At 03:24 PM 9/30/99 -0400, Andy Maslar wrote:
>At the risk of being flamed for being a hopeless newbie, or perhaps as
>one asking a practical question about export regs, (something that seems
>in bad taste lately) I will nevertheless proceed:
>
>Are hash functions (MD5 specifically) controlled by export regs?
"It all depends."
If you're embedding it in a product and using it just to do authentication
or integrity checking, then it falls outside of the export regulations.
If you're embedding it in a product and using it to hide information (i.e.
a stream cipher where the one way hash function generates the keystream)
then you need to submit it for review. If it has the effective strength of
a 40 bit or 56 bit cipher, then you can probably export it (assuming they
finish their review in a timely manner).
If you just want to post some source code on your web site or include it in
something that might be exported, then I don't know for sure. Read over the
regulations (BXA, the Bureau of Export Administration, has them on the web
somewhere). If there isn't language in the regulations that declares one
way hash functions to be encryption algorithms, then it should be OK. But
you might want to ask an export control lawyer.
Rick.
[EMAIL PROTECTED]
"Internet Cryptography" at http://www.visi.com/crypto/
