From: (Mark Riordan)
Subject: Exportable RIPEM/SIG Available
Date: 15 Mar 1994 14:55:01 GMT
Organization: Michigan State University
Summary: Free Signature-only version of RIPEM

Announcing the availability of RIPEM/SIG, an exportable signature-only
version of RIPEM, a public-key encryption program.

RIPEM/SIG is a version of RIPEM 1.2 with encryption and decryption
taken out.  RSA Data Security has obtained a US State Department
Commodities Jurisdiction ruling determining that RIPEM/SIG is
exportable from the USA.  At this writing, RIPEM/SIG is undergoing
a classification to determine what countries it may not
be exported to.  (Worst case is that RIPEM/SIG may not be exported
to such countries as Libya, Iraq, and North Korea.)

While this ruling certainly does not fully address the strong concerns 
of myself and many others regarding the USA's overly restrictive 
export laws, it does ease things a bit for individuals wishing to 
exchange authenticated messages across international borders.

RSA Data Security has granted a free license to users worldwide
of RIPEM/SIG to use the software for any purposes other than
direct commercial services.  (I.e., selling the software itself or 
selling a service directly based on the program's functions.)  
It is allowable to make use of the software at a commercial 
location or on commercial computer systems.   Use for personal 
communication, or even corporate communications, is permitted.
These rights will be clarified in a new RSAREF license and new 
RSA software, to be available in a few weeks.  For a license to 
use RIPEM/SIG to deliver commercial services, contact RSA Data 
Security for terms.  

It is believed that RIPEM/SIG is the only US-exportable signature 
software in the world available for free to US users.   
(Non-US users are not bound by RSADSI's US patents, but would
be bound by copyright laws.)

RIPEM/SIG is built from RIPEM 1.2a sources; thus, RIPEM/SIG
source code is not exportable.  The executables are exportable.
I have compiled RIPEM/SIG for several popular architectures
and have placed the executables on, available
for anonymous FTP from /pub/crypt/ripem/ripemsig/binaries.
Other USA and Canada citizens are welcome to obtain the RIPEM 1.2a
source distribution and create and export executables for 
other platforms.

I also wish to announce the availability of RIPEM 1.2a.
There were no algorithmic changes between 1.2 and 1.2a;
simply code changes to create RIPEM/SIG and to accommodate 
some brain-dead C compilers.

RIPEM is available via non-anonymous FTP from
See the file GETTING_ACCESS to get an account.
RIPEM/SIG is, as mentioned above, available from the same site
via anonymous FTP.

Mark Riordan  

From: (Jim Bidzos)
Subject: Re: Exportable RIPEM/SIG Available
Date: 18 Mar 94 17:14:11
Organization: RSA Data Security, Inc.

More info: Kurt Stammberger, RSA Data Security, Inc. 415/595-8782
To download RSAREF and RIPEM, send any message to
or ftp from


Information superhighway gets free tool to authenticate information;
an answer to Vice-president Gore's concerns over Internet break-ins


Redwood City, Calif. (March 21, 1994) - RSA Data Security, Inc.
announced today a first: digital signature software that is both free
and legal worldwide.

RSA applied for and received a "commodities jurisdiction," or CJ for a
software package called RIPEM/SIG, which was built with RSA Data
Security's RSAREF toolkit, a freeware package. A CJ, which is a ruling
that the software falls under the Commerce Department's jurisdiction
as opposed to the State Department, allows RIPEM to be freely and
legally exported.  Further, RSA has relaxed the use restrictions in
its free crypto toolkit. RSAREF, and any application built with it,
may now be used in commercial settings as long as it is not sold or
used to provide a direct for-profit service.

Digital signatures are produced using the RSA cryptosystem, which is a
public-key cryptosystem.  Each user has two keys - one public and one
private.  The public key can be disclosed without compromising the
private key.  The RSA cryptosystem was invented and patented in the
late 1970's by Drs. Rivest, Shamir, and Adleman at the Massachusetts
Institute of Technology, and was based on work by Whitfield Diffie and
Martin Hellman at Stanford University.

Electronic documents can be "signed" with an unforgeable "signature"
by using a document/private-key combination to produce a signature unique
to the author/document.  Anyone, by using only RIPEM and the public
key of the author, can verify the authenticity of the document.

