Slashdot Mirror


Details About New Crypto Export Regulations

Codex The Sloth writes "The Industry Standard has a story about industry feedback to the Clinton Administration's new Crypto Regulations which are being developed behind closed doors. Evidently it requires high security like Hillary Clinton's health care reform plan..." Worth a read. It sounds like we're getting somewhere, although not everywhere.

10 of 72 comments

  1. My expected outcome to this by renegade187 · · Score: 4

    Encryption is now limited to rot13 so there's no need for key escrow. Of course all governmental encryption will be increased to tripleDES!

    If I have data needing protection, I RAR it with a password, then put it on CD and hide the CD.

    --
    icq:=22921393;
  2. Here's some conjecture.... by Dwarf_Sibling · · Score: 4

    I have some third party knowledge from a DoD official regarding the new regs. The information was current as of Comdex last week. Take this with several grains of salt as it is most definitely hearsay. I'm only offering it up because the included article seemed to raise more questions than it posed answers to.

    According to this individual, they are completely relaxing any bit-length restrictions on encryption technology. When sold through "retail", it is completely free of restriction. However, when sold to government at least, or perhaps major corporations, encryption vendors are required to track the end user. It wasn't specified whether or not this information needed to be expressly given to the government at point-of-purchase or only after a subpoena. If it's the latter, I'll sleep better. If it's the former, I think we just traded relaxation of one regulation for a tightening of another. Btw, countries like Iran, Iraq, Libya, etc. are still on the black list. But we can't even sell them a stick of gum, let alone an encryption device.

    -DS

    --
    "Any sufficiently advanced technology is indistinguishable from magic." - Arthur C. Clarke
  3. What I don't get by True+Dork · · Score: 3

    is why Network Associates is referred to as being able to weigh in with their opinion. I personally think they showed us their opinion when they became members of the Key Recovery Alliance (http://www.kra.org). After I saw they had joined, we promptly banned all Network Associates products in our offices. Does this not bother anyone else?

  4. Re:i wish the usa would lighten up by EngrBohn · · Score: 3

    You realize, of course, that any license which forbids use by residents of the U.S. would not satisfy the Open Source Definition. Of course, neither would one that would forbid use by residents of Cuba, Syria, Iraq, etc.
    Christopher A. Bohn

    --
    cb
    Oooh! What does this button do!?
  5. Unacceptable by bnenning · · Score: 3
    The fact that the regulations are being developed secretly is not a good sign. I seriously doubt the revised laws will offer any improvement in the area of personal freedom. They may make it easier for commercial companies to make money selling their products, but as long as the FBI and NSA are calling the shots don't expect to be able to freely distribute strong crypto.

    I don't believe compromise is possible on this issue. Either I can write open source crypto code and post it publicly without going to jail, or I can't. I see no indication that the FBI and NSA are prepared to allow that. My guess is that they're stalling for time, since they know if this issue ever gets before the Supreme Court all restrictions are likely to be struck down.

    --
    How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
  6. Who needs organized cryptography, neway?? by EL8+DOOD · · Score: 3

    Mainstream cryptography is for wusses! If you use your own proprietary crypto system, then not only will the cracker have to factor to hell, they will also have to figure out what the fsck is going on first. It's too easy to crack these days with everyone using normal DES.

    Anyway, I have a new super crypto algorithm that is freely exportable, I think. Feel free to use it all you want, just give credit where it is due.

    THE NINJA/LINE NOISE ALGORITHM by EL8 DOOD

    Ok, here is the basic idea: Say you have a 2000 word secret message you want to send to someone. You could just substitute letters for new letters, i.e. a=x, b=d, etc., but that would die to a statistical analysis attack since the most common letter would be e, and so on.

    Now, here is where the line noise comes in: After doing a substitution cypher, you fill a file with a billion random characters! Then you randomly insert the secret message somewhere in the middle of the randomness! There will be so many characters that those in the actual message will not be statistically significant and will thus be undetectable. There is _NO WAY_ to crack this unless you want to go through every possible substitution cypher (26 factorial possibilities) and search a billion bytes for something which resembles English.

    In short, my algorithm is better than des and freely exportable too. Once word gets out on my great achievement, Reno might try to get my algorithm banned overseas, so use it while you can!

    --
    Linux rools and Microsoft drools, so moderate this post up already
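    As an added example (not the poster's code, and scaled down from a billion characters to a few thousand), the Python below shows what actually happens to the scheme above: a monoalphabetic substitution only permutes the plaintext's letter-frequency profile, so a sliding index-of-coincidence (IC) statistic separates the ciphertext region from uniformly random letters, and ordinary frequency analysis then applies to the located window. The plaintext, seed, noise length and window size are constructed for the demonstration; the noise is drawn from the same 26-letter alphabet as the ciphertext so that nothing but letter statistics gives the message away.

```python
"""Locate and start breaking a substitution cipher hidden in random letters.

Added example, not code from the original post. Constructed inputs:
PLAINTEXT, the RNG seed, NOISE length and WINDOW size are all assumptions
chosen for the demonstration.
"""
import random
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

# Constructed sample plaintext (letters and spaces only; spaces are dropped).
PLAINTEXT = (
    "the quick brown fox jumps over the lazy dog several times each evening "
    "before the weather turns cold and the trees lose their leaves the people "
    "in the village gather near the river to watch the geese fly south and to "
    "trade stories about the old days when everyone knew everyone else and "
    "secrets were kept by simply never writing them down"
)


def normalize(text):
    """Keep only lowercase letters, as the post's scheme works on letters."""
    return "".join(c for c in text.lower() if c in ALPHABET)


def make_key(rng):
    """Random monoalphabetic substitution key: plaintext letter -> cipher letter."""
    letters = list(ALPHABET)
    rng.shuffle(letters)
    return dict(zip(ALPHABET, letters))


def substitute(text, key):
    return "".join(key[c] for c in text)


def embed_in_noise(ciphertext, noise_len, rng):
    """Surround the ciphertext with uniformly random letters at a random offset."""
    noise = "".join(rng.choice(ALPHABET) for _ in range(noise_len))
    offset = rng.randrange(0, noise_len + 1)
    return noise[:offset] + ciphertext + noise[offset:], offset


def locate_message(blob, window):
    """Slide a window over blob; return (offset, IC) of the highest-IC window.

    IC = sum n_i*(n_i-1) / (N*(N-1)). Uniform random letters give about 1/26
    (0.0385); English-like text, under any substitution, gives about 0.065.
    The pair count is updated incrementally: removing a letter with count n
    subtracts 2*(n-1), adding a letter with count m adds 2*m.
    """
    counts = Counter(blob[:window])
    pairs = sum(c * (c - 1) for c in counts.values())
    best_off, best_pairs = 0, pairs
    for i in range(window, len(blob)):
        out, inc = blob[i - window], blob[i]
        pairs -= 2 * (counts[out] - 1)
        counts[out] -= 1
        pairs += 2 * counts[inc]
        counts[inc] += 1
        if pairs > best_pairs:
            best_pairs, best_off = pairs, i - window + 1
    return best_off, best_pairs / (window * (window - 1))


def rank_by_frequency(text):
    """Cipher letters ordered from most to least frequent (first guess: 'e')."""
    return [c for c, _ in Counter(text).most_common()]


def demo(seed=7, noise_len=20000, window=150):
    """Hide a message, find it with the IC scan, and check the 'e' guess."""
    rng = random.Random(seed)
    key = make_key(rng)
    msg = normalize(PLAINTEXT)
    blob, offset = embed_in_noise(substitute(msg, key), noise_len, rng)
    found, ic = locate_message(blob, window)
    ranked = rank_by_frequency(blob[found:found + window])
    return {
        "offset": offset,            # where the ciphertext really starts
        "found": found,              # where the IC scan says it starts
        "ic": ic,                    # IC of the best window (vs. ~0.0385 for noise)
        "noise_ic": 1 / len(ALPHABET),
        "msg_len": len(msg),
        "window": window,
        "top_cipher_letter": ranked[0],
        "cipher_for_e": key["e"],    # what the attacker hopes ranked[0] is
    }


if __name__ == "__main__":
    print(demo())
```

    The scan is linear in the size of the file, so a billion characters is a few minutes of work rather than 26! trials; once the window is found, the substitution falls to the same frequency analysis the post itself describes. Padding with noise only helps if the noise has the same letter statistics as the ciphertext, at which point it is no longer "random characters".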
  7. Re:Not Good Enough by Floyd+Turbo · · Score: 3
    Someone needs to just open a Strong Encryption company outside the US (Mexico? That's where I'd put the factory anyhow) and start mass-shipping crypto-enabled software and phones to the US.


    It's called www.kerneli.org. They have a pretty good ftp site, too :)
  8. This part bothers me... by diaphanous · · Score: 3

    "Last night, the government group released a preliminary draft to several companies that manufacture encryption products. The government asked the firms to keep the details secret for the time being" I don't see any reason for the government to restrict the public from reading the report except to minimize nettlesome grass roots opposition to the new regulations. In a democracy the whole public (not just a select few corporations) is supposed to be able to review, discuss, and agitate for or against rules that will affect everyone. Though by and large it seems as if most companies have tried to stand up to the NSA and the Clinton administration when faced with absurd crypto regulations, I worry that they may find a path that optimizes their profits but minimizes our privacy.

  9. New regulations don't help free software by Anonymous Coward · · Score: 3

    The administration says that the regulations were modified to allow noncommercial source code export. But then the draft of the regulations says that it is specifically still illegal to send source code to the Seven (e.g. Cuba). Since that's the case, it could still be illegal to post crypto code on the web, in anonymous CVS, on an anonymous FTP site, or in a newsgroup -- just as it is now. Unless the government specifically says that open and unrestricted electronic publication of crypto code is legal, the situation may not change at all -- because FTP site operators and so on could still be threatened with prosecution, because someone in Cuba can still download the code.

  10. Re:Here it Is by nowan · · Score: 3

    Ok, so:

    Sec.740.13 (e) Non-Commercial Source Code

    (1) Encryption source code controlled under 5D002 which would be considered publicly available under Section 734.3(b)(3) and which is not subject to any proprietary commercial agreement or restriction is released from EI controls and may be exported or re-exported without review under License Exception TSU, provided you have submitted to BXA notification of the export, accompanied by the Internet address (e.g. URL) or copy of the source code by the time of export. Submit the notification to BXA and send a copy to ENC Encryption Request Coordinator (see Section 740.17(g)(5) for mailing addresses).

    (2) Source code released under this provision remains of U.S. origin even when used or commingled with software or products of any origin, and any encryption product developed with source code released under this provision is subject to the EAR (see Section 740.17).

    (3) The source code may be exported or re-exported to all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.

    -----

    * So does this mean that if a single line of the code is written in the US it's subject to this business? (see 2)

    * And what's this notification clause (1) mean?

    * I can't figure out what EAR is, but in section 740.17 which it refers to I find:

    (f) Open cryptographic interfaces. License Exception ENC shall not apply to exports or re-exports of encryption commodities and software including components, if the encryption product provides an open cryptographic interface (as defined in part 772).

    And below that in the definition of terms:

    Open Cryptographic Interface. A mechanism which allows a customer or other party to insert cryptography without the intervention, help or assistance of the manufacturer or its agents, e.g., manufacturer's signing of cryptographic code or proprietary interfaces.

    So all in all I'm not too positive on this, though I can't say as I really understand it.