facts about encryption in US

juliusctw
Posts: 392
Joined: Fri Apr 21, 2006 6:56 am

facts about encryption in US

Post by juliusctw »

Did you guys know that it is illegal in the US to distribute anything that has encryption? I was programming a game that has encryption and I realized that what I was doing was illegal. I wonder how other companies do it.
CuteAlien
Admin
Posts: 9734
Joined: Mon Mar 06, 2006 2:25 pm
Location: Tübingen, Germany

Re: facts about encryption in US

Post by CuteAlien »

juliusctw wrote: Did you guys know that it is illegal in the US to distribute anything that has encryption? I was programming a game that has encryption and I realized that what I was doing was illegal. I wonder how other companies do it.
Hm, I thought it's only illegal to export certain kinds of encryption from the US to other countries. And since the DMCA it's illegal to circumvent any kind of encryption.
buhatkj
Posts: 444
Joined: Fri Dec 12, 2003 4:53 am

still illegal?

Post by buhatkj »

Huh, I thought they had repealed that export restriction thing on common encryption. I think it's only the top secret military ciphers and obviously any top secret stuff that is export-restricted now.
It used to be that just simple PGP or RSA was considered export restricted, I do remember that.
I'm pretty sure CuteAlien is right about the DMCA too...
My irrlicht-based projects have gone underground for now, but if you want, check out my webcomic instead! http://brokenboomerang.net
sRc
Posts: 431
Joined: Thu Jul 28, 2005 1:44 am
Location: Salt Lake City, Utah

Post by sRc »

It used to be illegal to distribute in digital form anything that had strong encryption that was developed inside the US to outside the US. There were ways to work around that, like what PGP did. They exported a book with the PGP source code, then scanned it up with OCR software, then compiled it. That was legal, since it wasn't in its digital form.

And anyway, it did change:

http://www.cdt.org/crypto/admin/000110cryptoregs.shtml
SUMMARY: This rule amends the Export Administration Regulations (EAR) to allow the export and reexport of any encryption commodity or software to individuals, commercial firms, and other non-government end-users in all destinations. It also allows exports and reexports of retail encryption commodities and software to all end-users in all destinations. Post-export reporting requirements are streamlined, and changes are made to reflect amendments to the Wassenaar Arrangement. This rule implements the encryption policy announced by the White House on September 16 and will simplify U.S. encryption export rules. Restrictions on terrorist supporting states (Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria), their nationals and other sanctioned entities are not changed by this rule.
Basically you can't distribute in terrorist nations, that's all.
The Bard sRc

juliusctw
Posts: 392
Joined: Fri Apr 21, 2006 6:56 am

yes you guys are right

Post by juliusctw »

hello

your cuteAlien, you are allowed to export to foreign countries, except for the terrorist countries,
but the way I had understood it was that putting it on the "internet" allows terrorist nations to have access to the encryption, so putting it online would be considered as "exporting", and illegal.

My question is, what if I just build a binding for PGP, or to another encryption library? Would that be illegal too?
iona
Posts: 19
Joined: Mon May 29, 2006 6:29 pm

Post by iona »

AFAIK it's legal to export all kinds of encryption technology if it uses keys shorter than (I may be wrong here) 1024 bits.
DeusXL
Posts: 114
Joined: Sun Mar 14, 2004 9:37 am

Post by DeusXL »

iona wrote: AFAIK it's legal to export all kinds of encryption technology if it uses keys shorter than (I may be wrong here) 1024 bits.
It's different in other countries and with other algorithms... .NET's encryption system allows only keys <= 1024 bits (in France at least) for RSA (even if there is a little bug that indicates 16384) and 64 for DES...
Irrlicht .NET complete and Cross Platform Wrapper
The kid on my avatar wrote:A painless lesson is one without any meaning
jam
Posts: 409
Joined: Fri Nov 04, 2005 3:52 am

Post by jam »

A very wordy paper on current US export laws.

http://rechten.uvt.nl/koops/cryptolaw/cls2.htm#us_1

  • free for export are: all symmetric crypto products of up to 56 bits, all asymmetric crypto products of up to 512 bits, and all subgroup-based crypto products (including elliptic curve) of up to 112 bits;
  • mass-market symmetric crypto software and hardware of up to 64 bits are free for export (the 64-bit limit was deleted on 1 December 2000, see below);
  • the export of products that use encryption to protect intellectual property (such as DVDs) is relaxed;
  • export of all other crypto still requires a license.
Games fall under the third option.
system-independent, adj.:
Works equally poorly on all systems.
-- unknown
juliusctw
Posts: 392
Joined: Fri Apr 21, 2006 6:56 am

i read that too

Post by juliusctw »

yeah,

I have read that paper before. I think for the purpose of verifying the server it is fine,
but what about games that involve peer-to-peer chatting? This p2p chatting doesn't go through "me", the central server, so I have no control over the content, so I think the gov will have hell with that if I encrypted "too well".

My alternative is to build bindings for users to have encryption if they use a third party library, and I only provide encryption to verify the server. Opinions?
jam
Posts: 409
Joined: Fri Nov 04, 2005 3:52 am

Post by jam »

Well, if you think your users will have enough bandwidth you could also try chaffing and winnowing for the chatting.
system-independent, adj.:
Works equally poorly on all systems.
-- unknown
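
Chaffing and winnowing, named in the last post, is Rivest's scheme in which every message bit is sent in the clear with a MAC, next to a decoy bit carrying a random tag, and only the key holder can tell the two apart. The sketch below is an added example, not code from the thread; the function names and the packet layout (8-byte serial, 1-byte bit, HMAC-SHA256 tag) are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

MAC_LEN = 32      # HMAC-SHA256 tag length in bytes
SERIAL_LEN = 8    # assumed packet layout: 8-byte serial, 1-byte bit, 32-byte tag

def _tag(key, serial, bit):
    """MAC over (serial, bit); the bit itself travels in the clear."""
    msg = serial.to_bytes(SERIAL_LEN, "big") + bytes([bit])
    return hmac.new(key, msg, hashlib.sha256).digest()

def chaff(key, message):
    """Sender: for every message bit emit wheat (valid MAC) plus chaff (random MAC)."""
    packets = []
    for serial in range(len(message) * 8):
        bit = (message[serial // 8] >> (7 - serial % 8)) & 1
        pair = [(serial, bit, _tag(key, serial, bit)),
                (serial, bit ^ 1, os.urandom(MAC_LEN))]
        if secrets.randbits(1):   # randomise order so position leaks nothing
            pair.reverse()
        packets.extend(pair)
    return packets

def winnow(key, packets):
    """Receiver: keep only packets whose MAC verifies, then reassemble the bytes."""
    bits = {}
    for serial, bit, tag in packets:
        if hmac.compare_digest(tag, _tag(key, serial, bit)):
            bits[serial] = bit
    if sorted(bits) != list(range(len(bits))) or len(bits) % 8:
        raise ValueError("missing or tampered wheat packets")
    out = bytearray(len(bits) // 8)
    for serial, bit in bits.items():
        out[serial // 8] |= bit << (7 - serial % 8)
    return bytes(out)

def wire_bytes(packets):
    """Total bytes on the wire for a packet list under the assumed layout."""
    return len(packets) * (SERIAL_LEN + 1 + MAC_LEN)

if __name__ == "__main__":
    key = os.urandom(32)                      # constructed shared MAC key
    pkts = chaff(key, b"gg wp")               # constructed chat line
    print(winnow(key, pkts), wire_bytes(pkts), "bytes for 5 bytes of chat")
```

Under this layout each plaintext bit costs two 41-byte packets, so one byte of chat becomes 656 bytes on the wire, which is the bandwidth cost the post alludes to.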