|
Cryptome DVDs. Donate
$25 for two DVDs of the Cryptome collection of 47,000 files from June 1996
to January 2009 (~6.9 GB). Click Paypal or mail check/MO made out to John
Young, 251 West 89th Street, New York, NY 10024. The collection includes
all files of cryptome.org, cryptome.info, jya.com, cartome.org,
eyeball-series.org and iraq-kill-maim.org, and
23,100 (updated)
pages of counter-intelligence dossiers declassified by the US Army Information
and Security Command, dating from 1945 to 1985.The DVDs will be sent anywhere
worldwide without extra cost. |
|
10 December 1998
Comments on the Information
Security section of the Wassenaar Arrangement agreement of December 3
published today at the Wassenaar
Web site. Others to be added.
To: ukcrypto@maillist.ox.ac.uk
Subject: http://www.dti.gov.uk/export.control/
Date: Thu, 10 Dec 1998 14:34:30 +0000
From: Martin Hamilton <martin@net.lut.ac.uk>
-----BEGIN PGP SIGNED MESSAGE-----
Hi folks,
I'm not sure if this has come up already, but I was just grazing
through the UK Department of Trade and Industry's Export Control List
at the above address and found the following:
"In the public domain" (GTN NTN GSN), as it applies herein, means
"technology" or "software" which has been made available without
restrictions upon its further dissemination (copyright restrictions
do not remove "technology" or "software" from being "in the public
domain").
[...]
Controls on "technology" transfer do not apply to information "in the
public domain", to "basic scientific research" or to the minimum
necessary information for patent applications.
I hadn't realised how clearly this stuff was spelled out!
That document appears to have been last updated in January 1998, BTW.
The Wassenaar list of dual-use technologies also says, in its 'General
Technology Note':
Controls do not apply to "technology" "in the public domain", to
"basic scientific research" or to the minimum necessary information
for patent applications.
The 'General Software Note' has this to add:
The Lists do not control "software" which is either:
1. Generally available to the public by being:
a. Sold from stock at retail selling points without restriction,
by means of:
1. Over-the-counter transactions;
2. Mail order transactions; or
3. Telephone call transactions; and
b. Designed for installation by the user without further
substantial support by the supplier; or
N.B. Entry 1 of the General Software Note does not release
"software" controlled by Category 5 Part 2.
2. "In the public domain".
See <URL:http://www.wassenaar.org/List/GTNGSN.doc>. Category 5 is the
section on 'Information Security', of course. Last updated 10th
December 1998.
"In the public domain" is defined as:
This means "technology" or "software" which has been made available
without restrictions upon its further dissemination.
N.B. Copyright restrictions do not remove "technology" or "software"
from being "in the public domain".
See <URL:http://www.wassenaar.org/List/Def.doc>.
So, these two documents say quite explicitly that public domain
software (as defined above!) is specifically excluded from export
control under both the (new) Wassenaar Agreement list and the
(pre-existing) UK DTI list. <Breathes sigh of relief :->
Ciao!
Martin
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQCVAwUBNm/b9NZdpXZXTSjhAQHCbwP/XoT5Ph4LX7i8vDMLekSqHibJ9+UXElOT
mmzUCum6o8TbYgeKBe8YXq3sojd4uAfyms7TSBDjmg2UyMn7HTi6/f3Nusuwwofk
wiMH+ux2ToSmq/LmN9sRqoaMk1uBn1rga0QjSWFFsaIxnthhlefSsGTqvUVx+q2u
3kVguLMX2ms=
=RoP4
-----END PGP SIGNATURE-----
To: ukcrypto@maillist.ox.ac.uk
Subject: Re: Wassenaar List avialable
Date: Thu, 10 Dec 1998 15:22:01 +0100
From: Casper Dik <casper@holland.Sun.COM>
>The text is available from URL:
>
>http://www.wassenaar.org/List/
>
>It seems that Public Domain software is still
>exempt ..
Yes, so it seems; the "over-the-counter" exemption is specified as not
applying to Cat 5 part 2; the "public domain" exemption is not restricted
in such a fashion.
Another interesting bit:
Note 2 Category 5 - Part 2 does not control products when accompanying
their user for the user's personal use.
Casper
Date: Thu, 10 Dec 1998 15:59:10 +0000
To: ukcrypto@maillist.ox.ac.uk
From: Brian Randell <Brian.Randell@newcastle.ac.uk>
Subject: Re: http://www.dti.gov.uk/export.control/
Hi Martin:
At 2:34 pm +0000 10/12/98, Martin Hamilton wrote:
[Snip; see preceding message.]
