[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Wassenaar summary (and a funny new loophole)

> The Wassenaar Arrangement has put up the Dec. 3 lists
> agreed to by members:

To summarize the crypto rules:

Software is freely exportable if it has been made available without
restrictions upon its further dissemination. Copyright restrictions
do not count.

Mass market cryto software is no longer covered by the General Software
Note, but by a Cryptography Note. Under that note, mass market software
and hardware is not controlled if it does not use symmetric keys longer
than 64 bits and the cryptographic functionality cannot easily changed
by the user.

Systems that do not meet those conditions are export-controlled if they
use symmetric encryption with more than 56 bit keys, algorithms based 
on factorization or on logarithms in finite fields with more than 512
bit keys (e.g. RSA, DH) or on discrete logarithms in other groups (such
as elliptic curves) with more than 112 bits. They may be exported for
personal use.

There are exceptions for execution of copy-protected software and
read-only media and for phones without end-to-end encryption.

The list contains an amusing editorial error which would for the first
time allow the export of strong crypto hardware. "Symmetric algorithm"
is defined to mean 'a cryptographic algorithm using an identical key for
both encryption and decryption', whereas an algorithm using 'different
mathematically-related keys for encryption and decryption' is an "asymmetric

Since the definition differentiates algorithms by symmetry rather than by
their cryptographic properties, there is no restriction whatsoever on
asymmetric secret-key encryption algorithms. Those algorithms typically
are not based on factorization or discrete logarithms. That is, they are
no longer controlled by the Wassenaar arrangement.

Better yet, mass-market crypto systems are not controlled if they
'do not contain a "symmetric algorithm" employing a key length exceeding
64 bits'. So you can use, say, 2048 bit RSA with an asymmetric secret-key
algorithm of 128 bit key length (so the system does not contain a symmetric
algorithm), and you're free to export it.