Last Updated 3 February 2001: Add USUC 20.

Cryptome for news
Ritter's Learning About Cryptography
Ritter's Crypto Glossary and Dictionary of Technical Cryptography
Program URL Notes
Cracking DES The Shmoo Group is proud to present...
for the first time...
available legally for download in the United States...
from the jurisdiction of the 9th US Circuit Court of Appeals...
USUC 2 Secure Office


Charles Booher's site, formerly under attack by the USG
Secure Remote Password (SRP) distribution A cryptographically secure remote-access suite, featuring Telnet and FTP with full strength 128-bit encryption. Open Source, unrestricted downloads.  Available from mirror sites worldwide.
PGP 2.62 Mirror of US military web site offering of PGP 2.62

Available also at USUC 1

Bernstein's Snuffle program, centerpiece of Bernstein v. USDOJ
GSM A5/1 A Pedagogical Implementation of A5/1
PGP 5.0 In Focus offering
GSM A5/1 and A5/2 A Pedagogical Implementation of A5/1 and A5/2
Des.c Ariel Glenn's offering of
Eric Young's des.c
Moola Shmoo's offering of
"Cracking DES," the book, and Bernstein's Snuffle; Eric Cordian's PERL crypto; and more
Crypto++ Wei Dai's Crypto++ Library
PGP 6.5.8
August 26, 2000: CAUTION -- Do not use v6.5.2a due to ADK bug. See:

Use instead:

PGPFreeware v6.5.8 Windows 95/98/NT/2000

PGPfreeware 6.5.8 Windows 95/98/NT/2000 and
which have ADK-bug fixed.
Speak Freely Brian Wiles'
Speak Freely
Internet Telephone

Site Michael Paul Johnson's Encryption Algorithms
Diamond 2 Block Cipher source code in

Diamond 2 Block Cipher and Sapphire II Stream Cipher Delphi Component in

One-time pad source code in

Crypto shareware object code in

Ruby Mark 5 Hash Cipher source code in

Sapphire II Stream Cipher source code in

Pretty Good Privacy Source Code

Version 6.0.2 Macintosh source code and signature

Version 6.0.2 Windows source code and signature


RSAEuro RSA toolkit

Kerebos by Michael Paul Johnson
Variety Open list of crypto offerings
PKI This is the source code that Netscape used in Communicator and is now used in the iPlanet servers (
CP4Break CP4Break by Eddy Jansson and Matthew Skala
MIT Kerberos V5 release 1.2.1 In order to provide people outside the US with access to open source cryptography, the Cryptography Publishing Project is making MIT Kerberos V5 release 1.2.1 available without restriction, in compliance with the changes in US export regulations since January, 2000.

The Project was started to make open source cryptographic software freely available in situations where it is difficult to obtain the software from its original authors.

PGP 7.0.3
PGP Freeware v 7.0.3 Windows (7.5 MB)
PGP Freeware v 7.0.3 MacOS (6.2 MB)
PGP Freeware 7.0.3
Country URL Notes
Australia 1  
Australia 1  
Australia 2 No access logging
Australia 3

A seriously vast array of other security and cryptography related material

AusMac Crypto Library

Austria 1 Stuff related to crypto
Austria 2 Stuff related to steganography
Austria 3 For very welcome contributions of all sorts: binaries, texts, sources, etc. related to cryptography, cryptanalysis, steganography, information hiding, etc.
Brazil 1 Selected links, public domain crypto software, mostly related to elliptic curves and block ciphers
Brazil 2 NOTICE: Neither Novaware nor this site are subject to restrictions from the Wassenaar Agreement on the control of Cryptography
Brazil 3 Cryptix mirror
Canada 1 CanCrypt, a directory of Canadian cryptographic resources. It is intended to be a clearing house of Canadian related cryptographic resources.

Although the relaxing of US export regulations has reduced some of its importance, Canada still has a more liberal cryptographic policy for export and usage. Compared to both the USA (re: export) and UK (re: RIP) it is very crypto-friendly.

