[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [iaik-jce] Dependency of iSaSiLk2.5b1 classes onIAIK-JCE2.5b1classes ?



> 1) Just like we set the IAIK Provider with a code like :
> Security.setProvider(new IAIK())
> how do we set :
> a) JCE Provider ?  Refer from Andreas : "If you want to use IAIK JCE as
> the crypto provider for iSaSiLk ..."
> b) IAIK's own Crypto Provider ie, what is the name of the default

See
http://jcewww.iaik.tu-graz.ac.at/iSaSiLk/doc/javadoc/iaik/security/ssl/provi
der/SecurityProvider.html and
http://jcewww.iaik.tu-graz.ac.at/iSaSiLk/doc/javadoc/iaik/security/ssl/IaikP
rovider.html
and
http://jcewww.iaik.tu-graz.ac.at/iSaSiLk/doc/javadoc/iaik/security/ssl/SSLCo
ntext.html#setSecurityProvider
and the attached IaikProvider as an example.

> 2) In my last email, I pointed out to 19 classes which inherit from
> classes in javax.crypto pkg, and 2 + 4  classes which implement i/fs
> from javax.crypto and javax.crypto.interfaces pkgs. It therefore appears
> that one cannot use these 19 + 6 classes without also including JCE
> related classes. Therefore, is it then a must to also have IAIK-JCE2.5b1
> ? Pl confirm and clarify.
The javax-classes can also be taken from Sun, but as they are
export-regulated, we have re-implemented them for our customers outside the
US. I am not aware of what other suppliers of the JCE are providing.

> 3) (Why) is it mandatory in USA to use only RSA implementation ? Does it
> imply that using JCE 1.2 impl is illegal in USA. Also this is not fully
> clear :
> "RSA considers the use of any implementation other than their's illegal.
> However, I don't believe they have a hold over SSL."
See http://jcewww.iaik.tu-graz.ac.at/legal/patent.htm

There is a patent in the US concerning the RSA algorithm and RSA Inc. is
licensing that and they require you to. You have to talk to them directly
for additional info. If you use the JCE without RSA it is perfectly legal,
if you use our RSA implementation, it would be violating their patent.
Therefor

> 4) Somewhere, I have also seen rsa_rc4.jar. This probably contains
> classes exclusive to RSA. Is this IAIK's default CryptoProvider ? Is
> this the one which is supposed to be legal in US ?
.... we provide rsa_rc4 which contains rsa and rc4 (rc4 is claimed by RSA to
be a trade secret). Our iaik_jce.jar does not contain rsa and rc4 to make it
easier for US-customers to avoid getting into problems with RSA:


HTH
Dr. Peter Lipp

Institute for Applied Information Processing
and Communications
Graz, University of Technology

_______________________________________________________________
Inffeldgasse 16a, A-8010 Graz, Austria

email: Peter.Lipp@iaik.tu-graz.ac.at
web:   http://www.iaik.tu-graz.ac.at
Tel.   +43 316 873 5513
Fax    +43 316 873 5520
_______________________________________________________________




IaikProvider.java

smime.p7s