Encryption Algorithms Widely Embedded in Open Source Software

Black Duck Export 5.0 Release Helps Developers Manage Export Compliance

WALTHAM, Mass., October 21, 2009 - Companies that use open source code in commercial products face a hidden threat from the undetected presence of encryption algorithms, says Black Duck Software, the leading global provider of products and services for accelerating software development through the managed use of open source software.

A search of the Black Duck® KnowledgeBase™, which contains information on more than 220,000 open source projects with tens of billions of lines of code, revealed that over 4,000 projects include encryption algorithms strong enough to require a filing with the US Department of Commerce Bureau of Industry and Security (BIS), if the code is exported from the US. From a regulatory perspective, companies assume responsibility for the encryption content of any open source code in their commercial products, whether sourced from the OSS community or developed in-house. Open source projects, on the other hand, are allowed to publish software containing encryption under license exception TSU. This special exemption is further explained in Black Duck's guide to export laws for open source software referenced below. Violators of US encryption export controls can be subject to significant fines and even imprisonment.

The Black Duck analysis also uncovered an additional 3,900 projects that could potentially require a BIS filing. For example, some projects use algorithms that support a variable key length that, if sufficiently strong, would fall under strict controls.

“Software that uses encryption, even common encryption for only a minor function, must comply with encryption export control requirements,” said export regulation compliance expert Benjamin H. Flowe, Partner, Berliner, Corcoran & Rowe, L.L.P. “It is awkward at best to discover encryption functions only after a company or project has been exporting code.”

The Black Duck analysis also identified the top encryption algorithms present in open source software.

Top 10 Encryption Algorithms Used in Open Source Projects

Algorithm         %     Type            Encryption Only
RSA              13%    Asymmetric
DSA               9%    Signature       *
DES               9%    Symmetric
MD5               8%    Hash            *
SHA               8%    Hash            *
Blowfish          6%    Symmetric
Diffie-Hellman    6%    Key agreement
HMAC              5%    MAC             *
ElGamal           5%    Asymmetric
AES               5%    Symmetric
Subtotal         74%
Other            26%
Total           100%

* Signature, hash or MAC primitive: provides authentication or integrity rather than encryption, but is still counted in the analysis.


Black Duck Export 5.0 Helps Developers Identify Encryption Algorithms

The release of Black Duck's analysis of encryption in open source projects coincides with the 5.0 release of Black Duck Export, a component of the Black Duck Suite that helps companies comply with export regulations by scanning software and identifying the encryption algorithms it contains. In today's multi-source development process, developers increasingly download and integrate open source code from the Internet, so they need tools that reveal what is in the code they use and control how it is used. Black Duck Export 5.0, which recognizes more than 450 encryption algorithms, has been updated for the latest changes to US export regulations to help companies address these challenges.
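As an added illustration of the kind of scan described above (this is example code written for this page, not Black Duck Export or any Black Duck code), the Python scanner below shows the two kinds of evidence such a tool can look for: contiguous runs of an algorithm's published magic constants, which survive renaming and decimal-versus-hex spelling, and suggestive identifiers, which are only a hint. It also carries the variable-key-length caveat from the analysis above (the 3,900 borderline projects) as a flag on each finding. The signature table, the sample file contents, the Finding/triage names and the triage wording are all constructed for this example and are not a legal determination of export status.

```python
"""Toy fingerprint scanner for cryptographic algorithm implementations in source.

Added example, not a Black Duck product or code. Two evidence tiers:
  constant   - a contiguous run of magic numbers from the algorithm's published
               specification (hard to rename; matched after parsing, so decimal
               and hex spellings are equivalent)
  identifier - a suggestive name such as RSA_sign (cheap, but only a hint)
"""
import re
from dataclasses import dataclass

# Hex literals anywhere; bare decimals only as whole words, so 'sha1' yields no 1.
INT_RE = re.compile(r"0x[0-9a-fA-F]+|\b\d+\b")
WORD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


@dataclass(frozen=True)
class Signature:
    algorithm: str
    kind: str             # category, as in the table above
    constants: tuple      # contiguous run of integer literals that must appear
    identifiers: tuple    # lower-case substrings of identifiers
    variable_key: bool    # key length is a parameter, so strength depends on use


SIGNATURES = (
    # First eight bytes of the AES S-box (FIPS 197).
    Signature("AES", "Symmetric", (0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5), ("aes", "rijndael"), False),
    # Blowfish P-array initialisation (hex digits of pi).
    Signature("Blowfish", "Symmetric", (0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344), ("blowfish", "bf_"), True),
    # MD5 sine table T[1..3] (RFC 1321). The initial state is shared with SHA-1, so it is not used.
    Signature("MD5", "Hash", (0xd76aa478, 0xe8c7b756, 0x242070db), ("md5",), False),
    # SHA-1 round constants K0..K3 (FIPS 180), again avoiding the shared IV.
    Signature("SHA-1", "Hash", (0x5a827999, 0x6ed9eba1, 0x8f1bbcdc, 0xca62c1d6), ("sha1",), False),
    # DES initial permutation IP, first row (FIPS 46-3); written in decimal in most sources.
    Signature("DES", "Symmetric", (58, 50, 42, 34, 26, 18, 10, 2), ("des_", "3des"), False),
    # Public-key code has no fixed constants and is recognisable only by names.
    Signature("RSA", "Asymmetric", (), ("rsa_",), True),
)


@dataclass(frozen=True)
class Finding:
    algorithm: str
    kind: str
    evidence: str          # "constant" or "identifier"
    variable_key: bool


def int_literals(text):
    """All integer literals in the text, parsed, in source order."""
    return [int(tok, 16) if tok.startswith("0x") else int(tok) for tok in INT_RE.findall(text)]


def has_run(seq, run):
    """True if the tuple `run` occurs contiguously in the list `seq`."""
    n = len(run)
    return n > 0 and any(tuple(seq[i:i + n]) == run for i in range(len(seq) - n + 1))


def scan_source(text):
    ints = int_literals(text)
    words = {w.lower() for w in WORD_RE.findall(text)}
    findings = []
    for sig in SIGNATURES:
        if has_run(ints, sig.constants):                      # strong evidence first
            findings.append(Finding(sig.algorithm, sig.kind, "constant", sig.variable_key))
        elif any(tag in w for w in words for tag in sig.identifiers):
            findings.append(Finding(sig.algorithm, sig.kind, "identifier", sig.variable_key))
    return findings


def triage(finding):
    """Illustrative review bucket only; not a legal determination."""
    if finding.evidence == "identifier":
        return "name only: confirm whether an implementation or a library call is present"
    if finding.variable_key:
        return "implementation present; status depends on the key lengths actually used"
    return "implementation present: assess for BIS filing"


def scan_tree(files):
    """files: {path: source text} -> {path: [Finding, ...]} for paths with hits."""
    return {path: hits for path, text in files.items() if (hits := scan_source(text))}


# Constructed sample inputs for this example (not real project files).
SAMPLE_FILES = {
    "crypto/aes_core.c": (
        "static const unsigned char sbox[256] = {\n"
        "    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b,\n"
        "    /* remaining entries omitted in this sample */\n};\n"
    ),
    "util/digest.c": (
        "/* round constants written in decimal; a grep for the hex spelling misses them */\n"
        "static const uint32_t K[4] = { 1518500249, 1859775393, 2400959708, 3395469782 };\n"
    ),
    "net/auth.c": (
        "#include <openssl/rsa.h>\n"
        "int sign_blob(RSA *key) { return RSA_sign(0, 0, 0, 0, 0, key); }\n"
    ),
    "math/pi.c": "double pi = 3.14159;\nunsigned seed = 0x243f6a88; /* one pi word is not a P-array */\n",
}

if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLE_FILES).items():
        for f in hits:
            print(f"{path}: {f.algorithm} ({f.kind}, {f.evidence}) -> {triage(f)}")
```

Running the block reports AES in aes_core.c and SHA-1 in digest.c on constant evidence, RSA in auth.c on name evidence only, and nothing for pi.c, where a single pi word is not a Blowfish P-array. The constant tier matches parsed integers rather than text, which is why the decimal SHA-1 table is still caught, and it uses round constants rather than the initial hash state because MD5 and SHA-1 share the same initial values. The identifier tier is noisy (a tag such as "aes" will also hit unrelated words), so a name-only hit is a prompt to inspect, not a result.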

“With software reuse on the rise, many companies are unaware of hidden encryption technology in their software product and the potential ramifications for exporting the product,” said Eran Strod, Director of Product Marketing, Black Duck Software. “Ballooning code bases pose challenges to uncovering hidden encryption algorithms. Black Duck Export enables companies to detect encryption vulnerabilities and comply with regulations proactively.” Filing requirements for open source projects are generally much simpler than those for commercial products that include open source code.

About Black Duck Software

Black Duck Software is the leading provider of products and services for automating the management, governance and secure use of open source software, at enterprise scale, in a multi-source development process. Black Duck™ enables companies to shorten time-to-market and reduce development costs while mitigating the management, security and compliance challenges associated with open source software. Black Duck Software powers Koders.com, the industry’s leading code search engine for open source, and is among the 500 largest software companies in the world, according to Softwaremag.com. The company is headquartered near Boston and has offices in San Francisco, Paris, Tokyo and Hong Kong, as well as distribution partners throughout the world.

Black Duck, Know Your Code and the Black Duck logo are registered trademarks of Black Duck Software, Inc. in the United States and other jurisdictions. Koders is a trademark of Black Duck Software, Inc. All other trademarks are the property of their respective holders.

Press Contacts

Peter Vescuso
Black Duck Software
press@blackducksoftware.com
+1 781-891-5100
Ann Dalrymple
TopazPartners
adalrymple@topazpartners.com
+1 781-404-2432