233MB+; Apache-SSL, SSLeay, cryptlib, freeswan, gnupg, mozilla-crypto, pgpi, ssh, more

Canada 2  
Canada 3

See for access procedure:

Canada 4 224! PGP and Privacy Links
Canada 5
Croatia 1  
Denmark 1 Assorted PGP Freeware
Finland 1 Multiple Sources
Finland 2 PGP, symmetric and asymmetric encryption, crypto libraries, papers 
Finland 3 International PGP Home Page
Finland 4  
France 1 L'utilisation du chiffrement en France
France 2 GnuPG
PGP Sendmail v1.4
Auto PGP 1.04
PGP 2.6.3is
PGP 5.0-b8
France 3 "Liberte pour la cryptographie internationale." UK Mirror, 10MB. PGP, DOS & Unix versions, sources, GNUPG, ScramDisk, the PGP 6.0 & 2.62 french manuals, etc. All are freeware and none have been exported from USA (only PGP international versions). 
France 4 A French version of ScramDisk, the famous hard disk encryption program for Windows 95/98 written by Aman & Sam Simpson. Fabien Petitcolas, a cryptographer from Cambridge University (UK), supervised this work:
Germany 1  
Germany 2  
Germany 3  
Germany 4 Disk and file encryption, PGP, stego, voice encryption
Germany 5 SSL site
Germany 6 The GNU Privacy Guard
Germany 7

Autosyncing mirrors:  -- Amsterdam Science Park, The Netherlands -- Ottawa, Canada -- Sydney, Australia -- Oxford, UK -- Italy (Files-only mirror)

munitions is a mega-archive of cryptographic software for the linux operating system. here you'll find free software tools for building and maintaining secure, tamperproof linux installations and achieving electronic privacy in the highly intrusive networked environments of today.

<network> <data haven> <email> <anonymizers> <secure ip> <secure tcp> <ssh> <ssl> <www> <key mgmt> <libraries> <maths> <pgp> <gnupg> <system> <kernel> <kerberos> <unix> <password> <filesystem> <steganography> <voice>

Hong Kong 1; or, if broken; or, if also busted

Mirrors of; (SSLeay and SSH); Fortify; and the Speakfree distribution from 
About 180 Mb. More stuff will be hopefully added later.
Hungary 1

Full description:

SSH, SSL, SSL applications, libdes, OPIE, PGP, SRP and other non-cryptographical-security tools.
Ireland 1 Contains SSH, SSL, SSL apps, PGPI. More to come.
Italy 1  
Japan 1 Tsuruta's MacPGP Page
Kyrgyzstan 1  
Netherlands 1 Apache, Applied Crypto files, encryption, Java, PGP, remailers, security, voice encryption files 
Netherlands 2  
Netherlands 3 Crypto++ 3.0, a major revision of a free C++ class library of cryptographic primitives.
Netherlands 4 GSM A5/1 and A5/2.
New Zealand 1 A Comprehensive List of Worldwide Sources
New Zealand 2

(Not yet active; meanwhile see NZ 1 above)

Peter Gutmann: This currently contains a mostly blank page because it'll take a few days to get things set up, but I thought I'd get the ball rolling.  Once it's ready I'll use it to make all sorts of crypto available to anyone anywhere until ordered by a NZ court to stop doing so (this is a long way removed from being ordered by the Ministry of Foreign Affairs and Trade to stop doing so), or alternatively until the machine sh*ts itself and dies, which may happen somewhat sooner :-).

The archives (when ready) will be stored on a machine for which accesses are not logged.  It may also allow SSL access (with strong encryption, obviously), which will include making available dummy files of various sizes so that it's not possible to prove (based on traffic analysis) exactly what was downloaded ("Crypto? Certainly not, I was downloading this paper on the history of Ethiopian pottery in 4000BC").

Norway 1  
Norway 2 Main distribution site for crypt() in glibc
Norway 3  (the same as Main distribution site for pgpi
Norway 4
PGP International  Mirrors
Norway 5
( which is which is )
Main distribution site for the international kernel patch for Linux
(collection of crypto-patches for the linux kernel)
Russia 1  
Spain 1  
Spain 2 Criptología by Jesús Cea Avión
Sweden 1 Swedish University Network Security Archives
Switzerland 1 IBM Zurich Security and Cryptography Sources
Switzerland 2
Gerrit Bleumer's Cryptography Enhanced Products
United Kingdom 1 DES, SSL, cryptanalysis, documentation, PGP, miscellaneous 
United Kingdom 2 Adam Back's Resources
United Kingdom 3 Ross Anderson's FTP Sources
United Kingdom 4 pgutlinks.html 245K
SSLeay-0.9.0b.tar.gz 1.3M
crypto-free.htm 28K
Fortify-README 2K
Fortify-1.3.1-unix-x86.tar.gz 372K
apache_1.3.3+ssl_1.29.tar.gz 37K 394K
nhs-rpt.wp 88K
aba_zergo.txt 142K
bnlib.tar.gz 142K
cfs-1.3.3bf-1.i386.rpm.tar.gz 192K
crypto.html 8K
ssh 1.2.27

United Kingdom 5 The Bunker open source FTP repository is housed in an ex-military data centre, buried deep below the earth in a nuclear, chemical and biological warfare proof bunker.