Applications of digital signatures are endless.  One reason that the
paperless office has never materialized is that paper must still be
printed so that handwritten signatures can be applied.  RSAREF and
RIPEM solve that problem.  Expense reports, any electronic forms,
administrative documents, even tax returns can be electronically
signed to speed electronic document flow and eliminate fraud.
Information on the Internet can be signed and verified to prevent
spoofing.  Recently, unauthenticated messages at Dartmouth College
caused an important test to be cancelled; messages impersonating
faculty were sent out.

"Data mailed, posted, or put on servers on the Internet is inherently
untrustable today," said Jim Bidzos, president of RSA. "Tampering with
electronic documents takes no special skills, and leaves no trace.
With the availability of a free, legal, and exportable tool such as
RIPEM, there's no need for such a situation to continue. It can be
used by individuals, corporations, and government agencies at no

In a February 4th announcement, Vice-president Gore stated that the
recent Internet break-ins could have been prevented with digital
signatures. "Here they are," said Bidzos.  Recently, cryptography has
caused clashes between government and industry, over privacy issues,
law enforcement concerns, and export issues.  "The US government has
approved this software for export," said Bidzos. "Clearly, it's no
threat to them. And it's free."

Digital signatures can also be used to detect any virus before a
program is executed, since any change whatsoever is detected.

The RIPEM application was developed using the RSAREF toolkit by Mark
Riordan of Michigan State University. A Macintosh version, developed
by Ray Lau of MIT, the author of the popular "StuffIt" program, is also
available.  Versions for DOS, Unix, and all popular platforms are
supported. "PEM" stands for Privacy Enhanced Mail, a published
Internet standard for secure electronic mail.  Other innovative
applications can also be built with RSAREF and distributed at no cost.
The full encryption-capable RIPEM is available only in the US.

RSA digital signatures are a standard feature of Lotus Notes, the
Apple System 7 Pro Operating System, Novell NetWare, Microsoft Windows
at Work, Windows NT, IBM System Security Products, DelRina PerformPro,
WordPerfect InForms, SHANA InFormed, BLOC F3 Forms, Fischer
International Workflow, and numerous other products. Over 3 million
commercial products in the market today already use RSA signatures
under license from RSA Data Security. Other RSA licensees include
General Magic, Hewlett-Packard, Oracle, Unisys, Digital Equipment
Corp, Motorola, and numerous others.

RSA Data Security, Inc. designs, develops, markets, and supports
cryptographic solutions toolkits and products.  The company was
founded by the inventors of the RSA cryptosystem in 1982 and is
headquartered in Redwood City, California.

From: (Tomaz Borstnar)
Subject: Re: Exportable RIPEM/SIG Available
Date: 21 Mar 1994 20:08:50 +0100
Organization: ARNES [Academic and Research network of Slovenia]

In article <2m4i85$>,
Mark Riordan <> wrote:
>Announcing the availability of RIPEM/SIG, an exportable signature-only
>version of RIPEM, a public-key encryption program.
>RIPEM/SIG is built from RIPEM 1.2a sources; thus, RIPEM/SIG
>source code is not exportable.  The executables are exportable.
>I have compiled RIPEM/SIG for several popular architectures

How can we know that it doesn't contain any trapdoors since we're unable to
verify it? Do we have any guarantee that code is clean? Maybe ripem/sig also
searches disk while signing, etc? I don't have any proof for this so these are
purely my speculations.

>Mark Riordan  

ARNES (Academic and research network of Slovenia) News admin
Phone:+386-61-125-9199 ext. 422; fax:+386-61-219-385
E-mail: | Arnes, Jamova 39, Ljubljana, Slovenia

From: (Mark Riordan)
Subject: Re: Exportable RIPEM/SIG Available
Date: 22 Mar 1994 14:33:52 GMT
Organization: Michigan State University

Tomaz Borstnar wrote:
: How can we know that it doesn't contain any trapdoors since we're unable to
: verify it? Do we have any guarantee that code is clean? Maybe ripem/sig also
: searches disk while signing, etc? I don't have any proof for this so these are
: purely my speculations.

As you know, to my dismay I am unable to export the source code
to RIPEM/SIG.  However, the source is available to millions of
citizens of the US and Canada.  If you get enough people from
those countries to look at the source and declare it free of 
trapdoors, there's a pretty good chance it's clean.  Any of those
millions can build and export the executables of RIPEM/SIG, so you
don't have to rely upon the copies that I built.


