law office of
Lee Tien
1452 Curtis Street
Berkeley, California 94702
_______________
tien@well.com
voice: (510) 525-0817
fax: (510) 525-3015

December 15, 1996

RE: Commodity Jurisdiction Request for "Integrated DNSSEC," containing TIS/DNSSEC (by Trusted Information Systems, Inc.) and RSAREF (by RSA Data Security, Inc.)

U.S. Department of State
Office of Defense Trade Controls
PM/DTC, Room 200, SA-6
Bureau of Political-Military Affairs
Washington, D.C. 20522-0602

SENT VIA FEDERAL EXPRESS to:
U.S. Department of State
Bureau of Political-Military Affairs
Office of Defense Trade Controls
PM/DTC, Room 200, SA-6
2201 C Street, N.W.
Washington, D.C. 20520-0602

Dear Sir or Madam:

This is a Commodity Jurisdiction (CJ) Request by Mr. Hugh Daniel for the following commodity: Integrated DNSSEC, which is authentication software for improving the security of the Internet's Domain Name System.

We hereby submit this CJ Request pursuant to the International Traffic in Arms Regulations (ITAR) and ask that this commodity be determined to be outside the licensing jurisdiction of the State Department as a product within one or more exemptions of Category XIII(b) of the U.S. Munitions List, 22 C.F.R. Sec. 121.1 Category XIII(b)(1)(v) ("access control") or (vi) ("data authentication").

Integrated DNSSEC is an authentication application consisting of an implementation of Domain Name System Security Extensions (DNSSEC) developed by Trusted Information Systems, Inc. (TIS) under DARPA sponsorship (TIS/DNSSEC), integrated with the RSAREF 2.0 tool kit (RSAREF) released by RSA Data Security, Inc. A primary goal of the DARPA contract work performed by TIS was to make the TIS implementation freely available to DNS implementers on the Internet.

Mr. Daniel seeks to make Integrated DNSSEC freely available to DNS implementers on the Internet. He works with various free, non-proprietary software distributors, such as those who distribute the non-proprietary version of UNIX known as GNU. After approval for distribution is obtained, he plans to make the software available for download from the Internet Software Consortium web page at www.isc.org, and from TIS. He also expects that it will be integrated with several free operating system releases, such as Linux (www.linux.org) and FreeBSD (www.freebsd.org), which are available both online and on CD-ROMs.

Integrated DNSSEC is implemented to provide authentication and integrity assurance mechanisms for the DNS. It provides no confidentiality capability to users. Although the application contains cryptographic algorithms present within RSAREF, the application contains no interface to RSAREF other than for authentication and test purposes. No user access to RSAREF's encryption capabilities is provided; the only uses of encryption for confidentiality are within a restricted internal function protecting private keys used for signature generation, and within a test scaffold that uses pre-selected, known key values.

In June 1996, TIS submitted a CJ Request for TIS/DNSSEC, which was determined by the Office of Defense Trade Controls (ODTC) not to be within the licensing jurisdiction of the State Department. (ODTC Case CJ 261-96). TIS/DNSSEC, however, is not a functional authentication application on its own; the application which ODTC evaluated requires RSAREF to function.

Because the commodity for which review is now sought is merely TIS/DNSSEC integrated with those cryptographic routines necessary for TIS/DNSSEC to perform authentication and integrity assurance, we believe that this commodity should also be outside the licensing jurisdiction of the State Department as a mass-market authentication application "[l]imited to data authentication . . . to ensure no alteration of text has taken place, or to authenticate users, but does not allow for encryption of data, text or other media other than that needed for the authentication."

In accordance with State Department guidelines, the following information is presented for your review and analysis:

1. Description:

Integrated DNSSEC adds authentication to the Internet's Domain Name System (DNS). The main function of the DNS is to associate an Internet address with an Internet host name. It is a critical operational part of the Internet infrastructure. The DNS, however, currently has no security capabilities. It is easy to insert false data into it, and by altering DNS data, a person can pretend to be someone else or redirect communications to go to other than the originally intended destination. Thus, malicious or erroneous information can corrupt the DNS and significantly harm the Internet.

To address this problem, the Internet Engineering Task Force (IETF) designed security extensions based on digital signatures to assure security, integrity and reliability. Under DARPA sponsorship, Trusted Information Systems, Inc., implemented the IETF specifications into its TIS/DNSSEC. These extensions specifically do not provide users with encryption confidentiality; instead, the DNS Security Extensions provide for the distribution and storage of authenticated public keys in the DNS structure. This capability can support other Internet functions in addition to the DNS, so fielding the TIS security extensions for DNS will provide improved security, integrity and reliability for the overall Internet.

