gnu-crypto-discuss
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [GNU Crypto] JKS and reverse engineering

From: Casey Marshall
Subject: Re: [GNU Crypto] JKS and reverse engineering
Date: Sat, 21 Jun 2003 07:52:13 -0700
User-agent: Mutt/1.4i 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Jun 21, 2003 at 09:42:42PM +1000, Raif S. Naffah wrote:

> On Sat, 21 Jun 2003 09:03 pm, Casey Marshall wrote:
> > Hi list,
> >
> > I've been working on an implementation of the JKS keystore algorithm,
> > which is Sun's proprietary keystore format. I have done this by
> > reverse engineering Sun's implementation.
> >
> > What is the position here with regard to reverse engineering?
> 
> can you explain what you mean by reverse-engineering?
> 

I did two things: 1) study hex dumps of keystores to determine the file
format, and 2) used the public API of the JDK to obtain a trace of the
calls made by the encryption and signature algorithms to message digest
and secure random classes. The program I wrote to do this is also
available.

> i'm looking at the license text that comes with the J2SE and i notice, 
> for example, in article 3.0 LICENSE RESTRICTIONS, section 3.2:
> 
> "...
> 3.2 Except as otherwise provided by law, Licensee may not
> modify or create derivative works of the Licensed Software,
> or reverse engineer, disassemble or decompile binary
> portions of the Licensed Software, or otherwise attempt to
> derive the source code from such portions."
> 

I am well aware of what Sun *says*, and I address this briefly in the
source file.

I don't believe that Sun has the authority to forbid what I did; after
all it only involved looking at my own personal data *created by* the
software (which is not Sun's property) and using the *public API* in a
new program. Copyright does not cover the use of a piece of software, no
matter what these EULAs claim.

The "encryption" algorithm is trivial -- it is a repeated SHA-1 hash
XORed with the plaintext -- and could never be patented [1]. The
signature algorithm is just SHA-1, with the string "Mighty Aphrodite"
used as a whitener. Sun owns no trademarks for this phrase; Woody Allen
got there first.

Besides, other vendors (IBM in particular) distribute a JDK that
includes a compatible implementation but whose licenses do not forbid
reverse engineering of this type -- they only forbid "reverse assembling"
and "reverse compiling". So what's to do?

Phooey. I always get worked up over these things.

[1] Probably.

- -- 
Casey Marshall || address@hidden
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+9HETgAuWMgRGsWsRAhJFAJ0U88eVIWJNs5PSUAnBDkrJMWhj7wCfc/LD
CxvjZ0+o30M/cKnzdY3cZtg=
=5FZN
-----END PGP SIGNATURE-----
reply via email to
[Prev in Thread] Current Thread [Next in Thread]