[2350] in cryptography@c2.net mail archive
Re: Rivest's Wheat & Chaff - A crypto alternative
daemon@ATHENA.MIT.EDU (Rick Smith)
Tue Mar 24 17:54:02 1998
In-Reply-To: <Pine.BSF.3.95.980324122326.7829B-100000@Jupiter.Mcs.Net>
Date: Tue, 24 Mar 1998 16:33:57 -0600
To: Mike Rosing <cryptech@Mcs.Net>
From: Rick Smith <rsmith@securecomputing.com>
Cc: cryptography@c2.net, rsmith@securecomputing.com
At 12:26 PM -0600 3/24/98, Mike Rosing wrote:
>The beauty is that you don't have to *apply* for an export license
>because authentication is already exempt. Until the rules get rewritten
>of course :-)

This is the fly in the ointment. As long as an authentication product does
*not* use encryption algorithms it does not need an export license.
Unfortunately, encryption algorithms are a standard part of most strong
authentication products. So, the products usually need to be reviewed.

However, Rivest's proposal reflects what IMHO is a vital truth -- if we
deploy really strong authentication all over the place, then we can use it
to bootstrap all sorts of strong encryption mechanisms. The strong
authentication mechanism may require export review, but it doesn't by
itself violate either the letter or the spirit of the export laws. Once
it's out there it provides the essential hook on which one can hang all
sorts of secrecy mechanisms. We can do Rivest's wheat and chaff, or we can
do something more practical. For example, we could digitally sign
comfortably large but temporary Diffie-Hellman credentials for use in
perfect forward secrecy protocols. But the authentication infrastructure is
the essential step in this bootstrapping process.

Rick.
rsmith@securecomputing.com Secure Computing Corporation
"Internet Cryptography" at http://www.visi.com/crypto/ and bookstores
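
Added example (not part of the original message): a minimal bit-at-a-time chaffing and winnowing sketch showing how a MAC alone, with no encryption algorithm, can carry a secret as the thread discusses. The use of HMAC-SHA256, the `(serial, bit, mac)` packet layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAC_LEN = 32  # HMAC-SHA256 tag length in bytes (assumed MAC choice)

def _tag(key, serial, bit):
    """Authenticate (serial, bit); the MAC is the only keyed operation used."""
    msg = serial.to_bytes(8, "big") + bytes([bit])
    return hmac.new(key, msg, hashlib.sha256).digest()

def to_bits(data):
    return [(byte >> s) & 1 for byte in data for s in range(7, -1, -1)]

def from_bits(bits):
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)

def chaff(key, message):
    """Sender: per bit, emit wheat (valid MAC) plus chaff (other bit, random MAC)."""
    packets = []
    for serial, bit in enumerate(to_bits(message)):
        wheat = (serial, bit, _tag(key, serial, bit))
        fake = (serial, bit ^ 1, secrets.token_bytes(MAC_LEN))
        # Always send the 0-packet first so ordering leaks nothing about the bit.
        packets.extend(sorted([wheat, fake], key=lambda p: p[1]))
    return packets

def winnow(key, packets):
    """Receiver: keep only packets whose MAC verifies, then reassemble the bits."""
    bits = {}
    for serial, bit, mac in packets:
        if hmac.compare_digest(mac, _tag(key, serial, bit)):
            if serial in bits:
                raise ValueError("two authentic packets for serial %d" % serial)
            bits[serial] = bit
    # Every serial seen on the wire must yield exactly one authentic bit.
    if set(bits) != {p[0] for p in packets}:
        raise ValueError("no authentic packet for some serial (wrong key or tampering)")
    return from_bits([bits[i] for i in sorted(bits)])
```

An observer without the key sees both bit values for every serial number and cannot tell which tag is authentic; the receiver discards the chaff simply by verifying MACs.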