crypto restrictions

Vin McLellan vin at shore.net
Fri Feb 14 15:58:02 PST 1997


Anand Abhyankar <anand at querisoft.com> asked:

>1) is it illegal to develop an encryption tool (s/w) outside the US
>which uses > 40 bit size session keys and then import that s/w inside of
>the US.
>
>anand....

Hi Anand,

        Nope! Unless there are export controls in India, your wizards in
Bombay or Delhi (pardon, I forget) can offer their US customers the full and
unrestricted product of their creativity and genius in algorithms, crypto
implementations, and/or crypto protocols.

         There are no restrictions on encryption software being _imported_
into the US, nor are there (at the moment <sigh>) any legal (as opposed to
patent or copyright) restrictions on any encryption software of any strength
being _used_ in the US. 

         For that matter, there are no restrictions on encrypted data being
transmitted across the US border.  

        And (while it may require a license, apparently an exemption for the
product, as opposed to a sales-by-sale license) there are seemingly no -- or
at least less -- restrictions on the use of specialized encryption products
(within the US) which can generate a "self-decrypting" secure packet which
can be transmitted (cross-border, outside the US) and opened, anywhere, by a
recipient who has been provided with a password/key out of band.

         That is how RSA's SecurPC has been able to offer full 128-bit RC4
encryption to secure US-to-Anywhere international file transfers.  

        (As with DES, the US Govt is apparently trying to control the export
of a full implementation package -- not the international distribution of a
widely-known algorithm, per se.  As I understand it, the self-decrypting
SecurPC packet does not contain the user interface which allows automatic
encryption; the interface can only decrypt. The RC4 algorithm, of course,
has to be included in the transmission, and it is inherently reversible --
only the user interface is "crippled" to restrict its use to encrypt.
Corrections welcome, if I don't have this exactly right.)  

        The international traffic in self-decrypting "128-bit" products is
separate and distinct from the issues involved in the recent modifications
of the  US export regs, which allow vendors to get approval to export a
56-bit secret-key encryption product (e.g. RC4, RC5, or DES) only if the
vendor submits a concrete plan, and schedule of implementation, to redesign
their (export) product to require key-escrow or trusted-party
key-recovery/storage. 

        (In addition to whatever recovery key is required by corporate backup
policies, this is also, obviously, a mechanism for GAK, "government access
to keys" -- under US law, hopefully with a court warrant -- and/or whatever
backup/key-recovery/GAK-access mechanism might be required by various other
nations in which those products will be imported, used, or transhipped from.)

        And with those GAK-adapted implementations, the US govt. will then
approve, for the first time, general export of robust 128-bit secret-key
products... as they reportedly have for Open Market's SSL, and TIS and
Digital crypto products.

      I hope this is helpful,

        Suerte,
                        _Vin