A Cryptographic Toolkit for Privacy-Enhanced Mail
(A division of RSA Data Security, Inc.)
January 5, 1993
This document copyright (C) 1992 RSA Laboratories, a division of RSA
Data Security, Inc. License is granted to reproduce, copy, post, or
distribute in any manner, provided this document is kept intact and
no modifications, deletions, or additions are made.
WHAT IS IT?
RSAREF is a cryptographic toolkit designed to facilitate rapid
deployment of Internet Privacy-Enhanced Mail (PEM) implementations.
RSAREF represents the fruits of RSA Data Security's commitment to the
U.S. Department of Defense's Advanced Research Projects Agency
(DARPA) to provide free cryptographic source code in support of a PEM
standard. RSA Laboratories offers RSAREF in expectation of PEM's
forthcoming publication as an Internet standard.
Part of RSA's commitment to DARPA was to authorize Trusted Information
Systems of Glenwood, MD, to distribute a full PEM implementation. That
implementation will be available this spring.
RSAREF supports the following PEM-specified algorithms:
o RSA encryption and key generation, as defined by RSA
Laboratories' Public-Key Cryptography Standards (PKCS)
o MD2 and MD5 message digests
o DES (Data Encryption Standard) in cipher-block chaining mode
RSAREF is written in the C programming language as a library that can
be called from an application program. A simple PEM implementation
can be built directly on top of RSAREF, together with message parsing
and formatting routines and certificate-management routines. RSAREF
is distributed with a demonstration program that shows how one might
build such an implementation.
The name "RSAREF" means "RSA reference." RSA Laboratories intends
RSAREF to serve as a portable, educational, reference implementation
WHAT YOU CAN (AND CANNOT) DO WITH RSAREF
The license at the end of this note gives legal terms and conditions.
Here's the layman's interpretation, for information only and with no
1. You can use RSAREF in personal, non-commercial applications,
as long as you follow the interface described in the RSAREF
documentation. You can't use RSAREF in any commercial
(moneymaking) manner of any type, nor can you use it to
provide services of any kind to any other party. For
information on commercial licenses of RSAREF-compatible
products, please contact RSA Data Security. (Special
arrangements are available for educational institutions and
2. You can give others RSAREF and programs that interface to
RSAREF, under the same terms and conditions as your RSAREF
3. You can modify RSAREF as required to port it to other
operating systems and compilers, as long as you give a copy
of the results to RSA Laboratories. Other changes require
4. You can't send RSAREF outside the United States or Canada, or
give it to anyone who is not a U.S. or Canadian citizen and
doesn't have a U.S. "green card." (These are U.S. State and
Commerce Department requirements, because RSA and DES are
HOW TO GET IT
To obtain RSAREF, read the license at the end of the note and return a
copy of the following paragraph by electronic mail to
I acknowledge that I have read the RSAREF Program License
Agreement and understand and agree to be bound by its terms and
conditions, including without limitation its restrictions on
foreign reshipment of the Program and information related to the
Program. The electronic mail address to which I am requesting
that the program be transmitted is located in the United States
of America or Canada and I am a United States citizen, a Canadian
citizen, or a permanent resident of the United States. The RSAREF
Program License Agreement is the complete and exclusive agreement
between RSA Laboratories and me relating to the Program, and
supersedes any proposal or prior agreement, oral or written, and
any other communications between RSA Laboratories and me relating
to the Program.
RSAREF is distributed by electronic mail in UNIX(TM) "uuencoded" TAR
format. When you receive it, store the contents of the message in a
file, and run your operating system's "uudecode" and TAR programs.
For example, suppose you store the contents of your message in the
file 'contents'. You would run the commands:
uudecode contents # produces rsaref.tar
tar -xvf rsaref.tar
RSAREF includes about 60 files organized into the following
doc documentation on RSAREF and RDEMO
install makefiles for various operating systems
rdemo RDEMO demonstration program
source RSAREF source code and include files
test test scripts for RDEMO
RSAREF is also available via anonymous FTP to 'rsa.com'. Along with
RSAREF you can get RIPEM, Mark Riordan's RSAREF-based privacy-enhanced
mail application, and an Emacs command interface to RIPEM. See the
file 'README' in the FTP directory 'rsaref' for more information.
