Bugtraq mailing list archives

SRP is being patented - don't be so quick to use it.


From: David Wheeler <dwheeler () IDA ORG>
Date: Thu, 21 Dec 2000 16:45:26 -0500

On Wed, 20 Dec 2000, Ajax wrote:
> Allow me to refer everyone to the SRP protocol (http://srp.stanford.edu/),
> which accomplishes a cryptographically strong password exchange and uses
> it to establish a session key.

Trouble is, I understand that SRP is in the process of being patented,
a fact never mentioned on the SRP website as far as I can tell.
Here's my source:
   http://www.securityportal.com/closet/closet19991208.html

A _very_ large number of developers, including essentially all open source
developers, _automatically_ avoid all patented algorithms unless there's
a generous patent grant. Patented algorithms cannot be used at all
in open source programs unless there's a patent grant to permit it.
Even proprietary software developers only use
patented algorithms if they are absolutely necessary: not only do they add
cost, but they also make the developer hostage to the patent holder.
Patents also harm interoperability with other systems: developers of
other systems will avoid the patented algorithm for the same reasons, and
most standards bodies either oppose or gingerly treat patented algorithms.

The exception would be if the patent holder creates a patent grant to
developers (at least for open source or GPL programs) using the magic words
"non-exclusive, irrevocable, world-wide, & royalty-free".
Having a free implementation isn't enough, since the patent holder can
always change the usage conditions (causing great pain to everyone).
You can see an example of a patent grant at
 http://www.advogato.org/article/89.html.

I believe Mr. Wu has excellent intentions, and I really like many of
the things that he says on his web site.  However, I understand that
_Stanford_ (not Mr. Wu) is applying for the patent, so only a
representative of Stanford (and not Mr. Wu) can make a patent grant.
Obviously you can't give away what isn't yours.
I haven't found any official patent grant for SRP from someone
asserting to be the owner of the patent.

Note that this is different than the situation of DES and SHA-1.
In the case of DES, the patent owner (IBM) gave up all US rights
(see Bruce Schneier, 28 Sep 1998, http://www.io.com/~ritter/NEWS3/AESPAT.HTM).
For SHA-1, the designers were NIST and NSA, who didn't patent it, and
FIPS 186-1 declares "The Department of Commerce is not aware
of any patents that would be infringed by this standard."

For an example of the troubles of patents, look at the Unisys patent that
impacts GIF compression.  Unisys originally said free programs could use it,
then later on said that they couldn't.  Suddenly many users & developers
using GIF were hurt!  Unisys is now trying to extort $5,000 from
every website using GIFs unless the site meets hard-to-prove criteria
(see http://www.burnallgifs.org for more about this).

The problem with patents is so serious that NIST's AES requirements
specifically stated that they "desire to have the AES available worldwide
on a royalty free basis"; clearly at least one U.S. government agency
has decided that royalty-imposing patented algorithms (at least in this case)
aren't worth it. Due to recent patent expirations, developers are finally
free to use RSA & Diffie-Hellman; let's not put the chains back on so quickly.

I looked at this last year, and abandoned SRP once I learned of its
patent status.  If there's more information, I'd love to hear about it.
In particular, I would LOVE to hear that its patent situation has improved.
I don't think the issue is Wu, I think the issue is what Stanford intends
to do. Given a generous patent grant, I'd be happy to use SRP, and it's
quite possible things have changed (I hope they have).


--

--- David A. Wheeler
    dwheeler () ida org