Integrated DNSSEC consists of the source code for TIS/DNSSEC integrated with the source code for the RSAREF crypto tool kit (by RSA Data Security, Inc.). TIS/DNSSEC is a modified version of the Berkeley Internet Name Daemon (BIND) software, the software most widely used for implementing the DNS on the Internet, which is written in the C programming language. It uses RSAREF, also written in the C programming language, as an authentication tool. It does not use any of RSAREF's cryptographic functionality other than in service of authentication.

The majority of TIS/DNSSEC is dedicated to handling new resource records (stored information entries in the DNS database) and processing requests and responses for these records. Only a small portion of the TIS/DNSSEC implementation deals with RSAREF.

As part of this CJ Request, we have attached copies of:

(1) the TIS/DNSSEC CJ Request (ODTC Case CJ 261-96);
(2) the ODTC letter determining that TIS/DNSSEC is outside the licensing jurisdiction of the State Department; and
(3) floppy disks containing the subject source code.

The floppies each contain a DOS file system. There is a single file on each floppy, called "tisdnssc.tgv". This is a gzip'd tar file which contains the complete source code distribution for TIS/DNSSEC. Using these commands:

    gzip -d tisdnssc.tar
    tar xvvf tisdnssc.tar

the distribution can be extracted. This will create a new directory called sec_bind494-b131-complete, which has all the files in it. In that directory is a file named README_COMPLETE which is in addition to the files from the TIS release and the RSAREF release. The README_COMPLETE simply states:

    "Complete distribution of TIS/DNSSEC

    This directory integrates the Trusted Information Systems release of TIS/DNSSEC and the RSA Data Security release of RSAREF. The only changes are minor edits in the top-level Makefiles of the two distributions. The result is a single distribution which provides complete source code for authenticated domain name services. See TIS's README_SEC for details on the program, and INSTALL_SEC for the installation instructions."

The only changes from the two distributions are:

- Removed packing materials from the RSAREF release.
- Renamed top-level directory to add -complete.
- Edited Makefile to add rsaref/lib to the SUBDIRS list and to change the default compiler on SunOS to gcc.
- Copied rsaref/install/unix/makefile to rsaref/lib/makefile.
- Edited rsaref/lib/makefile to avoid a name conflict with the top-level Makefile.
- Added README_COMPLETE file.

The commodity has been tested and it compiles without further integration, following the directions in the INSTALL_SEC file, on SunOS using GCC.

The RSAREF distribution includes a sample program that can do file encryption, for testing the distribution. The program cannot be removed from the distribution because the RSAREF program license agreement requires consent from RSA Data Security for changes to the release. However, this program is restricted to using one of three keys, two of which are wired into the program (and are thus known) and the third of which is "randomly" generated by RSAREF itself (to test the key generator). However, the random number generator in the test program has been crippled so that it only gets fed zeros: its output is completely predictable. In other words, the program is not useful for file encryption; it provides no confidentiality because all possible keys are pre-compromised.

2. Origin of Commodity:

The specifications for the DNS Security (DNSSEC) Extensions were published by the Internet Engineering Task Force. The extensions provide the specific mechanisms (data origin authentication, data integrity, key distribution, transaction authentication, request authentication) to integrate security, integrity and reliability into the DNS. Under DARPA sponsorship (Contract # DABT63-94-C-0001, "Internet Infrastructure Protection," March 1, 1994), TIS developed a reference implementation of the DNSSEC specification, TIS/DNSSEC.

Integrated DNSSEC will, after compilation and installation by a trained person, perform authentication on its own. It is designed for installation without further substantial support by the supplier.

TIS/DNSSEC, as released by TIS, did not function to authenticate on its own; it requires that the DNS implementer obtain and compile RSAREF separately. RSAREF is software developed by RSA Data Security, Inc., and made available without cost per the RSA Program License Agreement. Although RSAREF has cryptographic functionality, Integrated DNSSEC does not use any of RSAREF's cryptographic functionality other than that needed to perform authentication.

