

Details About New Crypto Export Regulations 72
Codex The Sloth writes "The Industry Standard has a story about industry feedback to the Clinton Administration's new Crypto Regulations which are being developed behind closed doors. Evidently it requires high security like Hillary Clinton's health care reform plan..." Worth a read. It sounds like we're getting somewhere, although not everywhere.
i wish the usa would lighten up (Score:1)
Looks interesting... (Score:2)
If this made sense to you, please post and clear it up for us. This doesn't even look like the government is considering giving us more bits for encryption! (They don't allow enough bits, and no kibbles, so write to your Congressman!)
---
pb Reply or e-mail rather than vaguely moderate [152.7.41.11].
A comment on regulating crypto. (Score:2)
Now, I like the fact that DVD is now just data stored on a medium. But I suspect Hollywood is wishing that they had bought into a non-USA standard that was allowed to be as strong as the builders wanted it to be.
Re:Looks interesting... (Score:1)
Here it Is (Score:2)
My expected outcome to this (Score:4)
If I have data needing protection, I RAR it with a password, then put it on CD and hide the CD.
Not Good Enough (Score:2)
Someone needs to just open a Strong Encryption company outside the US (Mexico? That's where I'd put the factory anyhow) and start mass-shipping crypto-enabled software and phones to the US.
Of course, it's all for naught -- quantum encryption means that they'll have to mass deploy cranial implants to be sure of what I'm up to.
----
A Wholly Uninformative Article (Score:1)
Nothing except rumours. And a date of Dec 15 for release of the draft.
Government vs Private use ????????!!!?!?! (Score:2)
Why are there different laws for foreign Governments and foreign private use?
That has got to be one of the most stupid things I've ever heard of, even compared to the stupidity of the laws at the moment.
A (non-US) country's citizens are allowed to buy strong crypto, but that government isn't???
Maybe (and this may be wayyyyy wrong) foreign governments might not like that much?
If anything, this is going to encourage non-US software companies to enter the crypto market.
Imagine this: Network Associates spends millions of $'s on a big advertising campaign in Europe, so some government department decides they need strong crypto.
They head down to the local computer shop with a nice $10 Mil to equip all their offices only to be told "Sorry - you are government, we can't sell this to you, because it's made in the US".
"Oh no! I've got this $10 Mil for strong crypto software. How can I use it?"
"Well... there is this local company.. it is a crappy bit of software, but we can sell it to you"
So the government buys CrappySoft Encrypter, and CrappySoft then enters the US market, with a nice claim "We are the official supplier to a million European government workers" - what US company can boast that?
--Donate food by clicking: www.thehungersite.com [thehungersite.com]
Here's some conjecture.... (Score:4)
According to this individual, they are completely relaxing any bit-length restrictions on encryption technology. When sold through "retail", it is completely free of restriction. However, when sold to government at least, or perhaps major corporations, encryption vendors are required to track the end user. It wasn't specified whether or not this information needed to be expressly given to the government at point-of-purchase or only after a subpoena. If it's the latter, I'll sleep better. If it's the former, I think we just traded relaxation of one regulation for a tightening of another. Btw, countries like Iran, Iraq, Libya, etc. are still on the black list. But we can't even sell them a stick of gum, let alone an encryption device.
-DS
What I don't get (Score:3)
Re:i wish the usa would lighten up (Score:3)
Christopher A. Bohn
Unacceptable (Score:3)
I don't believe compromise is possible on this issue. Either I can write open source crypto code and post it publicly without going to jail, or I can't. I see no indication that the FBI and NSA are prepared to allow that. My guess is that they're stalling for time, since they know if this issue ever gets before the Supreme Court all restrictions are likely to be struck down.
Who needs organized cryptography, neway?? (Score:3)
Anyway, I have a new super crypto algorithm that is freely exportable, I think. Feel free to use it all you want, just give credit where it is due.
THE NINJA/LINE NOISE ALGORITHM by EL8 DOOD
Ok, here is the basic idea: Say you have a 2000 word secret message you want to send to someone. You could just substitute letters for new letters, ie a=x, b=d, etc, but that would die to a statistical analysis attack since the most common letter would be e, and so on.
Now, here is where the line noise comes in: After doing a substitution cypher, you fill a file with a billion random characters! Then you randomly insert the secret message somewhere in the middle of the randomness! There will be so many characters that those in the actual message will not be statistically significant and will thus be undetectable. There is _NO WAY_ to crack this unless you want to go through every possible substitution cypher (26 factorial possibilities) and search a billion bytes for something which resembles English.
In short, my algorithm is better than des and freely exportable too. Once word gets out on my great achievement, Reno might try to get my algorithm banned overseas, so use it while you can!
Re:Looks interesting... (Score:1)
in no way do they do away with the requirement that you obtain a license before exporting strong crypto.
of course, the getting of a license takes money, and, gee, free software folks don't have the money...
shit happens again, the gov't looks after its sponsors first. they're not doing this because they want to free crypto, or because we're making a noise or because they realise that it's stupid. they're doing it because the companies will take their campaign money elsewhere if they don't. bah.
Re:Not Good Enough (Score:3)
It's called www.kerneli.org [kerneli.org]. They have a pretty good ftp site, too
Maybe the US / FBI are wising up... (Score:2)
This part bothers me... (Score:3)
Re:My expected outcome to this (Score:2)
Re:A comment on regulating crypto. (Score:1)
Purpose? (Score:1)
What exactly is the point of banning strong crypto products? I was under the impression that the reason crypto is "bad" is because "bad people" can use it for nefarious purposes. Aren't there any "bad people" in the US? If people in the US can use crypto for benign purposes, why can't people in other countries do the same?
It might make sense to restrict the sale of cryptographic products going to governments with a known track record of abusive behavior. Anything more than this is lunacy. It appears (from my reading of the article) that Netscape won't be able to ship a strong-crypto version of Navigator to people in Cuba. Where is the logic there? The Cuban government might get a hold of it and be able to order missiles from www.nukes.com and not have to worry about their credit card number being stolen?
-Nathan Whitehead
New regulations don't help free software (Score:3)
Re:i wish the usa would lighten up (Score:1)
All coding a key into the thing is going to do is allow A) them to snoop on everyone, B) invite some (un)scrupulous person to find it, then send it out.
Sounds a lot like DVD.
Basis for understanding all this (Score:2)
I wish... (Score:2)
I wish our fucking politicians would get their god damned heads out of their fucking asses so I could get some actual fucking work done.
You know what should be criminal? It should be criminal that I have to ftp to Finland to get my crypto products because no one will post them here in the states. It should be criminal to say that if I do that and then send the source to my friends in, say, Romania, that I could and probably would be arrested for what amounts to trafficking in arms over international borders. It should be criminal that I can't get a mail program that incorporates strong crypto here in the states because of the government stance on cryptography, including "Crypto enabling APIs." I think it should be criminal that in 10 years my country is going to be a fucking THIRD WORLD COUNTRY because even goddamn ETHIOPIA will have surpassed us in the new world economy. That's what I think should be criminal.
</flame>
How about the discordian cypher? 100% unbreakable! (Score:2)
Take your message. Say... "Hail Eris"...
Put all the vowels at the end ("HLRSAIEI")
Reverse Order ("IEIASRLH")
Convert letters to numbers: (9-5-9-1-19-18-12-8)
Put into numerical order (1-5-8-9-9-12-18-19)
Convert back to letters ("AEHIILRS")
This cryptographic cypher code is GUARANTEED to be 100% unbreakable.
Scrap them (Score:2)
In order to comply with the export regulations, we had to cripple our software (56bit DES instead of 3DES), because we plan to offer our software for download over the internet but we don't have the resources to limit our software to people in the US only. Even then, there are still more problems. We have to submit our software for a "one time technical review". After spending hours and hours poring through the regulations and making phone calls to the BXA, we finally figure out what has to be done. There are half a dozen forms to fill out, we have to describe our software in detail, spend time modifying our code so that the encryption strength cannot be easily increased, etc. etc.
We haven't managed to find the time or energy to do this yet. I'm still studying and my friend holds a full time job. We barely have time to work on the software proper, let alone deal with legal crap like this. Perhaps someone has some advice to offer on how we should go ahead?
The point is... (Score:2)
Nukes to Saddam? They couldn't care less.
Re:I can't wait for 128bit encryption on IRC (Score:2)
--
Harvey
Re:New regulations don't help free software (Score:1)
Something to do with acceptable use tariffs requiring that you cannot connect your network to a network in a country on the prescribed list. Am I right, or are Cuba, Libya, Iraq, et al on the net w/o me realizing it...
Warner
Re:A comment on regulating crypto. (Score:1)
Re:Basis for understanding all this (Score:2)
Cheers,
Re:Not Good Enough (Score:1)
Sure, it's done all the time (Datafellows ssh, Stronghold Apache etc.). The only losers are the IT industry in the states, who can't export similar stuff that others are importing every day!
Re:Who needs organized cryptography, neway?? (Score:1)
BTW for 99% of all Applications bloating the Data is just not acceptable.
Re:Government vs Private use ????????!!!?!?! (Score:1)
Where does GnuPG come from? Where are OpenSSL and FreeSWAN developed? Not to speak of the Russian, Chinese and Indian Math gurus.
I think the main mistake the American Government is making is that they assume they can prevent anyone from using strong encryption. Actually they can't.
Re:Scrap them (Score:1)
AFAIK There is one way around that:
You should check the actual Laws before. You should be able to label your Book as "Scientific Work". AFAIK you are allowed to export that.
Re:Purpose? (Score:1)
Milk is bad because bad people can drink it...
I am not a professional cryptographer (Score:1)
That said: I can't figure out if your post is satire or meant to be factual, or some delirious blend of the two. There are portions which are factual, portions which are obviously satirical, and a lot that's in between.
Most US citizens don't bother with crypto either, because they can't get a mail program that integrates strong crypto. So they send all the E-Mail in the clear, allowing Echelon to work much more efficiently...
Pretty accurate, except that it isn't a dearth of cryptographic EMail clients that's doing us in; rather, crypto is too daunting technically for the average user. When PGP 5.0 came out it was hailed as making it accessible to the masses, but in independent testing it was shown that one Real User in three was unable to use PGP properly in a way which did not compromise the security of PGP.
Crypto has been widely available to the technically knowledgeable since the '70s, with the invention of public-key crypto and DES, the first truly modern symmetric algorithm. IMO -- and remember, I am not a cryptographer, and my opinion on this may not count for much -- by the time breaking DES became a trivial task for world intelligence agencies, TripleDES was already known.
Basically, we've had good crypto tools available for the last twenty-five years or thereabouts. We've had the algorithms and we've had the software. What we lacked twenty-five years ago -- and what we still lack now -- is, IMO:
1. A way to educate the public about crypto and security without requiring anything more advanced than 9th Grade algebra. I may be overestimating the mathematical education of the general public here, but it's hard to imagine talking about crypto without using any mathematics.
2. PKI (Public Key Infrastructure). Somehow, there needs to exist a mechanism for the safe and trusted exchange of public keys. To the best of my knowledge, at present there is no suitable PKI anywhere in the world. PGP's Web of Trust is not scalable to the worldwide community (and has a whole host of other problems, besides).
3. A political climate which considers cryptography, privacy and information security to be worthy topics in the national discourse. Almost every time I see privacy brought up in the mainstream news media, it's always in the context of "you are losing your privacy", never "you are losing your privacy, but there are things you can do about it, on a personal level through your own action, and on a national level through our collective action". People who discount the "unwashed masses" are in for a rude surprise. The hordes of Real Users out there will either make or break national policy. Remember that. You want to get ITAR and those other silly rules thrown out? You need the help of John Q. Public. The forces who want to restrict crypto access even more than they're already restricted are also courting John Q. Public.
I hope this is satire with a kernel of truth. Yes, factoring has never been proven to be a difficult problem, merely conjectured to be so. However, if a polynomial-time factorization algorithm were to be discovered, it would have such revolutionary impacts on the computer industry that I don't think it could be concealed. Honestly. If factorization can be done in P time, then all sorts of related problems can be done in P time, and suddenly... wow. All sorts of incredibly thorny problems suddenly become made clear.
Re:Looks interesting... (Score:2)
I like the Fiat example. At what point is a company a government entity and thus different restrictions apply?
RAR seems like a bad choice. (Score:2)
Use PGP, or ScramDisk, or SFS, or similar systems which at least tell you what algorithms they're using.
--
The regs REALLY DO stop people from using crypto. (Score:2)
Actually, they can, and have.
There is a difference between "preventing anyone from using strong encryption" and "preventing everyone...". They can't stop everyone from using crypto but they can stop some people.
In fact, they've stopped most people from using strong encryption. Most people don't have crypto-aware email software. Most people continue to use "export-grade" web browsers. Less than one percent of internet traffic is strongly encrypted. Cellphones are still using weak crypto or none at all. Landline phone traffic is almost completely unencrypted.
The mess of government regulations has successfully slowed the spread of strong encryption. Promises about lifting those regulations have been used repeatedly to keep the industry from forming an effective opposition (why actively oppose something which will go away on its own "RSN").
Don't be fooled into thinking that we've won. That's exactly what they want us to think.
Re:Who needs organized cryptography, neway?? (Score:2)
Re:Who needs organized cryptography, neway?? (Score:1)
(These claims from the publisher's website. Too bad that I forget who the publisher was.) Does this sound similar to what you are talking about?
What I don't get: (Score:2)
As it says in the article, there's >800 other crypto products which are freely importable to US, so the terrorists can just use those. If I wanted to hide data from the govt, I'd just download PGP (the war on that one has already been lost) and encrypt my data. I could use ssh with 1024 bit encryption to keep my data secure over the network.
In short, all the US regulations do is:
--
I've never understood why... (Score:2)
OTOH, and perhaps paradoxically, I have no problems in the government doing its best to snoop on the conversations of other governments. I don't think we should ever forget that World War II was essentially won by the fact that the US and UK could read German and Japanese messages. The damage at Pearl Harbour could possibly have been limited if certain messages had been decrypted and communicated faster. A lot of damage was caused by the US Government's line of "Gentlemen do not read each other's mail" before each World War.
Draft regulations posted on sci.crypt (Score:2)
"open source code" is mentioned in the introduction, and "non-commercial encryption source-code" in the body.
"Encryption source code controlled under 5D002 which would be considered publicly available under Section 734.3(b)(3) and which is not subject to any proprietary commercial agreement or restriction is released from EI controls and may be exported or re-exported without review under License Exception TSU, provided you have submitted to BXA notification of the export, accompanied by the Internet address (e.g. URL) or copy of the source code by the time of export."
Re:Here it Is (Score:3)
Sec.740.13 (e) Non-Commercial Source Code
(1) Encryption source code controlled under 5D002 which would be considered publicly available under Section 734.3(b)(3) and which is not subject to any proprietary commercial agreement or restriction is released from EI controls and may be exported or re-exported without review under License Exception TSU, provided you have submitted to BXA notification of the export, accompanied by the Internet address (e.g. URL) or copy of the source code by the time of export. Submit the notification to BXA and send a copy to ENC Encryption Request Coordinator (see Section 740.17(g)(5) for mailing addresses).
(2) Source code released under this provision remains of U.S. origin even when used or commingled with software or products of any origin, and any encryption product developed with source code released under this provision is subject to the EAR (see Section 740.17).
(3) The source code may be exported or re-exported to all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.
-----
* So does this mean that if a single line of the code is written in the US it's subject to this business? (see 2)
* And what's this notification clause (1) mean?
* I can't figure out what EAR is, but in section 740.17 which it refers to I find:
(f) Open cryptographic interfaces. License Exception ENC shall not apply to exports or re-exports of encryption commodities and software including components, if the encryption product provides an open cryptographic interface (as defined in part 772).
And below that in the definition of terms:
Open Cryptographic Interface. A mechanism which allows a customer or other party to insert cryptography without the intervention, help or assistance of the manufacturer or its agents, e.g., manufacturer's signing of cryptographic code or proprietary interfaces.
So all in all I'm not too positive on this, though I can't say as I really understand it.
Re:Here it Is (Score:1)
(c) Retransfers. Retransfers of encryption items listed in paragraph (a) of this section to other end-users or end-uses are prohibited without prior authorization.
They seem to be trying to rule out GPL/BSD style licenses here.
Re:New regulations don't help free software (Score:2)
While people in the US are restricted, the rest of the world isn't. As there isn't any particular reason to connect directly to the US, and plenty of non-US/non-restricted equipment to use.
Re:Who needs organized cryptography, neway?? (Score:2)
Re:Who needs organized cryptography, neway?? (Score:1)
break the stream into, say, 64-byte chunks. Then perform your statistical analysis on each chunk. Once you get English from one of the chunks, apply the same translation to the other chunks. Search for dictionary words.
Voila, you have plaintext English sandwiched between gibberish.
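The chunked analysis suggested in the reply above can be sketched in code; this is an added example, not part of the thread. It computes the index of coincidence per chunk, which a letter substitution leaves unchanged, so the ciphertext stands out from uniform noise before any key is guessed. Assumptions: the noise is random lowercase letters, the haystack is scaled down from a billion characters, chunks are 256 letters rather than 64 to steady the statistic, and the plaintext and all function names are constructed for illustration.

```python
import random
import string
from collections import Counter

ALPHABET = string.ascii_lowercase
CHUNK = 256        # assumption: wider than the 64 bytes suggested, less noisy
THRESHOLD = 0.050  # between uniform noise (1/26 ~ 0.038) and English (~0.066)

# Constructed sample plaintext (not from the thread).
SAMPLE = ("meet me at the old warehouse near the river at midnight and bring "
          "the papers that we discussed last week because the other side is "
          "watching the station and we cannot trust the telephone lines any longer ")


def substitute(text, rng):
    """Monoalphabetic substitution with a random key; non-letters are dropped."""
    key = list(ALPHABET)
    rng.shuffle(key)
    table = str.maketrans(ALPHABET, "".join(key))
    return "".join(c for c in text.lower() if c in ALPHABET).translate(table)


def hide_in_noise(ciphertext, noise_len, rng):
    """Insert the ciphertext at a random offset inside uniformly random letters."""
    noise = "".join(rng.choices(ALPHABET, k=noise_len))
    offset = rng.randrange(noise_len)
    return noise[:offset] + ciphertext + noise[offset:], offset


def index_of_coincidence(chunk):
    """Probability that two letters drawn from the chunk are the same letter."""
    n = len(chunk)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(chunk).values()) / (n * (n - 1))


def locate(stream, chunk=CHUNK, threshold=THRESHOLD):
    """Return (start, end) spanning all full chunks that look like language, or None."""
    hits = [i for i in range(0, len(stream) - chunk + 1, chunk)
            if index_of_coincidence(stream[i:i + chunk]) > threshold]
    if not hits:
        return None
    return hits[0], hits[-1] + chunk


def demo(seed=1999):
    """Build a constructed haystack and report where the message really is."""
    rng = random.Random(seed)
    ciphertext = substitute(SAMPLE * 20, rng)
    stream, offset = hide_in_noise(ciphertext, 200_000, rng)
    return offset, len(ciphertext), locate(stream)


if __name__ == "__main__":
    offset, length, found = demo()
    print(f"hidden at {offset}..{offset + length}, flagged region {found}")
```

Once the region is located, what remains is an ordinary substitution cipher, which falls to the frequency analysis the original post already concedes.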
Re:Government vs Private use ????????!!!?!?! (Score:1)
Exactly! (Score:2)
That is exactly what I mean - and if Network Associates can't sell their stuff anyway, that helps even more.
I'm not from the US, BTW
--Donate food by clicking: www.thehungersite.com [thehungersite.com]
Re:The regs REALLY DO stop people from using crypt (Score:1)
They really can't.
Everyone can change his browser to use strong encryption. At least everyone using a platform that is supported by netscape, but on the Atari e.g. there is also a solution.
Everyone can get and use a strong and legal copy of PGP or GnuPG, etc. That people don't do it doesn't relate to the US export restrictions.
So they can not prevent anyone from using strong encryption (who thinks he needs it).
As for Cell Phones: In GSM networks - which are almost any in Europe - an Encryption is used that is considered to be at least secure for this special purpose.
There have been published attacks that can clone the SIM card, but you need the card for about one day - people will know when they don't have it for such a long time. Also this attack only applies to a recommendation in the standard that has been used by only one Network in Germany (there is a new one and I don't know if they use it).
Another attack is possible against the encryption itself, but it is an adaptive chosen plaintext attack. You don't get that into the phone.
We get back to the point that everybody who thinks he needs it can use strong encryption and not care about US export restrictions.
Re:Draft regulations posted on sci.crypt (Score:1)
(Why is preview showing me "t here" when I have "there" in the text? View source shows the space. Happens with both HTML Formatted and Plain Old Text. Oh well.)
Re:Who needs organized cryptography, neway?? (Score:1)
Re:The regs REALLY DO stop people from using crypt (Score:1)
I still maintain that export restrictions have stopped people from using crypto.
Export restrictions prevent strong crypto from being integrated with most common software applications. By forcing encryption software to be a separate product, it makes encryption more difficult to use. Also, because export restrictions have prevented encryption from being installed by default on most computers, there are few people to exchange ciphertext with and therefore little incentive for people to install and learn the encryption software that does exist.
The end result is that export restrictions have prevented the critical mass / network effect required for strong encryption to become widespread.
Re: (Score:1)
Re:What I dont get (Score:1)
Thanks!