From bloom-beacon!mintaka!yale!cs.utexas.edu!know!sdd.hp.com!elroy.jpl.nasa.gov!ncar!gatech!mcnc!decwrl!sgi!shinobu!odin!nelson Sat Oct 20 04:31:34 EDT 1990
Article: 3977 of sci.crypt
Path: bloom-beacon!mintaka!yale!cs.utexas.edu!know!sdd.hp.com!elroy.jpl.nasa.gov!ncar!gatech!mcnc!decwrl!sgi!shinobu!odin!nelson
From: nelson@sgi.com (Nelson Bolyard)
Newsgroups: sci.crypt
Subject: Re: Cryptography and the Law...
Summary: DES CAN be exported under these conditions
Message-ID: <1990Oct16.203545.4347@odin.corp.sgi.com>
Date: 16 Oct 90 20:35:45 GMT
References: <47143@cornell.UUCP>
Sender: news@odin.corp.sgi.com (Net News)
Distribution: na
Organization: Silicon Graphics, Inc., Mountain View, CA
Lines: 154
Disclaimer: Views expressed herein do not represent the views of my employer.

In article <47143@cornell.UUCP> wayner@kama.cs.cornell.edu (Peter Wayner) writes:
[ previous quotations deleted ]
...
>Yes, the NSA or the Commerce department bans the export of things
>like DES. Read the label of Borland Sidekick or some other pieces
>of software with encryption. This ban DOES affect US citizens.

I've seen numerous arguments in this newsgroup caused because one person,
who (like me) tends to view the U.S. Gov't as a monolith, refers to the
wrong part of the government in a statement like "XXX does YYY", only to
be reproved by someone else who says "no, XXX doesn't do YYY" but who then
fails to complete the reproof with "instead, ZZZ does YYY".

The export of encryption technology is *controlled* (not *banned*) by two
departments of the U.S. Gov't. They control it by issuing (or not issuing)
export licenses. The two controlling groups are:

(1) the Department of Commerce, Bureau of eXport Administration (BXA),
    Office of Export Licensing (OEL), and

(2) the State Department Office of Defense Trade Control (DTC) - formerly
    known as the Office of Munitions Control (OMC).

I've recently spoken with people in both those departments, and even (gasp)
the NSA (whom I've promised not to quote, and will not quote here). A DTC
employee told me that they use the NSA's help to decide what can and cannot
be exported. From this, I infer that NSA does indeed substantially influence
and indirectly control what cryptographic systems get exported.

I WILL quote verbatim (with permission) from an article published in the
December 1989 issue of the "OEL Insider", kindly sent to me by an OEL
insider. It explains very clearly those things that can be (and are)
licensed by the BXA OEL for export without additional review and approval
by DTC (and NSA). Export of cryptographic systems not mentioned here is
controlled by the DTC.

----------- From OEL Insider, December 1989, pages 6-7 ---------------

Transfer of Encryption Software and Devices From the Office of Munitions
Control to Commerce

On August 11, 1989, BXA accepted jurisdiction from the Office of Munitions
Control (OMC), Department of State, for the following items previously
controlled by OMC because of their encryption capabilities:

1. Authentication. Equipment or software that calculates a Message
   Authentication Code (MAC) or similar result to assure no alteration of
   text has taken place, or to authenticate users, but do not allow for
   encryption of data, text, or other media other than that needed for the
   authentication.

2. Access control. Equipment or software that protect passwords or
   Personal Identification Numbers (PIN) or similar data to prevent
   unauthorized access to computing facilities, but do not allow for
   encryption of files or text, except as directly related to the password
   and PIN protection.

3. Proprietary software protection. Decryption-only routines for encrypted
   proprietary software, fonts, or other computer-related proprietary
   information for the purpose of maintaining vendor control when such
   decryption routines are not accessible to users of said software, font,
   or other information, and cannot be used for any other purpose.

4. Automatic teller devices. Devices limited to the issuance of cash or
   traveler checks, acceptance of deposits, account balance reporting, and
   similar financial functions.

