer manufacturers, software developers, cable TV broadcasters, interactive video manufacturers, and satellite broadcast companies, among others. RSA Laboratories draws upon the talents of the following people: Len Adleman, distinguished associate - Ph.D., University of California, Berkeley; Henry Salvatori professor of computer science at University of Southern California; co-inventor of RSA public-key cryptosystem; co-founder of RSA Data Security, Inc. Taher Elgamal, senior associate - Ph.D., Stanford University; director of engineering at RSA Data Security, Inc.; inventor of Elgamal public-key cryptosystem based on discrete logarithms Martin Hellman, distinguished associate - Ph.D., Stanford University; professor of electrical engineering at Stanford University; co-inventor of public-key cryptography, exponential key exchange; IEEE fellow; IEEE Centennial Medal recipient Burt Kaliski, chief scientist - Ph.D., MIT; former visiting assistant professor at Rochester Institute of Technology; author of Public-Key Cryptography Standards; general chair of CRYPTO '91 Cetin Koc, associate - Ph.D., University of California, Santa Barbara; assistant professor at University of Houston Ron Rivest, distinguished associate - Ph.D., Stanford University; professor of computer science, MIT; co-inventor of RSA public-key cryptosystem; co-founder of RSA Data Security, Inc.; member of National Academy of Engineering; director of International Association for Cryptologic Research; program co-chair of ASIACRYPT '91 RSA Laboratories seeks the talents of other people as well. If you're interested, please write or call. ADDRESSES RSA Laboratories RSA Data Security, Inc. 100 Marine Parkway 100 Marine Parkway Redwood City, CA 94065 Redwood City, CA 94065 (415) 595-7703 (415) 595-8782 (415) 595-4126 (fax) (415) 595-1873 (fax) PKCS, RSAREF and RSA Laboratories are trademarks of RSA Data Security, Inc. All other company names and trademarks are not. ---------------------------------------------------------------------- RSA LABORATORIES PROGRAM LICENSE AGREEMENT RSA LABORATORIES, A DIVISION OF RSA DATA SECURITY, INC. ("RSA") GRANTS YOU A LICENSE AS FOLLOWS TO THE "RSAREF" PROGRAM: 1. LICENSE. RSA grants you a non-exclusive, non-transferable, perpetual (subject to the conditions of section 8) license for the "RSAREF" program (the "Program") and its associated documentation, subject to all of the following terms and conditions: a. to use the Program on any computer in your possession; b. to make copies of the Program for back-up purposes; c. to modify the Program in any manner for porting or performance improvement purposes (subject to Section 2) or to incorporate the Program into other computer programs for your own personal or internal use, provided that you provide RSA with a copy of any such modification or Application Program by electronic mail, and grant RSA a perpetual, royalty-free license to use and distribute such modifications and Application Programs on the terms set forth in this Agreement. d. to copy and distribute the Program and Application Programs in accordance with the limitations set forth in Section 2. "Application Programs" are programs which incorporate all or any portion of the Program in any form. The restrictions imposed on Application Programs in this Agreement shall not apply to any software which, through the mere aggregation on distribution media, is co-located or stored with the Program. 2. LIMITATIONS ON LICENSE. a. RSA owns the Program and its associated documentation and all copyrights therein. You may only use, copy, modify and distribute the Program as expressly provided for in this Agreement. You must reproduce and include this Agreement, RSA's copyright notices and disclaimer of warranty on any copy and its associated documentation. b. The Program and all Application Programs are to be used only for non-commercial purposes. However, media costs associated with the distribution of the Program or Application Programs may be recovered. c. The Program, if modified, must carry prominent notices stating that changes have been made, and the dates of any such changes. d. Prior permission from RSA is required for any modifications that access the Program through ways other than the published Program interface or for modifications to the Program interface. RSA will grant all reasonable requests for permission to make such modifications. 3. NO RSA OBLIGATION. You are solely responsible for all of your costs and expenses incurred in connection with the distribution of the Program or any Application Program hereunder, and RSA shall have no liability, obligation or responsibility therefor. RSA shall have no obligation to provide maintenance, support, upgrades or new releases to you or to any distributee of the Program or any Application Program. 4. NO WARRANTY OF PERFORMANCE. THE PROGRAM AND ITS ASSOCIATED DOCUMENTATION ARE LICENSED "AS IS" WITHOUT WARRANTY AS TO THEIR PERFORMANCE, MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE RESULTS AND PERFORMANCE OF THE PROGRAM IS ASSUMED BY YOU AND YOUR DISTRIBUTEES. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU AND YOUR DISTRIBUTEES (AND NOT RSA) ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 5. LIMITATION OF LIABILITY. EXCEPT AS EXPRESSLY PROVIDED FOR IN SECTION 6 HEREINUNDER, NEITHER RSA NOR ANY OTHER PERSON WHO HAS BEEN INVOLVED IN THE CREATION, PRODUCTION, OR DELIVERY OF THE PROGRAM SHALL BE LIABLE TO YOU OR TO ANY OTHER PERSON FOR ANY DIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF RSA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 6. PATENT INFRINGEMENT OBLIGATION. Subject to the limitations set forth below, RSA, at its own expense, shall: (i) defend, or at its option settle, any claim, suit or proceeding against you on the basis of infringement of any United States patent in the field of cryptography by the unmodified Program; and (ii) pay any final judgment or settlement entered against you on such issue in any such suit or proceeding defended by RSA. The obligations of RSA under this Section 6 are subject to: (i) RSA's having sole control of the defense of any such claim, suit or proceeding; (ii) your notifying RSA promptly in writing of each such claim, suit or proceeding and giving RSA authority to proceed as stated in this Section 6; and (iii) your giving RSA all information known to you relating to such claim, suit or proceeding and cooperating with RSA to defend any such claim, suit or proceeding. RSA shall have no obligation under this Section 6 with respect to any claim to the extent it is based upon (A) use of the Program as modified by any person other than RSA or use of any Application Program, where use of the unmodified Program would not constitute an infringement, or (B) use of the Program in a manner other than that permitted by this Agreement. THIS SECTION 6 SETS FORTH RSA'S ENTIRE OBLIGATION AND YOUR EXCLUSIVE REMEDIES CONCERNING CLAIMS FOR PROPRIETARY RIGHTS INFRINGEMENT. NOTE: Portions of the Program practice methods described in and subject to U.S. Patents Nos. 4,200,770, 4,218,582 and 4,405,829, and all foreign counterparts and equivalents, issued to Leland Stanford Jr. University and to Massachusetts Institute of Technology. Such patents are licensed to RSA by Public Key Partners of Sunnyvale, California, the holder of exclusive licensing rights. This Agreement does not grant or convey any interest whatsoever in such patents. 7. RSAREF is a non-commercial publication of cryptographic techniques. Portions of RSAREF have been published in the International Security Handbook and the August 1992 issue of Dr. Dobb's Journal. Privacy applications developed with RSAREF may be subject to export controls. If you are located in the United States and develop such applications, you are advised to consult with the State Department's Office of Defense Trade Controls. 8. TERM. The license granted hereunder is effective until terminated. You may terminate it at anytime by destroying the Program and its associated documentation. The termination of your license will not result in the termination of the licenses of any distributees who have received rights to the Program through you so long as they are in compliance with the provisions of this license. 9. GENERAL a. This Agreement shall be governed by the laws of the State of California. b. Address all correspondence regarding this license to RSA's electronic mail address , or to RSA Laboratories ATTN: RSAREF Administrator 100 Marine Parkway, Suite 500 Redwood City, CA 94065