SSH Encryption Licensing Issues

Secure Shell gives a variety of choices for data encryption.  Here is the current list according to the most recent RFC:

SSH_CIPHER_NONE   0      No encryption
SSH_CIPHER_IDEA   1      IDEA in CFB mode
SSH_CIPHER_DES    2      DES in CBC mode
SSH_CIPHER_3DES   3      Triple-DES in CBC mode
SSH_CIPHER_TSS    4      An experimental stream cipher
SSH_CIPHER_RC4    5      RC4

All implementations must support SSH_CIPHER_3DES; the rest are optional.  We'll also need an MD5 implementation for data integrity checking.  RSA is also used for initial authentication.
 
RSA provides RSAREF, a public library that allows you to use RSA encryption for non-profit uses.  Otherwise you need to license the RSA encryption technology from them.



 
Here's a small extraction from the Free Software Foundation's Other Project's Task List Page (the GNU wish list).  Notice which algorithms are legal to use and which are not.

Here's the licensing agreement that comes with the UNIX distribution of the SSH source.
 
5. General.

Some of the source code aggregated with this distribution is licensed by
third parties under different terms, so the restrictions above may not
apply to such components.

We do not imply to give any licenses to any patents or copyrights held by
third parties.  As far as we know, all included source code is used in
accordance with the relevant license agreements and can be used and
distributed freely for any purpose (the GNU license being the most
restrictive); see below for details.

The RSA algorithm and even the concept of public key encryption are
claimed to be patented in the United States.  These patents may interfere
with your right to use this software.  It is possible to compile the
software using the RSAREF2 library by giving --with-rsaref on the
configure command line. This may or may not make it legal to use this
software for non-commercial purposes in the United States (we have sent a
query about this to RSADSI (on July 10, 1995), but have not received a
final answer yet).  The RSAREF2 distribution is not included in this
distribution, but can be obtained from almost any ftp site world-wide
containing cryptographic materials.  Using RSAREF is not recommended
outside the United States.  See "http://www.cs.hut.fi/crypto/" if you have
trouble finding the RSAREF library.

The IDEA algorithm is claimed to be patented in the United States and
several other countries.  We have been told by Ascom-Tech (the patent
holder) that IDEA can be used freely for non-commercial use.  A copy of
their letter is at the end.  The software can be compiled without IDEA by
specifying the --without-idea option on the configure command line.

The DES implementation in this distribution is derived from the libdes
library by Eric Young <eay@mincom.oz.au>.  It can be used under the Gnu
General Public License (libdes-COPYING) or the Artistic License
(libdes-ARTISTIC), at your option.  See libdes-README for more
information. Eric Young has kindly given permission to distribute the
derived version under these terms.  The file crypt.c is fcrypt.c from
SSLeay-0.4.3a by Eric Young; he permits free use.

The GNU Multiple Precision Library, included in this release and linked
into the executable, is distributed under the GNU Library Public License.
A copy can be found in gmp-2.0/COPYING.LIB.

The zlib compression library is copyright Jean-loup Gailly and Mark Adler.
Anyone is permitted to use the library for any purpose.  A copy of the
license conditions can be found in zlib-1.0.4/README.

The make-ssh-known-hosts script was contributed by Tero Kivinen
<kivinen@niksula.hut.fi> and is distributed under the GNU General
Public License.  A copy can be found in gnu-COPYING-GPL.

Some files, such as memmove.c and random.c, are owned by the Regents of
the University of California, and can be freely used and distributed.
License terms are included in the affected files.  The file scp.c is
derived from code owned by the Regents of the University of California,
and can be used freely.

The TSS encryption algorithm implementation in tss.c is copyright Timo
Rinne <tri@iki.fi> and Cirion Oy.  It is used with permission, and
permission has been given for anyone to use it for any purpose as part of
SSH.

The MD5 implementation in md5.c was taken from PGP and is due to Colin
Plumb.  Comments in the file indicate that it is in the public domain.

The 32-bit CRC implementation in crc32.c is due to Gary S. Brown. Comments
in the file indicate it may be used for any purpose without restrictions.

In some countries, particularly France, Russia, Iraq, and Pakistan, it may
be illegal to use any encryption at all without a special permit, and the
rumor is that you cannot get a permit for any strong encryption.

