SOURCE: Black Duck Software


October 21, 2009 09:45 ET

Encryption Algorithms Widely Embedded in Open Source Software, Says Black Duck Software

Black Duck Export 5.0 Release Helps Developers Manage Export Compliance

WALTHAM, MA--(Marketwire - October 21, 2009) - Companies that use open source code in commercial products face a hidden threat from the undetected presence of encryption algorithms, says Black Duck Software, the leading global provider of products and services for accelerating software development through the managed use of open source software.

A search of the Black Duck KnowledgeBase, which contains information on more than 220,000 open source projects with tens of billions of lines of code, revealed that over 4,000 projects include encryption algorithms strong enough to require a filing with the US Department of Commerce Bureau of Industry and Security (BIS), if the code is exported from the US. From a regulatory perspective, companies assume responsibility for the encryption content of any open source code in their commercial products, whether sourced from the OSS community or developed in-house. Open source projects, on the other hand, are allowed to publish software containing encryption under license exception TSU. This special exemption is further explained in Black Duck's guide to export laws for open source software referenced below. Violators of US encryption export controls can be subject to significant fines and even imprisonment.

The Black Duck analysis also uncovered an additional 3,900 projects that could potentially require a BIS filing. For example, some projects use algorithms that support a variable key length that, if sufficiently strong, would fall under strict controls.

"Software that uses encryption, even common encryption for only a minor function, must comply with encryption export control requirements," said export regulation compliance expert Benjamin H. Flowe, Partner, Berliner, Corcoran & Rowe, L.L.P. "It is awkward at best to discover encryption functions only after a company or project has been exporting code."

The Black Duck analysis also identified the top encryption algorithms present in open source software.

Top 10 Encryption Algorithms Used in Open Source Projects

Algorithm        Percent of all algorithms   Type            Used for encryption only
---------------  -------------------------   --------------  ------------------------
RSA              13%                         Asymmetric
DSA               9%                         Signature       *
DES               9%                         Symmetric
MD5               8%                         Hash            *
SHA               8%                         Hash            *
Blowfish          6%                         Symmetric
Diffie-Hellman    6%                         Key management
HMAC              5%                         MAC             *
ElGamal           5%                         Asymmetric
AES               5%                         Symmetric
---------------  -------------------------   --------------  ------------------------
Subtotal         74%
Other            26%
Total           100%

Black Duck Export 5.0 Helps Developers Identify Encryption Algorithms

The release of Black Duck's analysis of encryption in open source projects coincides with the 5.0 release of Black Duck Export, a component of the Black Duck Suite which assists companies in complying with export regulations by scanning software and identifying the presence of encryption algorithms. In today's multi-source development process, developers increasingly download and integrate open source from the Internet. Software tools are needed to assist developers in uncovering what's in the code they use and controlling its use. Black Duck Export 5.0, which features more than 450 encryption algorithms, has been enhanced with the latest changes to US export regulations to help companies address these challenges. More information on Black Duck Export may be found at

"With software reuse on the rise, many companies are unaware of hidden encryption technology in their software product and the potential ramifications for exporting the product," said Eran Strod, Director of Product Marketing, Black Duck Software. "Ballooning code bases pose challenges to uncovering hidden encryption algorithms. Black Duck Export enables companies to detect encryption vulnerabilities and comply with regulations proactively."

Filing requirements for open source projects are generally much simpler than those for commercial products that include open source code. To assist open source and multi-source developers in complying with applicable export regulations, Black Duck has developed the Guide to Encryption Export Compliance in an Open Source World, which can be downloaded for no cost from the Black Duck Website.

For up-to-date information on open source projects, including language use, popular search terms and license use, visit

About Black Duck Software

Black Duck Software is the leading provider of products and services for automating the management, governance and secure use of open source software, at enterprise scale, in a multi-source development process. Black Duck™ enables companies to shorten time-to-market and reduce development costs while mitigating the management, security and compliance challenges associated with open source software. Black Duck Software powers, the industry's leading code search engine for open source, and is among the 500 largest software companies in the world, according to The company is headquartered near Boston and has offices in San Francisco, Paris, Tokyo and Hong Kong, as well as distribution partners throughout the world. For more information, visit

Black Duck, Know Your Code and the Black Duck logo are registered trademarks of Black Duck Software, Inc. in the United States and other jurisdictions. Koders is a trademark of Black Duck Software, Inc. All other trademarks are the property of their respective holders.