SSLapps, SSLeay, argus, crack5, cracklib, MD5, SHA, l6, satan, ssh, stunnel, syn, tcp_wrappers, more coming.

United States 1

North American Cryptography Archives. Archive of crypto software, only available from the US and Canada. Crypto++ 3.0, a major revision of a free C++ class library of cryptographic primitives.
United States 2 Crypto Sites Outside North America
United States 3 Quadralay Cryptography Archive
United States 4 Ron Rivest's Links
United States 5

Packet Storm is now owned by Kroll-O'Gara, an international security corporation, thanks to the cowardice of Harvard University and LEA-tool AntiOnline Ahole. The archive is to be activated in September 1999 (stripped of offensive stuff; too bad, RIP Infamous Original Packet Storm):

Tattooman has blessed this "re-education," but beware of being snooped at the new site. Tattooman has zipped-lip since what smells like a forced confession.

Maintainer:  Ken Williams. Contents:  Crypto Libraries, SecureOffice, Source Code for all AES Candidates, Applied Crypto, Cryptanalysis, GnuPG, Kerberos, PGP, Skip, Snow, Snuffle, SSH, Steganography, Voice Encryption, source code, crypto papers, much more, and more on the way. Size: 300+ MB, 2000+ files, and growing every day.
United States 6  URL revised 29 November 2000
United States 7 Crypto++ 3.0, a major revision of a free C++ class library of cryptographic primitives.
United States 8 Nautilus, with links to non-US sites.
United States 9 Bruce Schneier's Sources for Software and Source Code
United States 10 Carl Ellison's FTP Sources
United States 11 Neil Johnson's Cryptography and Encryption Sources
United States 12 Adam Shostack's Cryptographic Libraries
United States 13 Terry Ritter's Codes, Links, Tutorials
United States 14 Crypto-Log: Codes, papers and policies
United States 15 Paul Kocher's Cryptography Resources Online
United States 16 Mirror of this page, updated 4 times daily.
United States 17 PGP Crypto: QDPGP, XCrypt, MAilPGP, Peics
United States 18 The A.R.G.O.N. Security and Crypto Site
United States 19 John Perry's PGPdomo for secure mailing lists, and other programs
United States 20 CryptoCards - strong encryption with deck of cards
United States 21 PR0 Death's PGP Message Shifter Applet
United States 22
United States 23 Phil Karn's Software Packages and Utilities

ACE demod - Software demodulator for Advanced Composition Explorer spacecraft telemetry
psn-patch - Linux kernel patch to disable Pentium III CPU serial number
cpuid - x86 CPU identification utility
FEC - Forward error correction with Reed-Solomon, Viterbi and Fano algorithms updated 5/99
httproute - Web router, ad blocker, cache & cookie cutter
dupmerge - Merge duplicate files in a filesystem
KA9Q NOS - Self-contained TCP/IP stack for DOS
firs.s - Finite impulse response filter for x86
DES - Fast implementation of DES/3DES in x86 asm

US 24 US Navy offers Netscape with 128-bit crypto. More programs in other directories.
US 25 Brookhaven National Laboratory offers IRIS ELF for PGP 2.62
Note 1: John Gilmore's proposal is to mirror the contents of cryptography sites not just the URLs.

We've been asked what to mirror if it is not possible to mirror large archives (200 MB and up), or you can't easily decide which programs are most important.

John Gilmore recommends:

The top things I'd suggest for a mirror site are (see sources at sites above):
PGP source code (various versions)
Matching PGP binaries (for easy downloading and use)
SSH source code and matching binaries
SSLEAY - Eric Young's crypto library from Australia
Kerberos source code (various versions)
IPSEC source code (various versions for BSD and Linux)
Crypto-Mozilla source code (web browser with good crypto)
DNS Security source code (domain name with good crypto)

My criterion for these things is:  what building blocks will people be able to use every day to improve their privacy?  And then, what pieces of infrastructure will permit people to build secure networks that protect their users?