If you are in the United States, you should be aware that while this
software was written outside the United States using information
publicly available everywhere, the United States Government may
consider it a criminal offence to export this software from the United
States once it has been imported.  The rumor is that "the federal
mandatory sentencing guidelines for this offence are 41 to 51 months
in federal prison".  The rumor says that the US government considers
putting the software available on an ftp site the same as exporting
it.  Contact the Office of Defence Trade Controls if you need more
information.  Also, please write to your congress and senate
representatives to get these silly and unconstitutional restrictions
dropped.

Note that any information and cryptographic algorithms used in this
software are publicly available on the Internet and at any major
bookstore, scientific library, and patent office world-wide.  More
information can be found e.g. at "http://www.cs.hut.fi/crypto/".

The legal status of this program is some combination of all these
permissions and restrictions.  Use only at your own responsibility. You
will be responsible for any legal consequences yourself; we are not making
any claims whether possessing or using this is legal or not in your
country, and we are not taking any responsibility on your behalf.

Below is a copy of a message that we received from Ascom, the holder of
the IDEA patent.

Date: Tue, 15 Aug 95 09:09:59 CET
From: IDEA@ascom.ch (Licensing Systec)
Encoding: 3001 Text
To: ylo@cs.hut.fi
Subject: Phone Call 15.8.95

     Dear Mr. Ylonen
 
     Thank you for your inquiry about the IDEA encryption algorithm.
     Please excuse the delay in answering your fax sent 26.6.95.
     Here is the information you requested :
 
     Non commercial use of IDEA is free. The following examples (regarding
     PGP) should clarify what we mean by commercial and non-commercial use
 
     Here are some examples of commercial use of PGP:
 
     1. When PGP is used for signing and/or encrypting e-mail messages
     exchanged between two corporations.
 
     2. When a consultant uses PGP for his communications with his client
     corporations.
 
     3. When a bank makes PGP available to its clients for telebanking and
     charges them money for it (directly or indirectly).
 
     4. When you use the software you receive from a company for commercial
     purposes (telebanking included).
 
 
     Some examples of non commercial use:
 
     1. When an individual uses PGP for his private communications.
 
     2. When an individual obtains PGP on the Internet and uses it for
     telebanking (assuming this is approved by the bank).
 
     3. When you use the software you receive from a company for private
     purposes (telebanking excluded).
 
 
     You may use IDEA freely within your software for non commercial use.
     If you include IDEA in your software, it must include the following
     copyright statement :
 
     1. Copyright and Licensing Statement
        IDEA(tm) is a trademark of Ascom Systec AG. There is no license fee
        required for non-commercial use. Commercial users of IDEA may
        obtain licensing information from Ascom Systec AG.
        e-mail: IDEA@ascom.ch
        fax: ++41 64 56 59 54
 
 
     For selling the software commercially a product license is required:
 
     The PRODUCT LICENSE gives a software developer the right to implement
     IDEA in a software product and to sell this product worldwide. With
     the PRODUCT LICENSE we supply a source listing in C and a software
     manual. We charge an initial fee per company and a percentage of sales
     of the software product or products (typically between .5 and 4 per
     cent of the sales price, depending on the price and the importance of
     IDEA for the product).
 
 
     For further information please do not hesitate to contact us.
 
     Best regards,
 
     Roland Weinhart
 
 
     Ascom Systec Ltd
     IDEA Licensing                    @@@@@ @@@@@ @@@@@ @@@@@ @@@@@@@
     Gewerbepark                           @ @     @     @   @ @  @  @
     CH-5506 Maegenwil                 @@@@@ @@@@@ @     @   @ @  @  @
     Switzerland                       @   @     @ @     @   @ @  @  @
     Phone ++41 64 56 59 54            @@@@@ @@@@@ @@@@@ @@@@@ @  @  @
     Fax   ++41 64 56 59 98



 
Here's additional information I've extracted from the docs.txt page of cryptlib, one of the freely available cryptographic libraries written in C.  It also gives a very good description of the various patent issues.

Patent Issues

This library contains a number of algorithms which are covered by patents.
These algorithms are Diffie-Hellman, DSA, IDEA, RC5, and RSA.  A number of
patent holders have very generously granted a license for royalty-free use of
the algorithms in the library under certain circumstances, as explained below.

Diffie-Hellman and DSA:

  The practice of Diffie-Hellman key exchange is covered by United States
  Patent No 4,200,770 ('Cryptographic Apparatus and Method') which expires in
  September 1997.  The Canadian equivalent expires in September 1998.

