Re: [GNU Crypto] JKS and reverse engineering
From: Casey Marshall
Subject: Re: [GNU Crypto] JKS and reverse engineering
Date: Sat, 21 Jun 2003 07:52:13 -0700
User-agent: Mutt/1.4i

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sat, Jun 21, 2003 at 09:42:42PM +1000, Raif S. Naffah wrote:
> On Sat, 21 Jun 2003 09:03 pm, Casey Marshall wrote:
> > Hi list,
> >
> > I've been working on an implementation of the JKS keystore algorithm,
> > which is Sun's proprietary keystore format. I have done this by
> > reverse engineering Sun's implementation.
> >
> > What is the position here with regard to reverse engineering?
>
> can you explain what you mean by reverse-engineering?
>
I did two things: 1) studied hex dumps of keystores to determine the file
format, and 2) used the public API of the JDK to obtain a trace of the
calls made by the encryption and signature algorithms to message digest
and secure random classes. The program I wrote to do this is also
available.

> i'm looking at the license text that comes with the J2SE and i notice,
> for example, in article 3.0 LICENSE RESTRICTIONS, section 3.2:
>
> "...
> 3.2 Except as otherwise provided by law, Licensee may not
> modify or create derivative works of the Licensed Software,
> or reverse engineer, disassemble or decompile binary
> portions of the Licensed Software, or otherwise attempt to
> derive the source code from such portions."
>
I am well aware of what Sun *says*, and I address this briefly in the
source file.

I don't believe that Sun has the authority to forbid what I did; after
all it only involved looking at my own personal data *created by* the
software (which is not Sun's property) and using the *public API* in a
new program. Copyright does not cover the use of a piece of software, no
matter what these EULAs claim.

The "encryption" algorithm is trivial -- it is a repeated SHA-1 hash
XORed with the plaintext -- and could never be patented [1]. The
signature algorithm is just SHA-1, with the string "Mighty Aphrodite"
used as a whitener. Sun owns no trademarks for this phrase; Woody Allen
got there first.

Besides, other vendors (IBM in particular) distribute a JDK that
includes a compatible implementation but whose licenses do not forbid
reverse engineering of this type -- they only forbid "reverse assembling"
and "reverse compiling". So what's to do?

Phooey. I always get worked up over these things.

[1] Probably.

- --
Casey Marshall || address@hidden
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+9HETgAuWMgRGsWsRAhJFAJ0U88eVIWJNs5PSUAnBDkrJMWhj7wCfc/LD
CxvjZ0+o30M/cKnzdY3cZtg=
=5FZN
-----END PGP SIGNATURE-----
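
The scheme described in the message above (a repeated SHA-1 hash XORed with the plaintext, and a SHA-1 "signature" whitened with "Mighty Aphrodite"), as an added Python example that is not part of the original message or of GNU Crypto's code. The 20-byte salt, the 2-byte big-endian password encoding and the trailing check digest are not stated in the message; they follow the commonly documented JKS layout and are assumptions here, as are all function names.

```python
import hashlib
import hmac
import os

MAGIC = b"Mighty Aphrodite"  # whitener string named in the message

def _pw_bytes(password):
    # Assumption: password chars are hashed as 2-byte big-endian units.
    return password.encode("utf-16-be")

def _keystream(password, salt, length):
    # Repeated SHA-1: each 20-byte block is SHA1(password || previous block),
    # with the salt standing in for the first "previous block".
    out, block = b"", salt
    while len(out) < length:
        block = hashlib.sha1(_pw_bytes(password) + block).digest()
        out += block
    return out[:length]

def protect(password, plaintext, salt=None):
    # Output layout (assumed): salt || XORed body || SHA1(password || plaintext)
    salt = os.urandom(20) if salt is None else salt
    ks = _keystream(password, salt, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, ks))
    check = hashlib.sha1(_pw_bytes(password) + plaintext).digest()
    return salt + body + check

def recover(password, blob):
    if len(blob) < 40:
        raise ValueError("blob too short to hold salt and check digest")
    salt, body, check = blob[:20], blob[20:-20], blob[-20:]
    ks = _keystream(password, salt, len(body))
    plaintext = bytes(c ^ k for c, k in zip(body, ks))
    expected = hashlib.sha1(_pw_bytes(password) + plaintext).digest()
    if not hmac.compare_digest(expected, check):
        raise ValueError("wrong password or corrupted data")
    return plaintext

def store_digest(password, store_bytes):
    # "Signature": plain SHA-1 over password, whitener, then the store contents.
    return hashlib.sha1(_pw_bytes(password) + MAGIC + store_bytes).digest()
```

The only secret input to either function is the password, hashed once per block with no key stretching, so the protection is exactly as strong as the password itself.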