Rumors of Liberalized US Crypto Policy

GoBears writes "A "high-placed" AC within the federal government leaked the news. The Merc says: Exporters of the strongest encryption products, which generally have keys of 128 bits or more, will no longer need to license each shipment. Instead, they will in most instances only need to have a one-time technical review of the product. " At least its a step in the right direction. Of course, the real end is no restrictions on any kind of software, but we can dream, right?

Re:"Technical review"

For this I'm sure I want to be an AC...

When I was at Apple, I heard a bit about the "technical review" that the NSA did on AOCE. The NSA apparently insisted that a function be inserted into the key generation. My understanding is that the function reduced the keyspace from 2^64 to about 2^40, though the keys remained 64 bits in length. The function also avoided classes of keys known to be weak. I have to believe that there are more than 2^40 strong keys in that space.

So, while in some sense strengthening the product - by avoiding weak keys - they also, in my opinion, enabled their ability to decrypt communication.

Now, I never knew what the function was - I really don't want to know - but I doubt that it would take more than a few weeks for an attacker with MacNosy to find the function in AOCE.

Do you think that other "technical reviews" are significantly different? Lets hear from someone directly involved in one.