[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Export request (CJR) filed for Kerberos Bones
- To: cypherpunks, [email protected]
- Subject: Export request (CJR) filed for Kerberos Bones
- From: gnu (John Gilmore)
- Date: Fri, 14 Jan 94 07:55:01 -0800
This is a Commodity Jurisdiction Request for the bones of the Kerberos
distribution. This "Bones" distribution has the encryption stripped
out to make it exportable (we hope). A CJR is a formal request to the
State Department for them to determine what kind of export license is
required for this item.
This request has been asigned case # 012-94. The State Department has
15 working days to tell us whether the Bones are officially exportable
or not, and under what rules. I'll post the results when they come in.
One of the games that the State Dept. and NSA play is to not reveal
exactly what is exportable, so that people will err on the side of
safety (and export fewer things with crypto in them). By sharing
information among ourselves, we can find out what the real rules are.
This CJR was made using Lee Tien's CJR kit, available for FTP on
cygnus.com:/pub/export.cjr.kit.
John Gilmore
Cygnus Support
John Gilmore
Generalist
Cygnus Support
1937 Landings Drive
Mt. View, CA 94043
+1 415 903 1418
+1 415 903 0122 fax
ATTN: Maj Gary Oncale - 15 Day CJ Request
U.S. Department of State
Office of Defense Trade Controls
PM/DTC SA-6 Room 200
1701 N. Fort Myer Drive
Arlington, VA 22209-3113
Fax +1 703 875 5845
ATTN: 15 Day CJ Request Coordinator
National Security Agency
P.O. Box 246
Annapolis Junction, MD 20701
Subject: Mass Market Software with Encryption - 15 Day Expedited Review
Requested
Subject: Commodity Jurisdiction Request for
"Kerberos 900104 bones.tar.Z patchlevel 6"
INTRODUCTION
This is a Commodity Jurisdiction Request for mass market software
with encryption capabilities.
The name of the software product is "Kerberos 900104 bones.tar.Z
patchlevel 6".
We have no DTC registration code.
We have reviewed and determined that the software, which is the subject
of the CJ request, meets paragraph 1 of the "Criteria for Determining
the Eligibility of A Mass Market Software Product for Expedited Handling."
A duplicate copy of this CJR has been sent to the 15 Day CJ Request
Coordinator.
DESCRIPTION
The software is an authentication system for networked computers.
It is a component of the MIT Athena project, which built various
software for automating the administration and operation of large
networks of computers.
The Kerberos software is undoubtedly familiar to your agency.
We believe that previous CJR's have been made on it, including
at least one from Digital Equipment Corporation.
The Kerberos system authenticates individual users in a network
environment. It bases security on a `secret' which is shared between
a central Kerberos server and the user. This secret is a
cryptographic key based on the user's password, with which the user
can prove who they are by being able to decrypt sealed messages from
the server.
After the user has authenticated herself to Kerberos, she can use
familiar Berkeley Unix network utilities such as rlogin, rcp, and rsh,
without having to present passwords to remote hosts and without having
to rely on insecure ``.rhosts'' files. These utilities will work
without passwords only if the remote machine supports the Kerberos
protocols. If not, the normal facilities will be used.
Kerberos provides the following benefits:
* Security against outside attackers.
* Security against inside attackers.
* Convenience in a distributed workstation environment.
* Augmentation of an existing security organization.
* Standardized access control mechanisms.
I have enclosed a technical paper, "Kerberos: An Authentication
Service for Open Network Systems", from the 1988 Winter USENIX
Conference Proceedings.
This "Bones" version of the Kerberos software has been specially
prepared for export by removing the encryption routines and the calls
to the encryption routines. We are submitting this CJ to confirm the
the official opinion of the Department of State on whether we require
a State Department and/or Commerce Department license to export this
software.
ORIGIN OF COMMODITY
The item was originally designed for its current use. It was created
as part of MIT's Project Athena in the 1980's. It was designed for
commercial use without concern for military use. An example of its
commercial use is in authenticating students who work from various
workstations on a campus, connected via local-area and wide-area
networks. The item was developed with private funding.
The item is currently publicly available on the Internet via FTP (file
transfer protocol) from the machine athena-dist.mit.edu (18.71.0.38)
in directory /pub/kerberos/dist/900104/bones.tar.Z. Its documentation
is available as /pub/kerberos/dist/900104/doc.tar.Z.aa and doc.tar.Z.ab.
We obtained the item and documentation from that location.
CURRENT USE
The current use of this item is to provide user authentication for computer
users in a network. The software provides:
* a server which runs on a physically secured computer and which stores
the password of each user
* library routines which establish communication between the server
and other programs
* utility programs for administering the authentication system
klist, kinit, kdestroy, ksu, ksrvtgt, kadmin, kprop
* modified versions of readily available networking programs, which
use the library routines for authentication, including:
tftp - trivial file transfer protocol
sample - a sample application
knetd - user authentication daemon
rsh and rshd - remote shell
rlogin and rlogind - remote login
rcp - remote file copy
The uses of the item have not changed significantly over time.
Most of the product market is commercial.
SPECIAL CHARACTERISTICS
There are no military standards or specifications that the item is
designed to meet. There are no special characteristics of the item,
including no radiation-hardening, no ballistic protection, no hard
points, no TEMPEST capability, no thermal and no infrared signature
reduction capability, no surveillance, and no intelligence gathering
capability. The item does not use image intensification tubes. The
item originally used encryption algorithms for authentication, using
the DES (Data Encryption Standard), however these algorithms and the
calls to them have been removed to facilitate export approval.
OTHER INFORMATION
We recommend that this item and its technical documentation be
determined to be in the jurisdiction of the Commerce Department. We
believe that it qualifies for the general license GTDA for General
Technical Data to All Destinations, because it qualifies as "publicly
available" and contains no encryption routines or hooks for
encryption.
ATTACHMENTS
I have enclosed a technical paper, "Kerberos: An Authentication
Service for Open Network Systems", from the 1988 Winter USENIX
Conference Proceedings.
I have also enclosed the README file from the MIT directory
where we obtained the software, which describes what was done
to the software to make it more suitable for export.
If there are any technical questions, NSA has direct access to the
full source code and online documentation via the Internet. The item
is currently publicly available on the Internet via FTP (file transfer
protocol) from the machine athena-dist.mit.edu (18.71.0.38) in
directory /pub/kerberos/dist/900104/bones.tar.Z. Its documentation is
available as /pub/kerberos/dist/900104/doc.tar.Z.aa and doc.tar.Z.ab.
We obtained the item and documentation from that location.
Sincerely,
John Gilmore
Generalist
Cygnus Support
--
John Gilmore [email protected] -- [email protected] -- [email protected]
``This committee has not tried to determine whether the National Security
Agency tendency to advance exaggerated claims of authority ... stems from
conscious policy or the actions of individual NSA employees.''
The Government's Classification of Private Ideas, House Report 96-1540, p. 67