[Previous] [Next] [Index]
[Thread]
Re: crypto export laws
At 3:17 AM 2/7/96, Holger Reif wrote:
>> Can anyone give me the facts on the current cryptography export laws for
>> internal corporate use? That is, if my company wants to communicate
>>safely with
>> our own branch offices abroad via WANs, can we use 128 bit encryption
>>for that
>> communication? Or are we restricted to 40 bit once the communication
>>leaves the
>> US (virtual) border?
>
>Short try:
>
>You CAN use strong _encryption_ beyond your US-Border, but
>you CAN'T use an US-Product for this since it is not allowed to be exported.
>So you must look for a non-US-Solution or develope your own (in your abroad
>office of course)
Just to push the point a bit further:
The U.S. does not impose any restriction on the *use* of cryptographic
systems, either inside the U.S. or abroad. If you are inside the U.S. and
are communicating with someone outside the U.S., you can use whatever tools
you have have.
The U.S. does impose restrictions on the export of software and hardware
which is capable of encrypting communications or files. If your
correspondent doesn't already have the necessary crypto software and you
want to ship him a copy, then you run into the restrictions.
Export of crypto to a subsidiary of a U.S. company is regulated but not
prohibited. I don't know for sure where the limit is, but when I last
checked, it was possible to export DES-based systems with full 56 bit keys.
56 bits is stronger than a 40 bit key mentioned above and singificantly
weaker than a 128 bit key. The 40 bit limit is the commonly approved
length for general export. Export to U.S. multinationals and financial
institutions are permitted to have stronger crypto.
Steve
--------------------
Steve Crocker Main: +1 703 620 4200
CyberCash, Inc., Suite 430 Desk: +1 703 716 5214
2100 Reston Parkway Fax: +1 703 620 4215
Reston, VA 22091 crocker@cybercash.com