[2354] in cryptography@c2.net mail archive


Re: Rivest's Wheat & Chaff - A crypto alternative

daemon@ATHENA.MIT.EDU (P. J. Ponder)
Tue Mar 24 23:12:49 1998

Date: Tue, 24 Mar 1998 22:04:25 -0500 (EST)
From: "P. J. Ponder" <ponder@freenet.tlh.fl.us>
To: Lucky Green <shamrock@netcom.com>
cc: Rick Smith <rsmith@securecomputing.com>, cryptography@c2.net
In-Reply-To: <Pine.SUN.3.91.980324151605.13068B-100000@netcom4>

I seem to recall that SHA-1, which I believe is included in FIPS Pub
180-1, states right in the FIPS Pub that it is subject to export controls
(although that may now be the older controls under State Dept.) When I
raised a question about this on a mailing list, Perry M. replied that the
reason for the export control was that a cryptographic hash algorithm can
be used to build a block cipher encryption program (if I recall my facts
and attributions correctly). 

Have there been actual cases of authentication products restricted from
export?  Do the new export controls explicitly state that authentication
software is not subject to export restrictions?
--
pjp

On Tue, 24 Mar 1998, Lucky Green wrote:

> On Tue, 24 Mar 1998, Rick Smith wrote:
> 
> > At 12:26 PM -0600 3/24/98, Mike Rosing wrote:
> > 
> > >The beauty is that you don't have to *apply* for an export license
> > >because authentication is already exempt.  Until the rules get rewritten
> > >of course :-)
> > 
> > This is the fly in the ointment. As long as an authentication product does
> > *not* use encryption algorithms it does not need an export license.
> > Unfortunately, encryption algorithms are a standard part of most strong
> > authentication products. So, the products usually need to be reviewed.
> 
> This is of course incorrect. It is irrelevant what algorithms are used by 
> the product. All that matters is the purpose of the product. The 
> authentication product can contain RSA and 3DES, in source code form, and 
> will still be exportable. 
> 
> To give an example, DNSSEC is freely downloadable from the US and has 
> been deemed outside the scope of US encryption related export regs by both 
> the State Department and the Commerce Department. And this *despite* the 
> fact that DNSSEC ships with a full copy of RSAREF in source code form.
> See http://www.toad.com/dnssec/pressrel1.txt
> 
> US export regs do not reach authentication-only software, nor do they 
> make any attempt to do so. Regardless of how easy it might be for 
> "somebody" to turn the authentication-only product into an encryption 
> product after legal export.
> 
> -- Lucky Green <mailto:shamrock@netcom.com> PGP encrypted mail preferred
> 
> 