  The practice of all other public key algorithms is covered by United States
  Patent No 4,218,582 ('Public Key Cryptographic Apparatus and Method') which
  expires in October 1998.  Numerous equivalent patents have been issued in
  Europe and Japan which expire in October 1998.  These patents are licensed
  exclusively by Cylink Corporation of Sunnyvale, California.  Cylink has
  granted a license to all users of this library for non-commercial use,
  including research by non-profit institutions.  This means you may
  incorporate this library in software which is distributed for free, provided
  you include the following notice in the software and all collateral
  documentation which states:

  The use of the public key algorithms in this software is covered by US
  Patents No 4,200,770 ('Cryptographic Apparatus and Method') and 4,218,582
  ('Public Key Cryptographic Apparatus and Method') which are licensed
  exclusively by Cylink Corporation.

  In order to promote open standards for public key algorithms, Cylink has
  initiated a low cost licensing program for commercial use of public key.  For
  more information, contact Cylink's web page at www.cylink.com or e-mail
  legal@cylink.com.

IDEA:

  The IDEA algorithm is patented by Ascom Systec Ltd. of CH-5506 Maegenwil,
  Switzerland, who allow it to be used on a royalty-free basis for certain
  non-profit applications.  Commercial users must obtain a license from the
  company in order to use IDEA.  IDEA may be used on a royalty-free basis under
  the following conditions:

  Free use for private purposes:

  The free use of software containing the algorithm is strictly limited to non
  revenue generating data transfer between private individuals, ie not serving
  commercial purposes.  Requests by freeware developers to obtain a
  royalty-free license to spread an application program containing the
  algorithm for non-commercial purposes must be directed to Ascom.

  Special offer for shareware developers:

  There is a special waiver for shareware developers.  Such waiver eliminates
  the upfront fees as well as royalties for the first US$10,000 gross sales of
  a product containing the algorithm if and only if:

  1. The product is being sold for a minimum of US$10 and a maximum of US$50.
  2. The source code for the shareware is available to the public.

  Special conditions for research projects:

  The use of the algorithm in research projects is free provided that it serves
  the purpose of such project and within the project duration.  Any use of the
  algorithm after the termination of a project including activities resulting
  from a project and for purposes not directly related to the project requires
  a license.

  Ascom Tech requires the following notice to be included for freeware
  products:

  This software product contains the IDEA algorithm as described and claimed in
  US patent 5,214,703, EPO patent 0482154 (covering Austria, France, Germany,
  Italy, the Netherlands, Spain, Sweden, Switzerland, and the UK), and Japanese
  patent application 508119/1991, "Device for the conversion of a digital block
  and use of same" (hereinafter referred to as "the algorithm").  Any use of
  the algorithm for commercial purposes is thus subject to a license from Ascom
  Systec Ltd. of CH-5506 Maegenwil (Switzerland), being the patentee and sole
  owner of all rights, including the trademark IDEA.

  Commercial purposes shall mean any revenue generating purpose including but
  not limited to:

  i) Using the algorithm for company internal purposes (subject to a site
     license).

  ii) Incorporating the algorithm into any software and distributing such
      software and/or providing services relating thereto to others (subject to
      a product license).

  iii) Using a product containing the algorithm not covered by an IDEA license
       (subject to an end user license).

  All such end user license agreements are available exclusively from Ascom
  Systec Ltd and may be requested via the WWW at http://www.ascom.ch/systec or
  by email to idea@ascom.ch.

  Use other than for commercial purposes is strictly limited to non-revenue
  generating data transfer between private individuals.  The use by government
  agencies, non-profit organizations, etc is considered as use for commercial
  purposes but may be subject to special conditions.  Any misuse will be
  prosecuted.

RC5:

  The RC5 algorithm is patented by RSA Data Security Inc. 100 Marine Parkway,
  Redwood City, California 94065, ph.+1 415 595-8782, fax +1 415 595-1873, and
  cannot be used commercially in the US without a license.

RSA:

  The RSA algorithm is patented by RSA Data Security Inc. 100 Marine Parkway,
  Redwood City, California 94065, ph.+1 415 595-8782, fax +1 415 595-1873, and
  cannot be used commercially in the US without a license.  RSA licenses can
  most easily be obtained by waiting until the year 2000 when the patent
  expires.
 
 



Last Modified: November 23, 1997

Page Maintained by: Timothy Chen.  Opinions on this page should be freely ignored. Let us know if this page has been useful to you in some way.