I trust that the rules about "open source software", as given at
http://www.opensource.org/osd.html
e.g. "The program must include source code, and must allow distribution in
source code as well as compiled form. Where some form of a product is not
distributed with source code, there must be a well-publicized means of
downloading the source code, without charge, via the Internet. . . . The
license must allow modifications and derived works, and must allow them to
be distributed under the same terms as the license of the original software"
do not constitute "restrictions upon further dissemination". Perhaps some
of the readers of this mailing list can reassure me on this point, and
allow me to join you in your sigh of relief! :-)
Cheers
Brian
Dept. of Computing Science, University of Newcastle, Newcastle upon Tyne,
NE1 7RU, UK
EMAIL = Brian.Randell@newcastle.ac.uk PHONE = +44 191 222 7923
FAX = +44 191 222 8232 URL = http://www.cs.ncl.ac.uk/~brian.randell/
Date: Thu, 10 Dec 1998 17:14:47 +0000
To: ukcrypto@maillist.ox.ac.uk
From: Nicholas Bohm <nbohm@ernest.net>
Subject: Re: http://www.dti.gov.uk/export.control/
At 03:59 PM 12/10/1998 +0000, Brian Randell wrote:
[Snip; see preceding message.]
The rules you quote are not "restrictions upon ... dissemination", they are
prohibitions against restrictions on dissemination, and therefore not a
problem.
Regards,
Nicholas Bohm
Salkyns, Great Canfield,
Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272)
Fax 01279 870215 (+44 1279 870215)
Mobile 0860 636749 (+44 860 636749)
PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint:
9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint:
5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF
Subject: Wassenaar summary (and a funny new loophole)
To: cryptography@c2.net, cypherpunks@toad.com
Date: Thu, 10 Dec 1998 19:15:03 +0100 (NFT)
From: ulf@fitug.de (Ulf Möller)
> The Wassenaar Arrangement has put up the Dec. 3 lists
> agreed to by members:
To summarize the crypto rules:
Software is freely exportable if it has been made available without
restrictions upon its further dissemination. Copyright restrictions
do not count.
Mass market cryto software is no longer covered by the General Software
Note, but by a Cryptography Note. Under that note, mass market software
and hardware is not controlled if it does not use symmetric keys longer
than 64 bits and the cryptographic functionality cannot easily changed
by the user.
Systems that do not meet those conditions are export-controlled if they
use symmetric encryption with more than 56 bit keys, algorithms based
on factorization or on logarithms in finite fields with more than 512
bit keys (e.g. RSA, DH) or on discrete logarithms in other groups (such
as elliptic curves) with more than 112 bits. They may be exported for
personal use.
There are exceptions for execution of copy-protected software and
read-only media and for phones without end-to-end encryption.
The list contains an amusing editorial error which would for the first
time allow the export of strong crypto hardware. "Symmetric algorithm"
is defined to mean 'a cryptographic algorithm using an identical key for
both encryption and decryption', whereas an algorithm using 'different
mathematically-related keys for encryption and decryption' is an "asymmetric
algorithm".
Since the definition differentiates algorithms by symmetry rather than by
their cryptographic properties, there is no restriction whatsoever on
asymmetric secret-key encryption algorithms. Those algorithms typically
are not based on factorization or discrete logarithms. That is, they are
no longer controlled by the Wassenaar arrangement.
Better yet, mass-market crypto systems are not controlled if they
'do not contain a "symmetric algorithm" employing a key length exceeding
64 bits'. So you can use, say, 2048 bit RSA with an asymmetric secret-key
algorithm of 128 bit key length (so the system does not contain a symmetric
algorithm), and you're free to export it.
Date: Thu, 10 Dec 1998 19:06:29 +0000
From: Ben Laurie <ben@algroup.co.uk>
To: "Ulf Möller" <ulf@fitug.de>
CC: cryptography@c2.net, cypherpunks@toad.com
Subject: Re: Wassenaar summary (and a funny new loophole)
Ulf Möller wrote:
> Since the definition differentiates algorithms by symmetry rather than by
> their cryptographic properties, there is no restriction whatsoever on
> asymmetric secret-key encryption algorithms. Those algorithms typically
> are not based on factorization or discrete logarithms. That is, they are
> no longer controlled by the Wassenaar arrangement.
Hmm - so if I defined a new crytpo algorithm, SED3, say, that looks like
this:
SED3(k,x)=3DES(backwards(k),x)
where backwards(k) is k with its bits written backwards, then the
3DES/SED3(k1,k2) combination is exportable (where k1 is related to k2,
of course, by k2=backwards(k1))?
Cheers,
Ben.
