Re: Solution for US/Foreign Software?
1. Write a program with limited encryption (40 bit?), with the encryption module in a file external to the main program.
2. Get export approval for this program.
3. Write a module which replaces the encryption file, increasing key size to whatever you REALLY wanted in the first place. (128-bit IDEA, 2000-bit PGP, etc.)
4. Ship that new module with the old software to US customers.

Naturally, that new module will "leak," so anybody who buys the old program out of the country can convert to a fully-functional version by downloading it from a foreign bbs that just happens to have it. The module can be encrypted/signed by the manufacturer so everyone can be sure of its identity and genuineness.
Better than nothing, I suppose.
"Crypto hooks," basically the scheme you are proposing, were thought of by the authorities and are not a bypass of the crypto export laws. --Tim May
I'm not saying they are a "bypass" of the laws. Rather, I'm saying that if the goal is to:

1. Let companies like Netscape make foreign sales.
2. Still comply with the letter of the law.

Then this would be an excellent way to achieve both those goals. (I accept as axiomatic that if the only exportable encryption is GAKked, they're not going to be viewed seriously as a product. A way around GAK would actually increase their profits.)

BTW, the fact that they might be "thought of" by the authorities is not going to be enough to stop them. If the USG claims that it WILL approve GAK-ified software, it is unclear how they will decide if a given program qualifies. Since every program of length "N" is only an XOR away from every OTHER program of length "N", modifying or disabling this software is always possible.

Remember, the reason (or, at least, one of them!) they put Clipper into a physical chip as opposed to releasing the algorithm was to prevent modifications that would subvert the algorithm. Their decision to allow software key-escrow presumably forces them to accept certain possibilities they otherwise wanted to avoid.

If the USG tries to take the position that "any program which can be modified into another program that gets around GAK is prohibited from export," then they're going to have to stop allowing the export of pre-formatted floppy disks because they're likewise an XOR away from PGP. So we're back to square one: Does the USG intend to allow ANY programs to be exported?
One potential "clean room" solution would be to publish precise interface specifications for the product. Overseas vendors and users could produce their own patches that match the interface. This is of course a kind of "hook", and the gov may sabre-rattle about it but I doubt it will stand up in court. Certainly publishing specs is no different than publishing "Applied Cryptography".

Jay Holovacs <holovacs@ios.com>
PGP Key fingerprint = AC 29 C8 7A E4 2D 07 27 AE CA 99 4A F6 59 87 90 (KEY id 1024/80E4AA05) email me for key
I'm not saying they are a "bypass" of the laws. Rather, I'm saying that if the goal is to:
1. Let companies like Netscape make foreign sales.
2. Still comply with the letter of the law.
It takes more than one or two people to coordinate an international effort. Once more than a few people know about it, it becomes "company policy" or "corporate objective", in which case, the NSA/DoS will eventually figure it out and start levying heavy fines and jailing the individuals.

The main point is that there is no such thing as the "letter of the law". What they enforce is much broader than that, and how they enforce it is much more subtle than clear-cut criminal prosecution. Therefore, you cannot just use literal loopholes just because it's not clear, because the law they are enforcing is not clear either.

This response should almost be an FAQ for this crowd.

Ern
Participants (3): Ernest Hua, Jay Holovacs, jimbell@pacifier.com