Cryptography


The expansion of computer connectivity makes it important to have ways of protecting data and messages from tampering or reading. Even the US courts have ruled that there exists no legal expectation of privacy for email. It is thus up to the user to ensure that communications which are expected to remain private actually do so. One of the techniques for ensuring privacy of files and communications is cryptography.

What follows is a list of freely available crypto systems, with comments based on my limited reading in books and on the net. I am not an expert in cryptography, and the following comments are therefore not to be taken as anything but introductory words on the subject. For another more extensive source for cryptography available on the net, go to The International Cryptographic Software Pages...



Legal:


As mentioned above, the export of cryptography was controlled in the USA by a set of regulations called ITAR. Although designed to control military, not civilian, technology, the sudden expansion of the use of civilian cryptography has left these regulations still controlling it as though it were of purely military significance. There is also a feeling that certain branches of the US government would like to keep it this way, despite the overwhelming demand for civilian cryptography. Recently the USA has promulgated a change to ITAR allowing the export of crypto for temporary personal use. If software, it must reside on an export controlled hardware device, and in all cases detailed records of the export must be kept for five years.

The above situation changed in the new year (Jan 1997), when control of civilian cryptography was removed from the ITAR regulations and put under the control of the Dept. of Commerce. These new regulations (see especially Part 742 section 15 and Supplement 6, and Category 5 part 2; 740.13(e) also gives the general exemption for open source, royalty free software, and the requirements for making use of it) are unfortunately far less readable than the ITAR regulations, so figuring out what is allowed and what is not has become far more complicated. These regulations appear to have expanded, rather than contracted, the control over cryptography, although application can be made for freedom from license for mass market software using symmetric keys of no more than 56 or 64 bits.

However, the whole of the regulations controlling the export of cryptography in the USA has been thrown into confusion by the Bernstein case. Dan Bernstein, then a graduate student at UC Berkeley, launched a civil First Amendment suit against the US Government when it refused to allow him to publish, either in printed or electronic form, an encryption algorithm that he had designed. Judge Patel ruled that source code was protected speech under the First Amendment and that the ITAR and Commerce regulations violated the First Amendment by not instituting sufficient safeguards against capricious and arbitrary decisions by the executive branch. This decision will probably be appealed by the US government.

Canada also has a set of laws governing the export of military technology called the Export Control List. A copy of a Guide to Canada's Export Controls may be obtained from the Government International Trade Offices across the country.

The status of PGP and other publicly available cryptography under this set of regulations is somewhat unclear to me. The key sections of relevance to PGP are

Whether or not the above comments have any legal validity, I have no idea. Thus you should check with competent legal counsel before exporting PGP or any other cryptographic software from Canada.

Evidence that the Canadian situation may be much freer than the US one is that the Entrust Solo software is exported from Canada to all countries in the world (with seven exceptions). As a subsidiary of Nortel, a major Canadian company, they have presumably received permission for this export.

[Note that I am not a lawyer, and base the above interpretation purely on my reading of the law as a layman. It is not legal advice, nor should it be taken as such.]

Marc Plumb has tested the ECL by applying for permission to export various cryptographic products from Canada. For his experience and his comments on the ECL see http://www.efc.ca/pages/doc/crypto-export.html

Canada is in the process of reviewing its policies on cryptography. See the paper A Cryptographic Policy Framework for Electronic Commerce, published Feb. 1998.

For a survey of cryptography laws worldwide see http://rechten.uvt.nl/koops/cryptolaw/index.htm



Last Updated Mar 1998 Bill Unruh