At first, the archives will be "rough and ready", but as people worldwide start writing documentation, e.g. "How to secure your MS-Windows system using this archive", "How to secure your Linux system", etc, it will become easier for the end users.

Jim Gillogly recommends:

One way to determine which programs are the best for this purpose would be to study what various governments have taken some action on.  Some obvious ones (See US 5):
PGP (various versions, high level of government interest)
Snuffle (extended US litigation against Daniel Bernstein)
All the AES candidates (strictly-controlled dissemination from NIST)
SecureOffice (Charles Booher's program -- US government has taken action)
Applied Cryptography disk (US export license denied Phil Karn)

It would also be nice to have an infrastructural component, such as (when ready for mass distribution) the Linux/FreeSWAN IPSec release; this doesn't have quite the cachet of programs on which the government has already weighed in, though.

Jim Choate recommends that cryptography documentation be mirrored to encourage understanding and creation of strong encryption -- the best assurance that it will grow and spread.

Mirror whatever you can until better advice for selections comes along. Prime need: many mirrors of the strongest cryptography, especially anything allowing the use of key lengths above 40 bits, that is, anything that requires a US export license for general public use (the US standard appears to be the model for the latest Wassenaar restrictions). Next, mirror any program that appears to be a target for the latest Wassenaar restrictions as they may be implemented in your country.

For complaints about the restrictions on privacy to be implemented due to US pressure, contact your government's cryptography control ministry:

Note 2: Please forward news and information on the recent Wassenaar Arrangement restrictions in your country to John Young <>. Anonymous and encrypted messages welcome. PGP public keys of John Young. Check Cryptome for news.

Note 3: For information on cryptography export issues see:

Global Internet Liberty Campaign (GILC)

EFF "Privacy - Crypto - ITAR Export Restrictions" Archive

John Gilmore's Cryptography Export Control Archives

Note 4: More mirror sites are needed in countries which are not members of the Wassenaar Arrangement so that when the doors are slammed shut by new WA laws there will still be free sources of strong encryption. For list of WA members see:

Note 5:

From: Richard Stallman <>
Subject: Encryption software volunteers needed in countries without 
         export control

We need to find volunteers in countries which are not signatories to
Wassenaar to take over development and distribution of encryption 
software such as the GNU Privacy Guard and PSST.  We are looking for 
(1) an ftp site from which to distribute the software, and (2) people 
to carry on the development work.

If you have contacts in any non-signatory country, please circulate
this message as widely as possible in your country, looking for people
who might want to volunteer for GNU software development.
Non-signatory countries that come to mind as possible places where
free encryption software can be developed include Mexico, India,
Croatia, China, South Africa, and perhaps Israel.  However, any
country is ok if its laws do not prevent the work.

"Declan: This point is worth clarifying.  The new regs remove restrictions from the posting of publicly available encryption source code for downloading.  The regs say:

a) If you post encryption source code to a site on the net and anyone can access it, you do not need to have it reviewed by BXA or obtain a license.

b) Simply posting this "publicly available" encryption source code does not count as an export and does not trigger all the terrorist sanctions and other requirements created by various Federal sanctions laws.

(what this means is that if you post some code and Saddam Hussein downloads it, you are not liable.  If Saddam calls you up and asks you to e-mail him the code, and you send the e-mail without applying for and receiving a license, you are liable).

c)  You do need to send BXA an E-mail with the internet location of the posted source code and you are prohibited from sending (as opposed to posting) the encryption source code to a terrorist country or an individual on one of our denial lists.

d) if a foreign person makes a new product with the source code you've posted, there are no review or licensing requirements for that foreign product.  If they pay you a royalty or licensing fee for a product they've developed for commercial sale, however, you may have to report some information to BXA.

It appears that the only requirement for Mr. Young is to notify us of the location of the source code ("

