Anand Abhyankar <anand@querisoft.com> asked:
1) is it illegal to develop an encryption tool (s/w) outside the US which uses > 40 bit size session keys and then import that s/w inside of the US.
anand....
Hi Anand, Nope! Unless there are export controls in India, your wizards in Bombay or Dehli (pardon, I forget) can offer their US customers the full and unrestricted product of their creativity and genius in algorithms, crypto implementations, and/or crypto protocols. There are no restrictions on encryption software being _imported_ into the US, nor are there (at the moment <sigh>) any legal (as opposed to patent or copyright) restrictions on any encryption software of any strength being _used_ in the US. For that matter, there are no restrictions on encrypted data being transmitted across the US border. And (while it may require a license, apparently an exemption for the product, as opposed to a sales-by-sale license) there are seemingly no -- or at least less -- restrictions on the use of specialized encryption products (within the US) which can generate a "self-decrypting" secure packet which can be transmitted (cross-border, outside the US) and opened, anywhere, by a recipient who has been provided with a password/key out of band. That is how RSA's SecurPC has been able to offer full 128-bit RC4 encryption to secure US-to-Anywhere international file transfers. (As with DES, the US Govt is apparently trying to control the export of a full implementation package -- not the international distribution of a widely-known algorithm, per se. As I understand it, the self-decrypting PCSecure packet does not contain the user interface which allows automatic encryption, the interface can only decrypt. The RC4 algorithm, of course, has to be included in the transmission, and it is inherently reversible -- only the user interface is "crippled" to restrict its use to encrypt. Corrections welcome, if I don't have this exactly right.) The international traffic in self-decrypting "128-bit" products is separate and distinct from the issues involved in the recent modifications of the US export regs, which allow vendors to get approval to export a 56-bit secret-key encryption product (eg. RC4, RC5, or DES) only if the vendor submits a concrete plan, and schedule of implementation, to redesign their (export) product to require key-escrow or trusted-party key-recovery/storage. (In addition whatever recovery key is required by corporate backup policies, this is also, obviously, a mechanism for GAK, "government access to keys" --under US law, hopefully with a court warrant -- and/or whatever backup/key-recovery/GAK-access mechanism might be required various other nations in which those products will be imported, used, or transhipped from.) And with those GAK-adapted implementations, the US govt. will then approve, for the first time, general export of robust 128-bit secret-key products... as they reportedly have for Open Market's SSL, and TIS and Digital crypto products. I hope this is helpful, Suerte, _Vin