RC2 code published... finally (CNET coverage)

   RSA opens vault to crypto code
   By Tim Clark
   June 27, 1997, 4:30 p.m. PT
   
   Faced with a July 1 deadline from a leading Internet standards body,
   RSA Data Security today published a description of its RC2 encryption
   algorithm that is key to the company's brand of secure email.
   
   The encryption firm hopes publishing the description will mollify the
   Internet Engineering Task Force, which told backers of S/MIME--a
   widely used method of encrypting email based on RSA's technology--to
   get moving by July 1 or fall off the standards track.
   
   But RSA's gesture may not be enough. "The publication of RC2 is an
   important step, but only one," said Jeffrey I. Schiller, who oversees
   the IETF's security standards activity. The July 1 deadline was for
   S/MIME boosters to submit a charter for a "working group" on the
   protocol.
   
   "A key condition for a successful charter in this area is for the
   necessary technology to be openly available," he said. That could be a
   barrier, since RSA still requires software developers to pay for an RC2
   license--or develop their own code based on the description.
   
   Another secure email protocol called PGP/MIME, from RSA rival Pretty
   Good Privacy, is well on its way to winning the IETF's endorsement as
   a standard for secure email.
   
   "This is an important step in making S/MIME widely adopted," said
   RSA's Gary Kinghorn, director of product marketing. "For the first
   time, RSA is giving up any trade secret protection by showing how to
   do RC2, so others can do an implementation of RC2 without being
   worried that RSA is protecting its code."
   
   "This surprised a lot of people in the industry," said Charles Breed,
   PGP's senior director of technical marketing. "It's obviously a step
   in the right direction for everybody." However, "what RSA has done is
   taken a tiny step forward, when they need to take a larger leap
   forward to make S/MIME a truly valid standard. It's still unproven."
   
   Breed cited the need for wide deployment and interoperability, adding
   that even though RSA has published the description of RC2, software
   developers still must pay to license the algorithm from RSA or build
   their own from scratch.
   
   The RC2 algorithm is flexible enough to use either 40-bit encryption,
   which can be sold outside the U.S. under current crypto export laws,
   or a far stronger 128-bit version for domestic use.
   
   But RSA's publishing RC2 could lead to two different standards for
   secure email, meaning developers could choose between them or support
   both.
   
   Because RSA has published a description of its RC2 algorithms, software
   developers can scrutinize how RSA's cryptography works--whether it can be broken
   by crackers or has a "back door" so a government can grab a user's
   cryptographic keys. Since RC2 is a key component of S/MIME, publishing
   it boosts RSA's drive to have S/MIME blessed as a standard.
   
   Although S/MIME has not been formally blessed as an IETF standard,
   many vendors already use it as the basis for their secure email
   products, including Netscape Communications in the email software of
   its Communicator 4.0 browser.
   
   RSA is currently sponsoring interoperability tests and has certified
   eight email products, including software from Netscape, Frontier
   Technologies, ConnectSoft, Deming Software, Entrust Technologies, NEL,
   OpenSoft, and freeware Premail. Other companies, including Microsoft,
   are now undertaking testing of their own.
   
   Copyright ©1995-97 CNET, Inc. All rights reserved.