Re: rc2 export limits..
keywords: ITAR, SHA, beneficial and innocuous crypto

The persistent reputation known as Bill Stewart wrote:

Date: Wed, 04 Sep 1996 23:09:17 -0700
From: Bill Stewart <stewarts@ix.netcom.com>
To: Kent Briggs <72124.3234@compuserve.com>
Cc: cypherpunks@toad.com
Subject: Re: rc2 export limits..

I'm afraid my source is "Read it on the net and was surprised to hear it". My assumption is that the limit is for software that implements both signature and verification, since ITAR doesn't ban export of pure-authentication software.

The FIPS Pub (?180? ?181?) for the Secure Hash Algorithm (SHA) states in the fine print at the beginning that SHA is export controlled. I don't have the document to refer to right now, but it plainly states that SHA falls under ITAR. As a cryptographic hash function, why would it be controlled in this way?

How can I use SHA to encrypt something for someone else to decrypt? I know how to use it for authentication; am I missing something here?

ANFSCD:

I tried that OnNet32 e-mail software from FTP software. It runs under Windows95. It is a lot of material to download, and way too intrusive to install. It wants to metastasize itself into the innards of Microsoft Exchange and Inboxes, etc. What is it with all this complexity anyway? Why not just have a POP client that will check mail on the server?

It also wants you to store your mailbox password in it, as opposed to letting you enter it on a session-by-session basis. I don't like that.

sticking with PINE, PGP, and Xywrite II for now....
"P. J. Ponder" writes:
The FIPS Pub (?180? ?181?) for the Secure Hash Algorithm (SHA) states in the fine print at the beginning that SHA is export controlled. I don't have the document to refer to right now, but it plainly states that SHA falls under ITAR. As a cryptographic hash function, why would it be controlled in this way?
Because the feds aren't stupid -- they know you can use any good hash algorithm as the core for a block cipher.

Perry
keywords: block cipher, Bruce Schneier, SHA, ITAR

Thanks to Perry Metzger and Andrew Loewenstern for their responses to my question, viz: Why is SHA export controlled? I should always check _Applied Cryptography_ first before I ask a question. And I guess now that I have two copies, I could leave the red one at the office and bring the blue one home.

I didn't reply to Andrew Loewenstern and Perry Metzger separately, because I think they both read the list, and I think replying to both might be bad form in those cases where the person is known to read the list.

On the subject of anonymity, maybe some folks have yet to understand the binary nature of it. If there are exceptions to anonymous writing that can be enforced against the writer, then it's over. Either others will be able to compel discovery of anonymous writers' True Names or they won't. If methods exist that permit writers to remain anonymous with very high degrees of assurance that their true identities will not be found out, then we will have anonymity. It's either one or the other. Anonymity can be used to produce hate speech, lies, posting of intellectual property, and other things that many of us would rather not see. But, that is the price of having anonymity where it is needed and valuable.
P J Ponder writes:
How can I use SHA to encrypt something for someone else to decrypt? I know how to use it for authentication; am I missing something here?
Check Applied Cryptography for info on ciphers such as "Karn", "Luby-Rackoff", and "MDC" ... These are encryption algorithms that use one-way hashes as their block functions.

Attached is a version of the Karn cipher I implemented as an export-a-crypt-system .sig a while back... I used python because it's my favorite language and has MD5 built-in. I implemented the Karn cipher since it was the simplest (and therefore shortest) of the MD ciphers, not because it's the most secure.

andrew

#!/usr/local/bin/python -- -export-a-crypt-system MD5 CBC-mode Karn Cipher
# Python 1.5/2.x code: the md5 and string modules it imports are gone in Python 3.
# Block = 32 bytes in two 16-byte halves; key halves K,k = md5(KEY)[:8],[8:]; IV halves il,ir = md5(IV).
from md5 import *;from sys import *;from string import *;M=md5;il=ir=M(argv[3]\
).digest();ki=M(argv[2]).digest();K,k=ki[:8],ki[8:];p=stdin.read(32);c={'-e':'\
l=x(l,il);r=x(r,ir);R=x(M(l+K).digest(),r);L=x(M(R+k).digest(),l);il=L;ir=R','\
-d':'L=x(M(r+k).digest(),l);R=x(M(L+K).digest(),r);L=x(L,il);R=x(R,ir);ir=r;il\
=l'};main="def x(a,b):return joinfields(map(lambda m,n:chr(m^n),map(lambda m:o\
rd(m),a),map(lambda m:ord(m),b)),'');\nwhile(p):p=ljust(p,32);l,r=p[:16],p[16:\
];exec(c[argv[1]]);stdout.write(L+R);p=stdin.read(32)";exec(main)
#try: echo 'TESTING 1 2 3' | karn -e 'key' 'I-V' | karn -d 'key' 'I-V'
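As an added example (not Andrew's .sig and not Karn's reference code), here is a Python 3 port of the construction above with the hash as a parameter: run it with "sha1" or "sha256" instead of "md5" and the pure-authentication primitive from Ponder's question is a working CBC-mode cipher, which is Perry's point. The Karn class and roundtrip helper are names of my own; the space padding and the absence of any integrity check are carried over from the .sig, so it is a teaching construction, not something to deploy.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:  # the x() helper in the .sig
    return bytes(x ^ y for x, y in zip(a, b))


class Karn:
    """Two-round Karn cipher with a hash as round function, in CBC mode.
    Block = two digest-sized halves, key halves K, k = hash(key) split in two,
    chaining state il, ir = hash(iv). Any hashlib name works (MD5 as posted,
    or SHA-1/SHA-256), which is the point of Perry's answer.
    """

    def __init__(self, key: bytes, iv: bytes, hash_name: str = "md5"):
        self._h = lambda data: hashlib.new(hash_name, data).digest()
        self.n = hashlib.new(hash_name).digest_size      # half-block size
        kd = self._h(key)
        self.K, self.k = kd[: self.n // 2], kd[self.n // 2 :]
        self.il = self.ir = self._h(iv)

    def _enc_block(self, l: bytes, r: bytes) -> bytes:
        l, r = _xor(l, self.il), _xor(r, self.ir)        # chain previous block
        R = _xor(self._h(l + self.K), r)                 # round 1: R = H(l||K) ^ r
        L = _xor(self._h(R + self.k), l)                 # round 2: L = H(R||k) ^ l
        self.il, self.ir = L, R
        return L + R

    def _dec_block(self, L: bytes, R: bytes) -> bytes:
        l = _xor(self._h(R + self.k), L)                 # undo round 2
        r = _xor(self._h(l + self.K), R)                 # undo round 1
        l, r = _xor(l, self.il), _xor(r, self.ir)        # unchain
        self.il, self.ir = L, R                          # chain on ciphertext halves
        return l + r

    def _run(self, data: bytes, fn) -> bytes:
        blk, out = 2 * self.n, b""
        for i in range(0, len(data), blk):
            p = data[i : i + blk].ljust(blk, b" ")       # space padding, as in the .sig
            out += fn(p[: self.n], p[self.n :])
        return out

    def encrypt(self, plaintext: bytes) -> bytes:
        return self._run(plaintext, self._enc_block)

    def decrypt(self, ciphertext: bytes) -> bytes:
        return self._run(ciphertext, self._dec_block)


def roundtrip(msg: bytes, key: bytes, iv: bytes, hash_name: str = "md5") -> bytes:
    """Encrypt with one fresh instance, decrypt with another; trailing spaces are lost."""
    ct = Karn(key, iv, hash_name).encrypt(msg)
    return Karn(key, iv, hash_name).decrypt(ct).rstrip(b" ")
```

The same key and IV must be fed to a fresh instance for decryption, since the chaining state advances with every block processed.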
Isn't this what Bernstein's program that is the subject of a lawsuit in California does?

On Thu, 5 Sep 1996, P. J. Ponder wrote:
keywords: ITAR, SHA, beneficial and innocuous crypto
The persistent reputation known as Bill Stewart wrote:
Date: Wed, 04 Sep 1996 23:09:17 -0700
From: Bill Stewart <stewarts@ix.netcom.com>
To: Kent Briggs <72124.3234@compuserve.com>
Cc: cypherpunks@toad.com
Subject: Re: rc2 export limits..
I'm afraid my source is "Read it on the net and was surprised to hear it". My assumption is that the limit is for software that implements both signature and verification, since ITAR doesn't ban export of pure-authentication software.
The FIPS Pub (?180? ?181?) for the Secure Hash Algorithm (SHA) states in the fine print at the beginning that SHA is export controlled. I don't have the document to refer to right now, but it plainly states that SHA falls under ITAR. As a cryptographic hash function, why would it be controlled in this way?
How can I use SHA to encrypt something for someone else to decrypt? I know how to use it for authentication; am I missing something here?
ANFSCD:
I tried that OnNet32 e-mail software from FTP software. It runs under Windows95. It is a lot of material to download, and way too intrusive to install. It wants to metastasize itself into the innards of Microsoft Exchange and Inboxes, etc. What is it with all this complexity anyway? Why not just have a POP client that will check mail on the server?
It also wants you to store your mailbox password in it, as opposed to letting you enter it on a session-by-session basis. I don't like that.
sticking with PINE, PGP, and Xywrite II for now....
[This message may have been dictated with Dragon Dictate 2.01. Please be alert for unintentional word substitutions.]

A. Michael Froomkin        | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law |
U. Miami School of Law     | froomkin@law.miami.edu
P.O. Box 248087            | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's hot here. And #@&*! humid.