Published on Linux DevCenter

by David Sims

You've got to hand it to RSA Security's marketing team: By releasing its license on the RSA encryption algorithm three weeks before the patent expires, it changed the tone of the story. RSA didn't lose out on something: It gave it up willingly, into the public domain.

The end of the patent means that companies who want to use the RSA encryption algorithm in the United States no longer have to license it from the firm, RSA Security. The patent hasn't extended to products sold outside the United States, because the algorithm was published in 1977 before the Massachusetts Institute of Technology applied for its patent. (See section on History, on page two.)

The fact that RSA released it two weeks early means that the company wanted to take advantage of "a giant P.R. opportunity," according to Forrester Research senior analyst Frank Prince.

"I mean, why not? It's taking something that was going to happen, and it's taking advantage of a chance to make something out of it."

Observers were unimpressed. Simson Garfinkel, who wrote about the origins of RSA in his 1995 book, "PGP: Pretty Good Privacy" (O'Reilly & Associates), wrote, "By releasing the patent three weeks early, they changed the news story to that they were releasing it into the public domain. If they wanted to make a difference, they should have released it ten years ago."

The end of the licensing

As for what it means to the revenue streams of RSA Security and other encryption companies, analyst Prince said the end of the patent means "nothing and nothing."

"Patents have a 17-year life, so this comes as no surprise to RSA," Prince said. "A few years ago, they started rebuilding their business so that licensing the algorithms was a very small part of the revenue."

Although competing firms could distribute products using RSA outside the United States, Prince says very few firms have gone that route, since the United States makes up such a large part of the international cryptography market.

In some ways, the end of the patent puts RSA in a situation like businesses that rely on open source software: the jewel at the center of their product offerings is free. But the company's revenue model is based on

As a poster known as "Cardinal Biggles" noted on Slashdot:

"Patents grant an exclusive right to exploit an invention, in exchange for the publication of the way it works. What expires about RSA in two weeks is that exclusive right, not any form of secrecy. So 'public' is used in two ways here: the way RSA works always has been public. The right to use it hasn't been, but will now become, public."

On the next page, we'll talk briefly about the origins of the RSA algorithm and its patent.

History of RSA

The key breakthrough in the RSA encryption was that it allowed for encryption in a multi-user environment. In other words, there didn't need to be any active participation between the person encrypting the data and the person (or people) decrypting it at the other end.

According to Simson Garfinkel's "PGP: Pretty Good Privacy" (O'Reilly & Associates), the algorithm came out of work by Ronald Rivest, Adi Shamir, and Len Adleman (the initials of their last names spell RSA) at MIT's Laboratory for Computer Science in 1976-77.

The group had been inspired by earlier work at Stanford University by Whitfield Diffie and Martin Hellman, who were pursuing multi-user cryptographic techniques. Diffie and Hellman had demonstrated a methodology that would let two people with public keys exchange a third, secret key that would allow encrypted communication.

Garfinkel writes that Rivest was struck by the idea while nursing a headache on a couch. Rivest devised the system based on the notion that it is easy to multiply two large prime numbers to create an even larger number, but hard to start with the big number and find the prime factors. Encrypted communication relies on each party having a public key and a secret key. By obtaining someone's public key, it's possible to independently agree upon a formula that lets you exchange encrypted information.

Before they could present the system, however, Rivest was contacted by an employee of the National Security Administration, who warned him that if he presented the cryptography scheme at an upcoming conference, he risked violating the 1954 Munitions Control Act. The act prohibited exporting knowledge about cryptography, and since foreign nationals would be at the conference where he was scheduled to present, he could well be exporting prohibited encryption technology. MIT was able to resolve that issue with the NSA, which later said that the employee who contacted Rivest was acting on his own.

MIT decided to patent the algorithm, but because it had been published before the patent was applied for, it couldn't get foreign rights to it. This is the source of the ongoing split between having to license it for US products and not having to license it for foreign products. MIT received the patent on September 20, 1983, and granted an exclusive license to the company, RSA Security.

Now, with the patent expired and the algorithm in the public domain, we can expect to see more open source and public domain programs like PuTTY, Simon Tatham's telnet and SSH client for Windows users. Or, at the very least, expect to see them operating legally in the United States, for the first time.

David Sims was the editorial director of the O'Reilly Network.

Copyright © 2009 O'Reilly Media, Inc.