RSA Security Inc. pre-empted a number of celebration parties by unexpectedly releasing the widely used RSA public-key encryption algorithm into the public domain ahead of this week’s expiration of the patent on the algorithm.
The move, like the patent expiration, will allow security vendors and others to use the algorithm at no charge, without a license from RSA Security. Analysts said this would result in more secure applications, especially among smaller firms that couldn’t afford the fees.
In fact, one of RSA’s biggest competitors, Baltimore Technologies PLC in Dublin, said it will now give away a repackaged version of its developer tool kit that it said it was prohibited from marketing in the United States due to RSA Security’s licensing agreements. The company previously charged up to $20,000 for the tools.
David Thompson, an analyst at Meta Group Inc., said having the algorithm in the public domain would allow for uniform cryptographic standards.
“Longer term, increased availability of cryptographic functionality will allow easier and less expensive integration of PKI [public-key infrastructure] security services into applications and thus help overcome a major stumbling block,” he said.
The RSA algorithm has become an encryption standard for many e-commerce security applications. The patent for it was issued to MIT on Sept. 20, 1983, and licensed exclusively to RSA Security. It would have expired on Wednesday, but RSA released its claim on the patent earlier this month. The company, which will still sell its BSAFE cryptographic software, said it released the patent early to counter any “misinformation” regarding its expiration, according to a statement.
Meanwhile, despite the fresh start, some critics last week continued to lament the hold the patent had on the security market for the past 17 years.
“Over the past two decades, the RSA patent and other public-key patents did more to suppress the deployment of public-key cryptography than the [National Security Agency],” said Phil Zimmerman, inventor of personal cryptography product Pretty Good Privacy (PGP). “Now at last, we can breathe freely and implement our own code.”
RSA spokesman Steve Casey noted that more than 800 customers have licensed the algorithm to develop more than 1,000 applications, including Microsoft Windows, Lotus Notes and Cisco Systems Inc. routers, and to protect trillions of transactions. “The RSA algorithm has created a de facto standard, and I find it hard to reconcile that fact with suggestions that we have somehow chilled the development of the market,” said Casey.
Casey also denied that RSA Security’s licensing terms kept companies from using the algorithm to develop their own innovative implementations.
“You can’t fault the company for protecting its intellectual property and taking steps to set terms for its licensing agreements. If the terms were so onerous for people, it is hard to reconcile those statements with the fact that it is a de facto standard and there are half a billion copies sold,” he said.
Del Torto, a founding employee at Santa Clara, Calif.-based PGP Security Inc., said that because the RSA algorithm was developed using government funds and published in a scientific journal, it should never have been patented. (Casey said that because of the government funding, the patent didn’t apply to government implementations.) But Torto said the patent drove people to develop better algorithms and spurred the creation of PGP.
Torto, speaking at a forum sponsored by the San Francisco-based Electronic Frontier Foundation, added that the ubiquity of the RSA algorithm and its longevity would ensure that it continues to be used. It’s not necessarily better than newer algorithms, he said, but it is trusted.
Whitfield Diffie, an engineer at Sun Microsystems Inc., is best known for his 1975 discovery of the concept of public-key cryptography. He said that despite some problems, RSA Security “gave pretty good value for the money” by organizing a standards organization of licensees, among other achievements. “We are better off having someone who has an interest in the technology and goes hawking it as opposed to just making it available,” said Diffie.
Baltimore Technologies Inc., a major competitor to RSA Security, said it will give away a version of its Keytools developer tool kit, which until now has cost developers $10,000 to $20,000.
The end of RSA Security’s hold on the algorithm means that Baltimore can produce and sell in the U.S. developer tool kits that use the RSA algorithm without having to obtain a license. Baltimore customers include IBM, Hewlett-Packard Co. and Sun.
Giving away Keytools will encourage the development of secure applications – and nudge developers to later use Baltimore’s PKI and open standard security infrastructure with exposed application programming interfaces, said Andrew Morbitver, a vice president of marketing for Baltimore’s U.S. operation.
Baltimore’s free tool kit is a limited version of KeyTools Lite and KeyTools Pro that includes all the essential elements needed to connect to a PKI, including cryptographic and digital certificate support, certificate request and retrieval from a Certificate Authority, Lightweight Directory Access Protocol directory support and certificate revocation checking.