-- James Lewis, BXA, BXA On "Is this man a crypto-criminal?", January 18, 2000

   "The EAR is amended as follows:
    1. In Sec. 734.2, Important EAR Terms and Principles, unrestricted
encryption source code under Sec. 740.13(e), commercial encryption
source code under Sec. 740.17(a)(5)(i) and retail products under
Sec. 740.17(a)(3) are exempted from Internet download screening
requirements in Sec. 734.2 (b)(9)(iii). A revised screening mechanism
for other encryption products exported to government end-users is
added. Please note that Sec. 734.2(b)(9) contains the relevant
definitions for the export of encryption source code and object code
software. In addition, cross-referencing changes are made to
Secs. 734.7, 734.8, and 734.9.
    2. In Sec. 740.13, Technology and Software Unrestricted, changes
are made to reflect amendments to the Wassenaar Arrangement.
Specifically, encryption software is no longer eligible for mass market
treatment under the General Software Note. Encryption commodities and
software are now eligible for mass market treatment under the new
Cryptography Note in Category 5--Part 2 of the CCL. This Note
multilaterally decontrols mass market encryption commodities and
software up to and including 64-bits. Such products, after review and
classification by BXA, are classified under Export Commodity Control
Numbers (ECCNs) 5A992 or 5D992, thereby releasing them from ``EI''
(Encryption Items) and ``NS'' (National Security) controls, and making
them eligible for export and reexport to all destinations (see
Sec. 742.15(b)(1)(iii) of the EAR). Once mass market encryption
software and commodities are released from ``EI'' controls they may be
eligible for de minimis and publicly available treatment (see part 734
of the EAR).
    3. Also in Sec. 740.13, to, in part, take into account the ``open
source'' approach to software development, unrestricted encryption
source code not subject to an express agreement for the payment of a
licensing fee or royalty for commercial production or sale of any
product developed using the source code can, without review, be
released from ``EI'' controls and exported and reexported under License
Exception TSU. Intellectual property protection (e.g., copyright,
patent, or trademark) would not, by itself, be construed as an express
agreement for the payment of a licensing fee or royalty for commercial
production or sale of any product developed using the source code. To
qualify, exporters must notify BXA of the Internet location (e.g., URL
or Internet address) or provide a copy of the source code by the time
of export. These notifications are only required for the initial
export; there are no notification requirements for end-users
subsequently using the source code. Notification can be made by e-mail

-- Bureau of Export Administration, Revisions to Encryption Items, January 14, 2000

"Q Mr. Marshall, on her point, please.  The head of the DEA and the FBI have repeatedly -- and Ms. Reno -- have repeatedly warned of the dangers of not being able to break the codes of criminals.  And of course encryption legislation is being debated at length. Is this an indication that maybe that's not so great a problem after all?

MR. MARSHALL (Drug Enforcement Administration): Well, that was not a significant impediment in this particular investigation.  We've encountered that in many, many other investigations. We're encountering it ever more frequently. And we hope that we don't lose the ability to intercept encrypted communications.

ATTY. GEN. RENO: I would point out -- I would point out in that regard that in this instance, it was not an obstacle.  But as more and more drug traffickers and others engaged in organized crime and other activities, including terrorism, encrypt their communication, it is going to be more and more difficult for law enforcement.  And that is the reason it is so important law enforcement work with the private sector and with others to ensure the protection of our national security interests and to make sure that we balance the privacy concerns that are so important with law enforcement's legitimate concerns."

-- DoJ Press Conference, Arrest of Colombian Drug Traffickers in Operation Millennium, October 13, 1999

"Much work remains to be done. In particular, I believe we must soon address the risks posed by electronic distribution of encryption software. Although the Wassenaar Nations have now reached agreement to control the distribution of mass market encryption software of certain cryptographic strength, some Wassenaar Nations continue not to control encryption software that is distributed over the Internet, either because the software is in the 'public domain' or because those Nations do not control distribution of intangible items. While I recognize that this issue is controversial, unless we address this situation, use of the Internet to distribute encryption products will render Wassenaar's controls immaterial."

-- US Attorney General Janet Reno, Ban Encryption on the Internet, May, 1999

"Never has our ability to shield our affairs from prying eyes been at such a low ebb. The availability and use of secure encryption may offer an opportunity to reclaim some portion of the privacy we have lost. Government efforts to control encryption thus may well implicate not only the First Amendment rights of cryptographers intent on pushing the boundaries of their science, but also the constitutional rights of each of us as potential recipients of encryption's bounty."

-- US Appeals Court Judge Betty Fletcher, in the Bernstein opinion, May 6, 1999.

New US section for:

Heeding Hugh Daniels' call today to let 1,000 US crypto sites flower
free of unconstitutional encryption export restrictions in the light of
the May 6 Bernstein opinion, we invite contributions of
unlimited-strength encryption programs and/or links to such programs
for the new US unrestricted cryptography section here. See also
formerly restricted US sites below.

Dec. 3 Wassenaar Arrangement Lists in original DOC format and HTML format
Encryption and Security Tutorial
Free Crypto Logos
Free Crypto Org
