US encryption regulations


June 1993

Computer Fraud & Security Bulletin

cryptographer need only keep lengthening his key modulus.

The history of cryptography is one of leap frog between the cryptographer and cryptanalyst. However, the race is always to the cryptographer. History teaches us whatever technology reduces the job of breaking today’s codes to triviality, will also enable much more complex and powerful codes. After all, that is the definition. The essence of secret codes. That is, they are codes where the cost of decoding is cheaper for parties to the secret than to others.

William Hugh Murray

US encryption regulations

In the April 1993 issue on page 4 in an article entitled “Hackers switch sides and become encryption developers”, Mike Moeller says, “It is against the law in the US to sell encryption software that has not been approved by the NSA.” While this is the kind of disinformation that the NSA loves and while it is impossible in the US, where legislation is rampant, to demonstrate the absence of a law, I follow this field very closely and am aware of no such law. A citation of any such law by Mr. Moeller would be very helpful. The US regulates all commerce across its borders. Specifically, there are laws that regulate the import and export of munitions and the US government classifies all encryption mechanisms as munitions. It is unlikely that the government would sanction the export of any secret (from them) and proprietary algorithm. There are regulations, some rooted in law, that govern how the government itself will use encryption. Such regulations would generally prohibit the use by the government of any secret and proprietary mechanism unless the government itself were the proprietor. Under these regulations encryption mechanisms used for national security applications must be provided by NSA. Historically, all mechanisms used by the government for other applications have been vetted by NSA. Recently a secret algorithm developed by NSA has been proposed by the Clinton administration for public use.

There are government programmes that permit and encourage the use of particular mechanisms in favour of others. The NSA encourages the use of hardware-based encryption and actively discourages the use of software-based mechanisms.

The Clinton administration has questioned the right of American citizens to strong encryption. They assert that they believe that the use of such powerful mechanisms is inimical to the interests of law and order. (In fact, the widespread use of any encryption is inimical to efficient signals intelligence.) However, to the very best of my informed knowledge, there is no law that prohibits or even regulates the sale of any encryption software within the US. This field is sufficiently mined with fear, uncertainty, and doubt. Please do not add to the confusion.

William Hugh Murray

WHEN SHOULD YOU PERFORM A RISK ASSESSMENT?

Charles Cresson Wood

The underpinnings of every successful information systems security effort invariably include risk assessments. Please note that the plural has been used. A single risk assessment is never enough. The complexity of and rapid changes made to today’s computing environments can only be understood through periodic risk assessments.

©1993 Elsevier Science Publishers Ltd