RSA Laboratories maintains the electronic-mail users' group
<firstname.lastname@example.org> for discussion of RSAREF applications, bug
fixes, etc. To join the users' group, send electronic mail to
RSAREF users who register with RSA Laboratories are entitled to free
RSAREF upgrades and bug fixes as soon as they become available and a
50% discount on selected RSA Data Security products. To register,
send your name, address, and telephone number to
RSA Laboratories will award cash prizes for the best applications
built on RSAREF. If you'd like to submit an application, want to be
on the review panel, or would like more details, please send
electronic mail to <email@example.com>. Applications are due
December 31, 1992, and awards will be announced March 31, 1993. First
prize is $5000, second prize is $2000, and there are five prizes of
RSA Data Security offers public-key certification services conforming
to forthcoming PEM standards. For more information, please send
electronic mail to <firstname.lastname@example.org>.
PKCS: PUBLIC-KEY CRYPTOGRAPHY STANDARDS
To obtain copies of RSA Laboratories' Public-Key Cryptography
Standards (PKCS), send electronic mail to <email@example.com>.
If you have questions on RSAREF software, licenses, export
restrictions, or other RSA Laboratories offerings, send electronic
mail to <firstname.lastname@example.org>.
RSAREF was written by the staff of RSA Laboratories with assistance
from RSA Data Security's software engineers. The DES code is based on
an implementation that Justin Reyneri did at Stanford University. Jim
Hwang of Stanford wrote parts of the arithmetic code under contract
to RSA Laboratories.
ABOUT RSA LABORATORIES
RSA Laboratories is the research and development division of RSA Data
Security, Inc., the company founded by the inventors of the RSA
public-key cryptosystem. RSA Laboratories reviews, designs and
implements secure and efficient cryptosystems of all kinds. Its
clients include government agencies, telecommunications companies,
computer manufacturers, software developers, cable TV broadcasters,
interactive video manufacturers, and satellite broadcast companies,
RSA Laboratories draws upon the talents of the following people:
Len Adleman, distinguished associate - Ph.D., University of
California, Berkeley; Henry Salvatori professor of computer
science at University of Southern California; co-inventor of
RSA public-key cryptosystem; co-founder of RSA Data Security, Inc.
Taher Elgamal, senior associate - Ph.D., Stanford University;
director of engineering at RSA Data Security, Inc.; inventor of
Elgamal public-key cryptosystem based on discrete logarithms
Martin Hellman, distinguished associate - Ph.D., Stanford University;
professor of electrical engineering at Stanford University;
co-inventor of public-key cryptography, exponential key exchange;
IEEE fellow; IEEE Centennial Medal recipient
Burt Kaliski, chief scientist - Ph.D., MIT; former visiting assistant
professor at Rochester Institute of Technology; author of Public-Key
Cryptography Standards; general chair of CRYPTO '91
Cetin Koc, associate - Ph.D., University of California, Santa
Barbara; assistant professor at University of Houston
Ron Rivest, distinguished associate - Ph.D., Stanford University;
professor of computer science, MIT; co-inventor of RSA public-key
cryptosystem; co-founder of RSA Data Security, Inc.; member of
National Academy of Engineering; director of International
Association for Cryptologic Research; program co-chair of ASIACRYPT
RSA Laboratories seeks the talents of other people as well. If you're
interested, please write or call.
RSA Laboratories RSA Data Security, Inc.
100 Marine Parkway 100 Marine Parkway
Redwood City, CA 94065 Redwood City, CA 94065
(415) 595-7703 (415) 595-8782
(415) 595-4126 (fax) (415) 595-1873 (fax)
PKCS, RSAREF and RSA Laboratories are trademarks of RSA Data
Security, Inc. All other company names and trademarks are not.
PROGRAM LICENSE AGREEMENT
RSA LABORATORIES, A DIVISION OF RSA DATA SECURITY, INC. ("RSA")
GRANTS YOU A LICENSE AS FOLLOWS TO THE "RSAREF" PROGRAM:
1. LICENSE. RSA grants you a non-exclusive, non-transferable,
perpetual (subject to the conditions of section 8) license
for the "RSAREF" program (the "Program") and its associated
documentation, subject to all of the following terms and
a. to use the Program on any computer in your possession;
b. to make copies of the Program for back-up purposes;
c. to modify the Program in any manner for porting or
performance improvement purposes (subject to Section 2)
or to incorporate the Program into other computer programs
for your own personal or internal use, provided that you
provide RSA with a copy of any such modification or
Application Program by electronic mail, and grant RSA
a perpetual, royalty-free license to use and distribute
such modifications and Application Programs on the terms
set forth in this Agreement.
d. to copy and distribute the Program and Application Programs
in accordance with the limitations set forth in Section 2.
"Application Programs" are programs which incorporate all or any
portion of the Program in any form. The restrictions imposed on
Application Programs in this Agreement shall not apply to any software
which, through the mere aggregation on distribution media, is
co-located or stored with the Program.
