Raul Miller <[EMAIL PROTECTED]> writes: > If the hook supports, say, an 8 bit key, that means it's not a restricted > piece of munitions, right? But if a hook supports, say, a 448 bit key, > that means it's a restricted piece of munitions, right? But what about > a hook that doesn't care about keys? <SNIP> > Ok, nothing illegal about that. Replace hash() with a 16 or 32 bit > checksum, and you're fine, regardless of the size of your key. But, > replace hash with md5sum (use Digest::MD5 'md5'), and all of a sudden > you've got a 128 bit algorithm you can't export. But that didn't make > the stupid xor encryption routine illegal. <SNIP>
A common misconception. Under the old (1999 and earlier) encryption export controls, _all_ encryption had to apply for an export license - even the stupid "xor with some fixed byte" method. _However_, RSA inc. had reached an agreement with the US government allowing for an automatic export license for encryption technology _using_RSA_ with a key length of less than n bits, where n too small to provide real security. My father's company once released a little one-off utility internally that required a password which was stored XOR'ed with FF. The company in question is multinational, and they had to apply for an export license to send it to their offices in Europe. (The license was granted very quickly, but they still had to apply) Also, it is my belief that secure hashes were not in and of themselves considered to be cryptographic technologies requiring export permission, but I'm uncertain on that detail.