IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA ________________________________________________ ) PHILIP R. KARN, Jr. ) ) Plaintiff, ) ) Civ. A. No. 95-1812(LBO) v. ) ) (Judge Oberdorfer) UNITED STATES DEPARTMENT OF STATE; ) and UNITED STATES DEPARTMENT OF ) COMMERCE; and WILLIAM A. REINSCH, ) Undersecretary of Commerce for the Bureau of ) Export Administration in his official capacity. ) ) Defendants. ) ) ________________________________________________) DECLARATION OF PHILIP R. KARN, JR. PHILIP R. KARN, JR., declares as follows: 1. I am the plaintiff in the captioned action. I make this declaration in opposition to the defendants' Second Motion to Dismiss or, in the Alternative, for Summary Judgment. 2. I am a Senior Staff Engineer at Qualcomm, Inc. of 6455 Lusk Blvd., San Diego, CA. I have a BS degree in Electrical Engineering from Cornell University and a MS degree in Electrical Engineering (Computer Engineering) from Carnegie-Mellon University. My previous employers were Bell Telephone Laboratories and Bell Communications Research. I have been actively involved in computer programming since the middle 1970s. My professional interests include digital radio communications, computer networking, security and encryption. 3. I have downloaded and studied the Integrated TIS/DNSSEC source code available on the Internet from http://www.toad.com/~dnssec/. 4. According to this web site, on June 4, 1997 the Bureau of Export Administration (BXA) classified this software as EAR99 (not subject to the EAR, since it is publicly available) in Commodity Classification number G006298. 5. The Integrated TIS/DNSSEC package approved for export includes the RSAREF 2.0 encryption source code library distributed by RSA Data Security Inc. The RSAREF source code, like that on the Applied Cryptography disk at issue in this case, is intended for those wishing to incorporate encryption into their applications. 6. Using the UNIX "diff" command, I compared the RSAREF 2.0 source code contained within the DNSSEC package with that from RSA Data Security Inc's FTP site, ftp://ftp.rsa.com/rsaref/. The contents are exactly identical. 7. The RSAREF 2.0 directory contained within the Integrated TIS/DNSSEC package approved for export includes C-language source code files for the US Data Encryption Standard (DES) and the RSA algorithm, a "public key" cryptographic function designed for both authentication and confidentiality. 8. The RSAREF 2.0 DES code supports both "single" and "triple" (3DES) modes. Triple-mode DES is widely believed to provide very strong encryption. The American National Standards Institute (ANSI) is now standardizing triple DES for the banking community and other users. 9. C-language source code for the single and triple DES algorithms are also provided on the Applied Cryptography Source Code disk at issue in this case. The Applied Cryptography disk does not include code for the RSA algorithm. 10. The DES/3DES code in RSAREF is not identical to the DES/3DES included on the Applied Cryptography source code disk that is at issue in this case. However, both describe the exact same algorithm. A computer executing object code compiled from the RSAREF DES source code can decrypt information that has been encrypted by a computer executing object code compiled from the DES source code on the Applied Cryptography disk, and vice versa. 11. It appears that the DES/3DES code in RSAREF was derived from the code in Applied Cryptography, or both were derived from a common ancestor. Large sections of code are identical or nearly so (e.g., except for variable name changes that do not affect the object code produced by compiling the source code). 12. The changes in the RSAREF version of DES/3DES from the Applied Cryptography version include "cleaning up" the input-output interfaces; implementing "cipher block chaining", a popular "mode" for using DES that the user of the Applied Cryptography version would have to implement himself; improving security by destroying sensitive data when it is no longer needed; and an optional "DESX" mode for increased security. For these reasons, a programmer such as myself would tend to prefer the RSAREF version rather than the Applied Cryptography version when incorporating encryption into an application. 13. There are no other meaningful distinctions between the two versions of DES. There are certainly none that would warrant classifying the Applied Cryptography version as a controlled Encryption Item while classifying the RSAREF version as EAR99. I swear under penalty of perjury that the foregoing is true and complete to the best of my knowledge and belief. Philip R. Karn, Jr.