RSA opens vault to crypto code

Facing a July 1 standards deadline, RSA Data Security publishes a description of its RC2 encryption algorithm that is key to its secure email.

Faced with a July 1 deadline from a leading Internet standards body, RSA Data Security today published a description of its RC2 encryption algorithm that is key to the company's brand of secure email.

The encryption firm hopes publishing the description will mollify the Internet Engineering Task Force, which told backers of S/MIME--a widely used method of encrypting email based on RSA's technology--to get moving by July 1 or fall off the standards track.

But RSA's gesture may not be enough. "The publication of RC2 is an important step, but only one," said Jeffrey I. Schiller, who oversees the IETF's security standards activity. The July 1 deadline was for S/MIME boosters to submit a charter for a "working group" on the protocol.

"A key condition for a successful charter in this area is for the necessary technology to be openly available," he said. That could be a barrier, since RSA still requires software developers to pay for an RC2 license--or develop their own code based on the description.

Another secure email protocol called PGP/MIME, from RSA rival Pretty Good Privacy, is well on its way to winning the IETF's endorsement as a standard for secure email.

"This is an important step in making S/MIME widely adopted," said RSA's Gary Kinghorn, director of product marketing. "For the first time, RSA is giving up any trade secret protection by showing how to do RC2, so others can do an implementation of RC2 without being worried that RSA is protecting its code."

"This surprised a lot of people in the industry," said Charles Breed, PGP's senior director of technical marketing. "It's obviously a step in the right direction for everybody." However, "what RSA has done is taken a tiny step forward, when they need to take a larger leap forward to make S/MIME a truly valid standard. It's still unproven."

Breed cited the need for wide deployment and interoperability, adding that even though RSA has published the description of RC2, software developers still must pay to license the algorithm from RSA or build their own from scratch.

The RC2 algorithm is flexible enough to use either 40-bit encryption, which can be sold outside the U.S. under current crypto export laws, or a far stronger 128-bit version for domestic use.

But RSA's publishing RC2 could lead to two different standards for secure email, meaning developers could choose between them or support both.

Now that RSA has published a description of its RC2 algorithm, software developers can scrutinize how RSA's cryptography works--whether it can be broken by crackers or has a "back door" so a government can grab a user's cryptographic keys. Since RC2 is a key component of S/MIME, publishing it boosts RSA's drive to have S/MIME blessed as a standard.

Although S/MIME has not been formally blessed as an IETF standard, many vendors already use it as the basis for their secure email products, including Netscape Communications in the email software of its Communicator 4.0 browser.

RSA is currently sponsoring interoperability tests and has certified eight email products, including software from Netscape, Frontier Technologies, ConnectSoft, Deming Software, Entrust Technologies, NEL, OpenSoft, and freeware Premail. Other companies, including Microsoft, are now undertaking testing of their own.