TIS obtained approval to make TIS/DNSSEC freely available to DNS implementers on the Internet. However, although TIS/DNSSEC requires RSAREF to be functional, it is published without RSAREF. Thus, TIS/DNSSEC is of limited value because DNS implementers must obtain and compile RSAREF separately before being able to authenticate. The goal of this CJ Request is to make it possible for DNS implementers to have DNS authentication in a single integrated package.

3. Current Use:

The TIS/DNSSEC software was recently released. Integrated DNSSEC would be a new release; after approval for distribution is obtained, Mr. Daniel plans to make the software available for download from the Internet Software Consortium web page at www.isc.org, and from TIS. He also expects that it will be integrated with several free operating system releases, such as Linux (www.linux.org) and FreeBSD (www.freebsd.org), which are available both online and on CD-ROMs.

4. Special Characteristics:

Integrated DNSSEC is not designed to meet specific military standards or specifications, is not a "hardened" military device, does not contain TEMPEST capability, and is not intended for surveillance or intelligence gathering. The package's only use of encryption for confidentiality is for the protection of stored private signature-generation keys via a DES function in RSAREF, and for testing the functioning of the underlying cryptographic library using known keys, as described above.

5. Other Information:

Integrated DNSSEC is implemented to provide authentication and integrity assurance mechanisms for the Internet DNS. The package contains RSAREF, but only uses RSAREF for authentication and to protect stored private signature-generation keys.

Mr. Daniel seeks Commerce Department commodity jurisdiction for Integrated DNSSEC in order to make it available to DNS implementers on the Internet. Making it generally available will increase the security, integrity and reliability of the Internet, a primary goal of the DARPA-sponsored development of TIS/DNSSEC. The advantage of Integrated DNSSEC over TIS/DNSSEC is that it contains everything necessary to implement DNSSEC. Future versions are planned for the BIND 8 release, which is not yet in stable form.

6. Recommendation and Justification:

Our recommendation is based on the ITAR provisions exempting software otherwise within U.S. Munitions List Category XIII(b)(1) from State Department jurisdiction if it is "[l]imited to access control" or "[l]imited to data authentication . . . to ensure no alteration of text has taken place, or to authenticate users, but does not allow for encryption of data, text or other media other than that needed for the authentication." 22 C.F.R. Sec. 121.1 Category XIII(b)(1)(v), (vi). Because Integrated DNSSEC will prevent persons from misdirecting Internet traffic through unauthorized alteration of DNS data, which can cause Internet outages, it should also qualify for exemption as software "designed . . . to protect against malicious computer damage." 22 C.F.R. Sec. 121.1 Category XIII(b)(1)(ix).

Integrated DNSSEC is implemented to provide only authentication and integrity assurance mechanisms for the Internet DNS. Your office has previously recognized that the TIS/DNSSEC implementation is not within State Department licensing jurisdiction. This commodity, Integrated DNSSEC, is merely the already exportable TIS/DNSSEC combined with the library that makes it functional to perform authentication.

I spoke with a representative of the National Security Agency about Integrated DNSSEC on Dec. 10, 1996, and she told me informally that the request appeared to be within the authentication exemption Category XIII(b)(1)(vi) of the ITAR, especially because TIS/DNSSEC has already been determined to be exempt from State Department licensing jurisdiction.

Although RSAREF is included in the package, the application only provides the capability to authenticate. There is no application for general file or text encryption functionality. The basic exponentiation algorithm is of course capable of performing encryption, but the Integrated DNSSEC only uses it for authentication. Any software to perform authentication internally contains an encryption algorithm that has the potential to provide confidentiality, so the applicability of the authentication exemption should turn only on whether Integrated DNSSEC functions to authenticate.

Integrated DNSSEC's interface to RSAREF encryption is limited to the use of a DES function for protecting stored private signature-generation keys. The included library validation program is incapable of meaningful encryption because it is deliberately crippled.

Thus, we believe Integrated DNSSEC contains a minimal use of encryption consistent with assuring authentication and integrity of Internet domain names and addresses as specified by the IETF's DNS Security Extensions. We also believe that because Integrated DNSSEC was designed specifically to protect the Internet's infrastructure, it is not "military."

We therefore respectfully request that the State Department issue a formal CJ determination stating that Integrated DNSSEC is not subject to State Department jurisdiction under the ITAR and is instead subject to Commerce Department jurisdiction.

Please contact me at (510) 525-0817 (voice), (510) 525-3015 (fax) or tien@well.com (e-mail) if you need further information.

Sincerely yours,

Lee Tien