--
Ben Laurie |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/
London, England. |"Apache: TDG" http://www.ora.com/catalog/apache/
Date: Thu, 10 Dec 1998 20:26:04 +0100
From: Anonymous <nobody@replay.com>
Subject: Text of Wassenaar regulations, with comments
To: cypherpunks@cyberpass.net, cryptography@c2.net
> Web version:
> http://www.fitug.de/news/wa/
>
> Word- or RTF-version:
> http://www.wassenaar.org/List/
Here are the contents of Category 5, Part 2, of the Wassenaar list,
which controls information security. It has been converted to text,
somewhat clumsily, so pay attention to the use of numbers and letters
to depict the outline format. Some comments are included.
The summary is that there are no exemptions for public domain or
mass market products; PGP and similar software would not be legal for
export under these rules. The exemptions are narrowly drawn and could
not reasonably be used to allow for exporting cryptographic software.
It is a very restrictive set of rules. One possible loophole is the
question of what constitutes export, and whether it includes transmission
of information.
: Part 2 - "INFORMATION SECURITY"
:
: Note 1 The control status of "information security" equipment,
: "software", systems, application specific "electronic assemblies",
: modules, integrated circuits, components or functions is determined in
: Category 5, Part 2 even if they are components or "electronic
: assemblies" of other equipment.
:
: Note 2 Category 5 - Part 2 does not control products when
: accompanying their user for the user's personal use.
This means that you can still carry cryptography with you across borders,
but only for your own personal use. This does not allow taking crypto
to another country and distributing it there.
: Note 3 Cryptography Note
:
: 5.A.2. and 5.D.2. do not control items that meet all of the following:
: a. Generally available to the public by being sold, without
: restriction, from stock at retail selling points by means of any of
: the following:
: 1. Over-the-counter transactions;
: 2. Mail order transactions;
: 3. Electronic transactions; or
: 4. Telephone call transactions;
: b. The cryptographic functionality cannot easily be changed by the
: user;
: c. Designed for installation by the user without further substantial
: support by the supplier;
: d. Does not contain a "symmetric algorithm" employing a key length
: exceeding 64-bits; and
: e. When necessary, details of the items are accessible and will be
: provided, upon request, to the appropriate authority in the exporter's
: country in order to ascertain compliance with conditions described in
: paragraphs a. to d. above.
The exemption above only applies to software which meets ALL of the
above requirements. It is not enough to be generally available to the
public; it must also not contain any symmetric algorithms greater than
64 bits. This exemption would not apply to PGP, for example.
: Technical Note
: In Category 5--Part-2, parity bits are not included in the key
: length.
A reference to 5.A.2.a.1.a below, which controls software with longer
than 56 bit keys for symmetric algorithms. DES implementations are
sometimes said to take 64 bit keys because the 56 bit keys are padded
with parity bits. This note is to make clear that 56 bit DES is not
controlled, even when the keys are padded to 64 bits.
: 5. A. 2. SYSTEMS, EQUIPMENT AND COMPONENTS
:
: a. Systems, equipment, application specific "electronic assemblies",
: modules and integrated circuits for "information security", as
: follows, and other specially designed components therefor:
:
: N.B. For the control of global navigation satellite systems receiving
: equipment containing or employing decryption (i.e. GPS or GLONASS),
: see 7.A.5.
:
:
: 5. A. 2. a. 1. Designed or modified to use "cryptography" employing
: digital techniques performing any cryptographic function other than
: authentication or digital signature having any of the following:
This is where we get to the meat of the prohibition. Note that there
are two sub-headings to 5.A.2.a.1 below, namely a. and b. 5.A.2.a.1.a
controls symmetric algorithms and 5.A.2.a.1.b controls asymmetric
algorithms.
: Technical Notes
: 1. Authentication and digital signature functions include their
: associated key management function.
: 2. Authentication includes all aspects of access control where there
: is no encryption of files or text except as directly related to the
: protection of passwords, Personal Identification Numbers (PINs) or
: similar data to prevent unauthorised access.
: 3. "Cryptography" does not include "fixed" data compression or coding
: techniques.
:
: Note 5.A.2.a.1. includes equipment designed or modified to use
: "cryptography" employing analogue principles when implemented with
: digital techniques.
:
: 5. A. 2. a. 1. a. A "symmetric algorithm" employing a key length in
: excess of 56-bits; or
So 56 bit DES is legal, but nothing stronger.
: b. An "asymmetric algorithm" where the security of the algorithm is
: based on any of the following:
: 1. Factorisation of integers in excess of 512-bits (e.g., RSA);
: 2. Computation of discrete logarithms in a multiplicative group of a
: finite field of size greater than 512-bits (e.g., Diffie-Hellman
: over Z/pZ); or
: 3. Discrete logarithms in a group other than mentioned in
: 5.A.2.a.1.b.2. in excess of 112-bits (e.g., Diffie-Hellman over an
: elliptic curve);
Interesting that the public key algorithms are called out in this fasion.
