[2721] in cryptography@c2.net mail archive

Re: FYI: I believe Microsoft has knowingly violated the export rules

daemon@ATHENA.MIT.EDU (Mok-Kong Shen)
Wed May 20 09:46:13 1998

Date: Wed, 20 May 1998 10:42:31 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
To: Rich Salz <rsalz@shore.net>, cryptography@c2.net

Rich Salz wrote:

> When a user wants full privacy, the MSRPC component requests the SSPI
> to encrypt the data.  In export versions, the SSPI returns an error
> code, and MSRPC returns the status back to the user's program
> indicating that this level of protection is not supported.  In the
> domestic US versions, the SSPI actually does encrypt the data.
> 
> The problem is that the NSA ordinarily calls the technique used by
> Microsoft "crypto with a hole," and they routinely deny export approval
> for such products.  Their reasoning is that it would be fairly
> straightforward to "add in" the cryptography.  Their reasoning is
> accurate:  It is much easier to write a "plug in" -- a small bit of
> crypto code based on a published paper -- than it would be to write an
> entire RPC component.

Having just joined the present list, I can't understand the current
issue very well. A user can certainly encrypt his message using an
independent strong encryption program and then feed the result for
transmission. So whether there is SSPI at all doesn't matter much
in my view, if the user indeed needs a very high level of security.

M. K. Shen
