Open Source Embedded SSL - Export Questions

2003-11-25 Thread J Harper
Hi All,

We've implemented a small version of SSL that we plan to release as open source by 
year's end.  I've seen some discussion on this group indicating that this would be 
useful in the embedded environments, given the current landscape of larger 
implementations such as OpenSSL (Crypto++, etc).  We developed this ourselves (using 
some of the crypto routines in Tom's libtomcrypt) as part of our Web services based 
device management software because we needed to keep our own footprint small, and I 
imagine there are others looking to do the same.

Once our code is released, we welcome feedback in terms of additional requirements, 
gotchas, etc. (and if you want to jump in now, that's fine too).  But before we can 
release, we need to understand the export issues (we're a US based company).  An 
overview of what we're developed for the first release:

SSLv3 protocol implementation
Simple ASN.1 parsing
Cipher suites:
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

We're not looking for official legal advice, just some pointers to current online 
resources of how to go about registering our product in the US.  I've seen posts that 
for SSL implementations you just need to send a letter to the government, but 
haven't come across an official government checklist and address.  We may be able to 
weaken the code down using the export ciphers, but I doubt end users will be 
interested in that level of encryption.  Plus, if we do have to limit key lengths, it 
seems a bit arbitrary with open source code, since users can simply change a few lines 
of code and have full strength crypto.  Are there any special provisions for source 
release (short of getting a tattoo, singing an mp3 or sending a model rocket over to 
Mexico - kidding, kidding)?

We'd appreciate feedback or pointers to documentation on the steps required for 
government registration and an approximate timeframe for the process.  On a different, 
but similar legal note, what current patent/trademark issues have people run across 
with the algorithms mentioned above?  RSA patents expired a few years ago and our ARC4 
implementation is not trademarked as far as I understand (although most books on the 
subject seem a bit squirrelly).  Open source crypto libraries include implementations 
of these and other disputed algorithms including DSS and ECC, so I'm wondering how 
they handled the situation.

Thanks,

J Harper
PeerSec Networks
http://www.peersec.com
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Cryptophone locks out snoopers

2003-11-25 Thread Ian Grigg
(link is very slow:)
http://theregister.co.uk/content/68/34096.html


Cryptophone locks out snoopers 
By electricnews.net
Posted: 20/11/2003 at 10:16 GMT


A German firm has launched a GSM mobile phone that
promises strong end-to-end encryption on calls,
preventing the possibility of anybody listening in. 

If you think that you'll soon be seeing this on the shelves
of your local mobile phone shop though, think again. For
a start, the Cryptophone sells for EUR1,799 per handset,
which puts it out of the reach of most buyers. Second,
the phone's maker, Berlin-based GSMK, say the phone
will not be sold off the shelf because of the measures
needed to ensure that the product received by the
customer is untampered with and secure. Buyers must
buy the phone direct from GSMK. 

According to GSMK, the new phone is designed to
counteract known measures used to intercept mobile
phone calls. While GSM networks are far more secure
than their analogue predecessors, there are ways and
means to circumvent security measures. 

The encryption in GSM is only used to protect the call
while it is in the air between the GSM base station and
the phone. During its entire route through the telephone
network, which may include other wireless links, the call
is not protected by encryption. Encryption on the GSM
network can also be broken. The equipment needed to do
this is extremely expensive and is said to be only
available to law enforcement agencies, but it has be
known to fall into the hands of criminal organisations. 

The Cryptophone is a very familiar-looking device, since
it is based around the same HTC smartphone that O2
used as its original XDA platform. The phone runs on a
heavily modified version of Microsoft Pocket PC 2002. 

GSMK says it is the only manufacturer of such devices
that has its source code publicly available for review. It
says this will prove that there are no back-doors in the
software, thus allaying the fears of the
security-conscious. Publication of the source code
doesn't compromise the phone's security, according to
GSMK. The Cryptophone is engineered in such a way
that the encryption key is only stored in the phone for the
duration of the call and securely erased immediately
afterwards. 

One drawback of the device is that it requires the
recipient of calls to also use a Cryptophone to ensure
security. GSMK does sell the device in pairs, but also
offers a free software download that allows any PC with
a modem to be used as a Cryptophone. 

GSMK says that the Cryptophone comples with German
and EU export law. This means the device can be sold
freely within the EU and a number of other states such
as the US, Japan and Australia. It cannot be sold to
customers within Afghanistan, Syria, Iraq, Iran, Libya
and North Korea. A number of other states are subject
to tight export controls and a special licence will have to
be obtained. 

© ElectricNews.Net

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]