There are some PK algorithms which are based on other problems than those
listed here, such as the McEliece algorithm, based on error correcting
codes. However it would no doubt be an easy matter for the Wassenaar
group to revise this definition if a new PKC system went into common use.
: 2. Designed or modified to perform cryptanalytic functions;
:
: 3. Deleted;
:
: 4. Specially designed or modified to reduce the compromising
: emanations of information-bearing signals beyond what is necessary for
: health, safety or electromagnetic interference standards;
:
: 5. Designed or modified to use cryptographic techniques to generate
: the spreading code for "spread spectrum" or the hopping code for
: "frequency agility" systems;
:
: 6. Designed or modified to provide certified or certifiable
: "multilevel security" or user isolation at a level exceeding Class-B2
: of the Trusted Computer System Evaluation Criteria (TCSEC) or
: equivalent;
:
: 7. Communications cable systems designed or modified using mechanical,
: electrical or electronic means to detect surreptitious intrusion.
We now come to some more exemptions, but none of them would apply to
PGP-style encryption software.
: Note 5.A.2. does not control:
:
: a. "Personalised smart cards" where the cryptographic capability is
: restricted for use in equipment or systems excluded from control under
: entries b. to f. of this Note;
: N.B. If a "personalised smart card" has multiple functions, the
: control status of each function is assessed individually.
In other words, you can export a smartcard, but only if its crypto
functions are limited to those below.
: b. Receiving equipment for radio broadcast, pay television or similar
: restricted audience television of the consumer type, without digital
: encryption except that exclusively used for sending the billing or
: programme-related information back to the broadcast providers;
:
: c. Equipment where the cryptographic capability is not user-accessible
: and which is specially designed and limited to allow any of the
: following:
: 1. Execution of copy-protected software;
: 2. Access to any of the following:
: a. Copy-protected read-only media; or
: b. Information stored in encrypted form on media (e.g. in connection
: with the protection of intellectual property rights) when the media is
: offered for sale in identical sets to the public; or
: 3. One-time copying of copyright protected audio/video data.
Some readers of earlier summaries of exemptions proposed simply defining
their use of cryptography to be for the purpose of protecting their
intellectual property. However we see here that the I.P. requirement
applies only to material distributed on media which is offered for sale
in identical sets to the public, and the software is designed only to
allow access to such media.
: d. Cryptographic equipment specially designed and limited for banking
: use or money transactions;
: Technical Note
: 'Money transactions' in 5.A.2. Note d. includes the collection and
: settlement of fares or credit functions.
This is a relatively wide exemption for electronic commerce software.
: e. Portable or mobile radiotelephones for civil use (e.g., for use
: with commercial civil cellular radiocommunications systems) that are
: not capable of end-to-end encryption;
:
: f. Cordless telephone equipment not capable of end-to-end encryption
: where the maximum effective range of unboosted cordless operation
: (i.e., a single, unrelayed hop between terminal and home basestation)
: is less than 400-metres according to the manufacturer's
: specifications.
None of these other exemptions appear to be relevant.
The remainder of the part is included for completeness, but it is not
particularly relevant.
: 5. B. 2. TEST, INSPECTION AND PRODUCTION EQUIPMENT
:
: a. Equipment specially designed for:
:
: 1. The "development" of equipment or
: functions controlled by Category-5 - Part-2, including measuring
: or test equipment;
: 2. The "production" of equipment or
: functions controlled by Category-5 - Part-2, including
: measuring, test, repair or production equipment.
:
: b. Measuring equipment specially designed to
: evaluate and validate the "information security" functions controlled
: by 5.A.2. or 5.D.2.
:
:
: 5. C. 2. MATERIALS - None
:
:
: 5. D. 2. SOFTWARE
:
: a. "Software" specially designed or modified for the "development",
: "production" or "use" of equipment or "software" controlled by
: Category-5-- Part 2;
: b. "Software" specially designed or modified to support "technology"
: controlled by 5.E.2.;
: c. Specific "software", as follows:
: 1. "Software" having the characteristics, or performing or simulating
: the functions of the equipment controlled by 5.A.2. or 5.B.2.;
: 2. "Software" to certify "software" controlled by 5.D.2.c.1.
:
: Note 5.D.2. does not control:
: a. "Software" required for the "use" of equipment excluded from
: control under the Note to 5.A.2.;
: b. "Software" providing any of the functions of equipment excluded
: from control under the Note to 5.A.2.
:
:
: 5. E. 2. TECHNOLOGY
:
: a. "Technology" according to the General Technology Note for the
: "development", "production" or "use" of equipment or "software"
: controlled by Category-5 - Part 2.