Exporters are advised to follow the procedures of Part 799.1, section (f)
in seeking commodity classifications for commodities meeting the above
description.

Commerce is continuing discussion with OMC on additional commodities having
encryption capabilities as possible candidates for jurisdictional transfer
to BXA from OMC. The following commodities are subject to transfer based on
a product by product review by OMC:

1. Mass market software. Software packages designed to run on
   microcomputers, employing non-standard cryptographic algorithms, not of
   strategic value and for which encryption is not the primary function of
   the package.

2. Simple analog television descramblers. Devices that descramble analog
   television signals for the purpose of entertainment. This does not
   include video conferencing security devices, nor devices using digital
   encryption schemes.

3. Simple voice scramblers. Analog voice scramblers that do not make use
   of, or are not capable of, transposition changes occurring more
   frequently than one every ten seconds.

4. Smart cards and related equipment. Smart cards and related equipment and
   software that are capable of implementing cryptographic applications
   onto smart cards or controlling these applications, for use in a
   financial environment.

----------- END OF QUOTATION -------------------------------------

...
>Some of the latest versions of DEC Kerberos do not contain encryption
>routines because DEC does not want to have two versions of the
>product-- one exportable and one embargoed. Costs are too high.
>The headaches of support are too great. Etc.

Not quite. This subject has been discussed at length in the newsgroup
comp.protocols.kerberos. My understanding, based solely on having read
several postings to comp.protocols.kerberos ostensibly from a Kerberos
engineer at DEC, is that DEC's one and only Kerberos DOES include DES.
They have eliminated any way for the Kerberos DES to be used to encrypt
and decrypt normal data (e.g. no krlogin -x). The only use of DES in their
Kerberos is in the authentication functions, which, as you can see from
the above quoted OEL Insider article, is exportable.

>No. The problem is not cryptography for the Bavarian Illuminati
>and the Drug Runners. These people wouldn't care about breaking
>the law. The problem is privacy for everyone else. If these things
>are against the law, normal, law-abiding people will avoid them.
>People caught with drug paraphernalia go to jail.
...
>I think it is reasonable and logically conceivable that the government
>will try to ban cryptographic procedures because they can be used
>so successfully by criminals. The argument could be made that normal Americans
>don't need this sort of thing. They don't need assault rifles. Etc.
>This has been done too many times in the past. One smart fellow
>invented a cheap, phone scrambler and tried to patent it. One day he
>received a letter from the patent office that told him his invention
>was now classified. Since he wasn't even cleared to know about it, he
>needed to destroy all documentation of its existence. When Goldwasser,
>Micali and some other MIT dudes tried to announce Zero Knowledge
>Proofs, the government tried to stop them and they only failed because
>the MIT people were foreign nationals. After James Bamford wrote _The
>Puzzle Palace_, the NSA followed the tracks of his research and
>reclassified documents. They went into private libraries, removed
>books and reclassified them.

I share your concerns. Operation Sundevil made it clear that having
information about the phone system (even publicly published information)
is grounds for having your computer equipment confiscated. I'd hate to see
having encryption software on your computer be added to the list of things
that make you a seizure target.

Here's another angle to consider. The D.A. says "Your Honor, members of
the jury, the fact, proven in this court, that the defendant encrypted the
data on this disk, which I hold in my hand, just as any drug dealer, given
the chance, will flush incriminating evidence down the toilet, to obstruct
the pursuit of justice, demonstrates beyond any reasonable doubt that the
defendant believed he had done something illegal, he had something to
hide."

>Peter Wayner    Department of Computer Science Cornell Univ. Ithaca, NY 14850
>EMail:wayner@cs.cornell.edu    Office: 607-255-9202 or 255-1008
>Home: 116 Oak Ave, Ithaca, NY 14850    Phone: 607-277-6678

-----------------------------------------------------------------------------
Nelson Bolyard      nelson@sgi.COM      {decwrl,sun}!sgi!whizzer!nelson
Disclaimer: Views expressed herein do not represent the views of my employer.
-----------------------------------------------------------------------------