2. LIMITATIONS ON LICENSE.
a. RSA owns the Program and its associated documentation and
all copyrights therein. You may only use, copy, modify and
distribute the Program as expressly provided for in this
Agreement. You must reproduce and include this Agreement,
RSA's copyright notices and disclaimer of warranty on any
copy and its associated documentation.
b. The Program and all Application Programs are to be used only
for non-commercial purposes. However, media costs associated
with the distribution of the Program or Application Programs
may be recovered.
c. The Program, if modified, must carry prominent notices
stating that changes have been made, and the dates of any
d. Prior permission from RSA is required for
any modifications that access the Program through ways
other than the published Program interface or for
modifications to the Program interface. RSA will grant
all reasonable requests for permission to make such
3. NO RSA OBLIGATION. You are solely responsible for all of your
costs and expenses incurred in connection with the distribution
of the Program or any Application Program hereunder, and RSA
shall have no liability, obligation or responsibility therefor.
RSA shall have no obligation to provide maintenance, support,
upgrades or new releases to you or to any distributee of the
Program or any Application Program.
4. NO WARRANTY OF PERFORMANCE. THE PROGRAM AND ITS ASSOCIATED
DOCUMENTATION ARE LICENSED "AS IS" WITHOUT WARRANTY AS TO THEIR
PERFORMANCE, MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE RESULTS AND PERFORMANCE OF
THE PROGRAM IS ASSUMED BY YOU AND YOUR DISTRIBUTEES. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU AND YOUR DISTRIBUTEES (AND NOT RSA)
ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR OR
5. LIMITATION OF LIABILITY. EXCEPT AS EXPRESSLY PROVIDED FOR IN
SECTION 6 HEREINUNDER, NEITHER RSA NOR ANY OTHER PERSON WHO HAS
BEEN INVOLVED IN THE CREATION, PRODUCTION, OR DELIVERY OF THE
PROGRAM SHALL BE LIABLE TO YOU OR TO ANY OTHER PERSON FOR ANY
DIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF RSA HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
6. PATENT INFRINGEMENT OBLIGATION. Subject to the limitations set
forth below, RSA, at its own expense, shall: (i) defend, or at
its option settle, any claim, suit or proceeding against you on
the basis of infringement of any United States patent in the
field of cryptography by the unmodified Program; and (ii) pay
any final judgment or settlement entered against you on such
issue in any such suit or proceeding defended by RSA. The
obligations of RSA under this Section 6 are subject to:
(i) RSA's having sole control of the defense of any such claim,
suit or proceeding; (ii) your notifying RSA promptly in writing
of each such claim, suit or proceeding and giving RSA authority
to proceed as stated in this Section 6; and (iii) your giving
RSA all information known to you relating to such claim,
suit or proceeding and cooperating with RSA to defend any such
claim, suit or proceeding. RSA shall have no obligation under
this Section 6 with respect to any claim to the extent it is
based upon (A) use of the Program as modified by any person
other than RSA or use of any Application Program, where use
of the unmodified Program would not constitute an infringement,
or (B) use of the Program in a manner other than that permitted
by this Agreement. THIS SECTION 6 SETS FORTH RSA'S ENTIRE
OBLIGATION AND YOUR EXCLUSIVE REMEDIES CONCERNING CLAIMS FOR
PROPRIETARY RIGHTS INFRINGEMENT.
NOTE: Portions of the Program practice methods described in and
subject to U.S. Patents Nos. 4,200,770, 4,218,582 and 4,405,829,
and all foreign counterparts and equivalents, issued to Leland
Stanford Jr. University and to Massachusetts Institute of
Technology. Such patents are licensed to RSA by Public Key
Partners of Sunnyvale, California, the holder of exclusive
licensing rights. This Agreement does not grant or convey any
interest whatsoever in such patents.
7. RSAREF is a non-commercial publication of cryptographic
techniques. Portions of RSAREF have been published in the
International Security Handbook and the August 1992 issue of Dr.
Dobb's Journal. Privacy applications developed with RSAREF may be
subject to export controls. If you are located in the United States
and develop such applications, you are advised to consult with the
State Department's Office of Defense Trade Controls.
8. TERM. The license granted hereunder is effective until
terminated. You may terminate it at anytime by destroying
the Program and its associated documentation. The termination
of your license will not result in the termination of the
licenses of any distributees who have received rights to the
Program through you so long as they are in compliance with
the provisions of this license.
a. This Agreement shall be governed by the laws of the State of
b. Address all correspondence regarding this license to RSA's
electronic mail address <email@example.com>, or
ATTN: RSAREF Administrator
100 Marine Parkway, Suite 500
Redwood City, CA 94065