The NSA Visits Compendium

[Peter Wayner]

I don't know anything about uninvited visits, but I did once interview the
designer of a major product about getting an export license. He said that
the NSA were fairly thorough in their review of the product. The most
interesting thing that he mentioned was thatthe company had to guarantee
that the data would never be encrypted sequentially by two _different_
algorithms. Apparently double encryption by 40-bit RC-4 was okay, but using
different algorithms was
verboten. This seemed odd to me at the time and I asked him twice about it.
He agreed that it was weird, but they had no problem with guaranting it.

This led me to these notions:

*) Maybe double or triple DES isn't that great an idea. Maybe the NSA knows
some neat algorithms that can create group-like actions even if the
encryption process isn't a group.

*) Maybe there was a communications problem and no one knew what was being
asked.

*) Maybe the cryptanalysis boys never really talked that much to the folks
who go around regulating export. After all, denying export licenses for
small details is like telling people that certain small details can
confound analysis. This is a leak of information from the NSA which doesn't
seem to like these things.

In general, I think communications between the NSA and the companies begin
when software companies make unofficial inquiries about what is exportable.


-Peter