Subject: Commerce Classification Request submitted: #40243
Date: Thu, 24 Feb 1994 13:30:15 -0800
From: John Gilmore

John Gilmore
Generalist
Cygnus Support
1937 Landings Drive
Mt. View, CA 94043
+1 415 903 1418
+1 415 903 0122 fax

ATTN: Commerce Classification Technical Support Staff
U.S. Department of Commerce
PO Box 273
Washington, DC 20044
Fax +1 202 482 5708

Subject: COMMERCE CLASSIFICATION REQUEST (ECCN REQUEST)

We would like to export authentication software for computer networks. The product is called "Kerberos 900104 bones.tar.Z patchlevel 6". It has already been cleared by the State Department in OTDC Case CJ-012-94. The State Dept. reports that the CJ was referred to the Commerce Dept. for review, so you may have a record of it. Please see the technical details in the attached Commodity Jurisdiction Request, State Dept. response, technical paper on the software, and list of changes made to increase its exportability.

We believe that our ECCN is 5D11A. The software is for information security, though the cryptographic code has been removed from it in order to make it easier to export. Please confirm or clarify our belief.

We believe that we can make this product available to ALL destinations as publicly available software, under General License GTDA. It is currently available to the public in the United States without charge. See Supplement No. 2 to EAR section 799.1, note 2 ("General Software Note"). Please confirm that we can use the GTDA license.

When exporting this product over telecommunications links, such as the Internet or an ordinary telephone line, it is not clear whether a Shipper's Export Declaration or a Foreign Trade Statistics Regulation statement must be filed, or who it should be filed with. This is particularly true when the file transfer is initiated by a foreign party without any human assistance on the U.S. end.
It is frequently hard or impossible to know what telecommunications company is the carrier who actually moves the bits across the border -- if we can tell that an export is occurring at all! (When we receive a phone call or an Internet connection, we cannot tell who is calling, where they are in the world, or which of many competing domestic or international carriers handled their call.) Please guide us in this matter.

Thank you!

John Gilmore
Generalist


John Gilmore
Generalist
Cygnus Support
1937 Landings Drive
Mt. View, CA 94043
+1 415 903 1418
+1 415 903 0122 fax

ATTN: Maj Gary Oncale - 15 Day CJ Request
U.S. Department of State
Office of Defense Trade Controls
PM/DTC SA-6 Room 200
1701 N. Fort Myer Drive
Arlington, VA 22209-3113
Fax +1 703 875 5845

ATTN: 15 Day CJ Request Coordinator
National Security Agency
P.O. Box 246
Annapolis Junction, MD 20701

Subject: Mass Market Software with Encryption - 15 Day Expedited Review Requested
Subject: Commodity Jurisdiction Request for "Kerberos 900104 bones.tar.Z patchlevel 6"

INTRODUCTION

This is a Commodity Jurisdiction Request for mass market software with encryption capabilities. The name of the software product is "Kerberos 900104 bones.tar.Z patchlevel 6". We have no DTC registration code.

We have reviewed and determined that the software, which is the subject of the CJ request, meets paragraph 1 of the "Criteria for Determining the Eligibility of A Mass Market Software Product for Expedited Handling." A duplicate copy of this CJR has been sent to the 15 Day CJ Request Coordinator.

DESCRIPTION

The software is an authentication system for networked computers. It is a component of the MIT Athena project, which built various software for automating the administration and operation of large networks of computers. The Kerberos software is undoubtedly familiar to your agency. We believe that previous CJR's have been made on it, including at least one from Digital Equipment Corporation.
The Kerberos system authenticates individual users in a network environment. It bases security on a `secret' which is shared between a central Kerberos server and the user. This secret is a cryptographic key based on the user's password, with which the user can prove who they are by being able to decrypt sealed messages from the server.

After the user has authenticated herself to Kerberos, she can use familiar Berkeley Unix network utilities such as rlogin, rcp, and rsh, without having to present passwords to remote hosts and without having to rely on insecure ``.rhosts'' files. These utilities will work without passwords only if the remote machine supports the Kerberos protocols. If not, the normal facilities will be used.

Kerberos provides the following benefits:

* Security against outside attackers.
* Security against inside attackers.
* Convenience in a distributed workstation environment.
* Augmentation of an existing security organization.
* Standardized access control mechanisms.

I have enclosed a technical paper, "Kerberos: An Authentication Service for Open Network Systems", from the 1988 Winter USENIX Conference Proceedings.

This "Bones" version of the Kerberos software has been specially prepared for export by removing the encryption routines and the calls to the encryption routines.

We are submitting this CJ to confirm the official opinion of the Department of State on whether we require a State Department and/or Commerce Department license to export this software.

ORIGIN OF COMMODITY

The item was originally designed for its current use. It was created as part of MIT's Project Athena in the 1980's. It was designed for commercial use without concern for military use. An example of its commercial use is in authenticating students who work from various workstations on a campus, connected via local-area and wide-area networks. The item was developed with private funding.
The item is currently publicly available on the Internet via FTP (file transfer protocol) from the machine athena-dist.mit.edu (18.71.0.38) in directory /pub/kerberos/dist/900104/bones.tar.Z. Its documentation is available as /pub/kerberos/dist/900104/doc.tar.Z.aa and doc.tar.Z.ab. We obtained the item and documentation from that location.

CURRENT USE

The current use of this item is to provide user authentication for computer users in a network. The software provides:

* a server which runs on a physically secured computer and which stores the password of each user
* library routines which establish communication between the server and other programs
* utility programs for administering the authentication system: klist, kinit, kdestroy, ksu, ksrvtgt, kadmin, kprop
* modified versions of readily available networking programs, which use the library routines for authentication, including:
    tftp - trivial file transfer protocol
    sample - a sample application
    knetd - user authentication daemon
    rsh and rshd - remote shell
    rlogin and rlogind - remote login
    rcp - remote file copy

The uses of the item have not changed significantly over time. Most of the product market is commercial.

SPECIAL CHARACTERISTICS

There are no military standards or specifications that the item is designed to meet. There are no special characteristics of the item, including no radiation-hardening, no ballistic protection, no hard points, no TEMPEST capability, no thermal and no infrared signature reduction capability, no surveillance, and no intelligence gathering capability. The item does not use image intensification tubes.

The item originally used encryption algorithms for authentication, using the DES (Data Encryption Standard), however these algorithms and the calls to them have been removed to facilitate export approval.

OTHER INFORMATION

We recommend that this item and its technical documentation be determined to be in the jurisdiction of the Commerce Department.
We believe that it qualifies for the general license GTDA for General Technical Data to All Destinations, because it qualifies as "publicly available" and contains no encryption routines or hooks for encryption.

ATTACHMENTS

I have enclosed a technical paper, "Kerberos: An Authentication Service for Open Network Systems", from the 1988 Winter USENIX Conference Proceedings. I have also enclosed the README file from the MIT directory where we obtained the software, which describes what was done to the software to make it more suitable for export.

If there are any technical questions, NSA has direct access to the full source code and online documentation via the Internet. The item is currently publicly available on the Internet via FTP (file transfer protocol) from the machine athena-dist.mit.edu (18.71.0.38) in directory /pub/kerberos/dist/900104/bones.tar.Z. Its documentation is available as /pub/kerberos/dist/900104/doc.tar.Z.aa and doc.tar.Z.ab. We obtained the item and documentation from that location.

Sincerely,

John Gilmore
Generalist
Cygnus Support


[State Department logo]
United States Department of State
Bureau of Politico-Military Affairs
Office of Defense Trade Controls
Washington, D.C. 20522-0602

Feb 1 1994

In reply refer to OTDC Case: CJ-012-94
YOUR LETTER DATED: January 13, 1994
REQUEST FOR COMMODITY JURISDICTION FOR: "Kerberos 900104 bones.tar.Z patchlevel 6" software program

This commodity jurisdiction (CJ) request was referred to the Departments of Commerce and Defense for their review and recommendations. As a result, the Department of State has determined that the referenced commodity falls under the licensing jurisdiction of the Department of Commerce. Please consult that agency's Office of Technology and Policy Analysis at (202) 482-4145 to determine their requirements prior to export.

Should you require further assistance on this matter, please contact Maj. Gary Oncale at (703) 875-5655.
Sincerely,

(signed -- but it doesn't look anything like the name below)

William B. Robinson
Director
Office of Defense Trade Controls

John Gilmore
Cygnus Support
1937 Landings Drive
Mt. View, CA 94043


[A copy of "Kerberos: An Authentication Service for Open Network Systems", from the 1988 Winter USENIX Conference Proceedings.]


Copyright (C) 1989 by the Massachusetts Institute of Technology

Export of this software from the United States of America is assumed to require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

This is the initial public distribution of the Kerberos Authentication System. A few notes:

IF YOU ARE OUTSIDE THE U.S. AND YOU WISH TO RETRIEVE THE CODE, you may retrieve the file 'bones.tar.Z' (in the distribution directory mentioned below), which is a version of the Kerberos source code WITH ALL ENCRYPTION CODE REMOVED (and hence is exportable under general export rules). This code carries the same copyright and licensing terms as found above, except that the paragraph about export licenses is not applicable. It will enable you to use the Kerberos protocols and subroutines, but won't provide any network security.
You are free to add your own encryption code (which will involve identifying places in the code where an encryption routine should be called), but we cannot help you, due to export regulations.

The 'bones' distribution is not at the current patchlevel; after retrieving bones and unpacking it, examine the file 'src/patchlevel.h' and get all patches with a number greater than the number in that file (all the patches are available in the directory in which you found this README file).

Export of the documentation is not restricted.

Read doc/installation.{mss,PS} first. It explains how to set up and compile Kerberos.

The current patchlevel is 9.

If you find bugs, please mail them to kerberos-bugs@ATHENA.MIT.EDU.

kerberos@ATHENA.MIT.EDU is a mailing list set up for discussing Kerberos issues. It is gatewayed to the Usenet newsgroup 'comp.protocols.kerberos'. If you prefer to read it via mail, send a request to kerberos-request@ATHENA.MIT.EDU to get added.

To retrieve the rest of the source code, change into the directory 'dist/900104'. [NOTE: you can't cd to this directory in steps, you must do it in one command: cd dist/900104] It contains several compressed & split tar files, plus a patch file. To put them back together, concatenate all the files with similar names: e.g. xxx.Z.aa and xxx.Z.ab get concatenated, save into xxx.Z, and uncompress it, then apply patch file #9 (using the patch program, if available).

NFS CHANGES: Project Athena's changes to the Sun Network File System (NFS) are available separately, via an automatic electronic-mail retrieval system. Send mail with a subject of 'index krb-nfs' to 'archive-server@athena-dist.mit.edu' for more details.
I would like to thank the following people for their assistance in getting Kerberos in shape for release:

Andrew Borthwick-Leslie
Bill Bryant
Doug Church
Rob French
Dan Geer
Andrew Greene
Ken Raeburn
Jon Rochlis
Mike Shanzer
Bill Sommerfeld
Jennifer Steiner
Win Treese
Stan Zanarotti

---------
John Kohl
MIT Project Athena/Kerberos Development Team
24 January 1989

patchlevel 6 assembled: 02 October 1989
patch 7 assembled: 10 November 1989
patch 8 assembled: 02 January 1990
patch 9 assembled: 20 March 1990
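The login step that the CJ request's DESCRIPTION section summarizes (a key derived from the user's password and shared with the central server; the user proves identity by being able to open a sealed reply) and the README's warning that the "bones" build "won't provide any network security" are worth seeing side by side. The following is an added illustration written for this page; it is not code from the MIT distribution, not the Kerberos v4 wire format, and not taken from the enclosed USENIX paper. It assumes an invented realm name and a one-user password table, and it substitutes a toy encrypt-then-MAC seal built from the Python standard library (SHA-256 keystream plus HMAC) for the DES routines that bones removed. The second half runs the same exchange with the seal replaced by the no-op that bones leaves behind: the calls still succeed, any password "works", a listener reads the session key off the wire, and a forged authenticator is accepted.

```python
# Illustrative model of the Kerberos login step, written for this page.
# Not MIT's code and not the Kerberos v4 wire format: seal()/unseal() are a
# stdlib stand-in for the DES routines that the "bones" distribution removed.
import hashlib
import hmac
import secrets

REALM = "EXAMPLE.REALM"             # assumed realm name for the example
USERS = {"alice": "correct horse"}  # constructed password table (toy)
KEY_LEN = 16                        # fixed-length session keys, so no delimiter is needed

def string_to_key(password: str, realm: str) -> bytes:
    """Derive the user's long-term key from the password (toy: realm-salted SHA-256)."""
    return hashlib.sha256(realm.encode() + b"\0" + password.encode()).digest()

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data against a SHA-256 counter keystream (same operation both directions)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return _keystream_xor(key, nonce, ct)

# "Bones" stand-ins: the calls stay in place, the cryptography is gone.
def bones_seal(key: bytes, plaintext: bytes) -> bytes:
    return plaintext

def bones_unseal(key: bytes, blob: bytes):
    return blob

class KDC:
    """Central Kerberos server: one password-derived key per principal."""

    def __init__(self, realm, users, sealer, unsealer):
        self.realm = realm
        self.keys = {u: string_to_key(p, realm) for u, p in users.items()}
        self.sealer, self.unsealer = sealer, unsealer
        self.sessions = {}  # principal -> session key most recently issued

    def initial_reply(self, principal: str) -> bytes:
        """Answer a login request with {session key, ticket} sealed under the user's key.
        The request carries no password; only the right key opens the reply."""
        session_key = secrets.token_bytes(KEY_LEN)
        self.sessions[principal] = session_key
        ticket = f"ticket:{principal}@{self.realm}".encode()
        return self.sealer(self.keys[principal], session_key + ticket)

    def check_authenticator(self, principal: str, auth: bytes) -> bool:
        """Later step: accept the user only if they hold the session key."""
        pt = self.unsealer(self.sessions[principal], auth)
        return pt == f"{principal}@{self.realm}".encode()

def login(kdc: KDC, principal: str, password: str, unsealer):
    """Client side: derive the key from the typed password and open the reply.
    Returns (session_key_or_None, bytes_seen_on_the_wire)."""
    reply = kdc.initial_reply(principal)
    pt = unsealer(string_to_key(password, kdc.realm), reply)
    return (None if pt is None else pt[:KEY_LEN]), reply

def eavesdropper_learns_key(kdc: KDC, principal: str, wire: bytes) -> bool:
    """What a passive listener recovers from the reply it captured."""
    return kdc.sessions[principal] in wire

def demo() -> dict:
    real = KDC(REALM, USERS, seal, unseal)
    bad, _ = login(real, "alice", "wrong password", unseal)
    key, wire = login(real, "alice", "correct horse", unseal)
    results = {
        "wrong_password_fails": bad is None,
        "right_password_gets_session_key": key == real.sessions["alice"],
        "authenticator_accepted": real.check_authenticator("alice", seal(key, b"alice@" + REALM.encode())),
        "eavesdropper_learns_key": eavesdropper_learns_key(real, "alice", wire),
    }
    bones = KDC(REALM, USERS, bones_seal, bones_unseal)
    key, wire = login(bones, "alice", "wrong password", bones_unseal)
    results["bones_any_password_works"] = key == bones.sessions["alice"]
    results["bones_eavesdropper_learns_key"] = eavesdropper_learns_key(bones, "alice", wire)
    results["bones_forged_authenticator_accepted"] = bones.check_authenticator("alice", b"alice@" + REALM.encode())
    return results

if __name__ == "__main__":
    print(demo())
```

The point of splitting seal/unseal out as parameters is that it mirrors what bones actually is: the same protocol flow and the same call sites, with the routine behind them removed. Anyone adding their own cipher, as the README invites, replaces those two functions; the rest of the exchange is unchanged.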