Appendix E - RSA patent issues

 

By Kurt Seifried, [email protected], Copyright Kurt Seifried


RSA is one of the cornerstones of modern cryptography. Numerous protocols use RSA, one of the most widespread being SSL (Secure Sockets Layer), the de facto standard for encryption of WWW traffic and, to a lesser degree, of protocols such as POP and IMAP (among others). Unfortunately RSA is patented in the USA (until Sept 20th, 2000), which results in a variety of restrictions and issues. You cannot use RSA without a license. For things such as web browsers this is not a problem, as Netscape/Microsoft/etc. have licensed RSA components; for server software, however, you typically have to pay for SSL-enabled services (such as secure web servers).

There is, however, an implementation of RSA called RSAREF (RSA Reference), which has several problems: you cannot develop it, you can only make bug fixes, so speed-wise it lags well behind other RSA implementations, and it has had a number of serious security problems (which have since been fixed). RSAREF can be used for free, but not in any situation in which you charge for access to the service using RSAREF. That is perfectly reasonable, until you consider institutions such as universities. Universities charge tuition to students, and a portion of this goes to paying for network services, so legally speaking universities cannot use RSAREF (although several do, and some, like columbia.edu, have gone so far as to create encryption software for use on campus). US businesses are mostly in the clear for internal operations, since there are typically no fees associated with access; for e-commerce servers, however, and for services that ISPs and other network providers provide, you cannot legally use RSAREF. The RSA company is also quite zealous about protecting their patents, so if they find a business using RSA or RSAREF improperly (i.e. it has not paid for it when it should have), they will go after it. Before using RSAREF, please consult a lawyer.

The good news (as stated before) is that the patent should expire in September of 2000, and that outside the US using RSAREF/etc. is perfectly legal.

 

 

 
