All cryptographic products need export licenses from the
State Department, acting under authority of the International Traffic in Arms
Regulation (ITAR). ITAR defines cryptographic devices, including software, as
munitions. The U.S. government has historically been reluctant to grant export
licenses for encryption products it sees as stronger than a certain level,
one that has not been made public. Under current regulations, a vendor seeking to export
a product using cryptography first submits a request to the State Department’s
Defense Trade Control office. Export jurisdiction then can be passed to the
Department of Commerce, whose export procedures generally are simple and
efficient. If jurisdiction remains with the State Department, then further
(perhaps lengthy) review must occur before export can be approved or denied.
The NSA sometimes becomes directly involved at this point. The details of the
export approval process change frequently.
The NSA has de facto control over export of cryptographic
products. The State Department does not grant licenses without NSA approval and
routinely grants them whenever NSA does approve. Therefore, policy decisions
concerning exporting cryptography ultimately rest with the NSA.
The NSA’s stated policy is not to restrict export of
cryptography for authentication. Its concern lies only with the use of
cryptography for privacy. A vendor seeking to export a product for
authentication is granted an export license only so long as it can demonstrate
that the product cannot be easily modified for encryption. This is true even
for very strong systems, such as RSA with large key sizes. Furthermore, the
bureaucratic procedures are simpler for authentication products than for
privacy products. An authentication product needs NSA and State Department
approval only once, whereas an encryption product could need approval for every
sale or every product revision.
The U.S. State Department and the NSA strictly regulate
export of DES, in hardware or software. The government rarely approves export
of DES; financial institutions and foreign subsidiaries of U.S. companies are
exceptions. This is the case even though DES is widely available overseas.
Software developers in many countries have produced DES products from the
published specifications. These products are functionally compatible with U.S.
products.
Export policy currently is a matter of great controversy.
Many software and hardware vendors consider current export regulations overly
restrictive and burdensome. The Software Publishers Association (SPA), a
software industry group, has recently been negotiating with the government to
get export license restrictions eased. One agreement was reached that allows
simplified procedures for export of two bulk encryption ciphers, RC2 and RC4,
when the key size is limited. Also, export policy is less restrictive for
foreign subsidiaries and overseas offices of U.S. companies.
In March 1992, the Computer Security and Privacy Advisory
Board voted unanimously to recommend a national review of cryptography policy,
including export policy. The Board is an official advisory board whose members
are drawn from the government and the private sector.
The Board stated that a public debate is the only way to
reach a consensus policy that best satisfies competing interests. National security
and law enforcement agencies favor restrictions on cryptography, especially for
export, whereas other government agencies and private industry want greater
freedom for using and exporting cryptography. Export policy has traditionally been
decided solely by agencies concerned with national security, without much input
from those who want to encourage commerce in cryptography. U.S. export policy
could undergo significant changes in the next few years.
Note: The legal status of encryption in many countries has been placed on the
World Wide Web. You can access it using the following URL:
http://web.cnam.fr/Network/Crypto/
In much of the civilized world, encryption is legal or at
least tolerated. In some countries, however, such activities can land you
before a firing squad! Check the laws in your country before you use any
encryption product. Some countries in which encryption is illegal are Russia,
France, Iran, and Iraq.