Eric,

The humorous side of me would argue that RC4 isn't encryption any more than 
ROT13 is these days.

The serious side of me says that exportation of encryption stuff has changed 
significantly and is full of weirdness and vagueness. Since you don't state your 
country of origin it's difficult to know what to suggest to look for; my 
assumption is that you are US based, in which case you should probably look at 
the US Export restrictions available from the Dept of Commerce (?). From 
memory, encryption got controlled more when the bit length got longer and 
longer. I recall that it used to be that 40 bit RC4 was OK and I *think* that 
the bit length is now longer (128bit?) as it has been shown that 40 bit RC4 is 
as much use as a chocolate fireguard.

It also depends on where you are exporting to. The US has a list of countries 
that it is forbidden to trade with (with various exceptions), e.g. North Korea, 
Sudan can't even get ROT13 legally.

I know that RC4 used to have US and export versions which had different key 
lengths. I *think* that has now changed. 

This link talks about the relaxation of export regulations on encryption but as 
a normal piece of govt literature it's rather opaque (to say the least). Give it 
to the lawyers though to keep them busy.

http://www.gpo.gov/fdsys/pkg/FR-2010-06-25/pdf/2010-15072.pdf

This is also a good site 

http://www.cryptolaw.org

One paragraph sticks out

"On 7 January 2011, a minor amendment was made to the EAR (Federal Register 
<http://www.gpo.gov/fdsys/pkg/FR-2011-01-07/pdf/2010-32803.pdf> Vol. 76, No. 5, 
p. 1059). Publicly available mass-market encryption object code software (with 
symmetric key length exceeding 64 bits), and publicly available encryption 
object code of which the corresponding source code falls under License 
Exception TSU (i.e., when the source code is publicly available), are no 
longer subject to the EAR. The amendment includes some minor specific 
revisions."

I read this as: if your use of RC4 is 64 bit (or less) and it's publicly 
available then you may have a license Exception anyway.

My view is that you need to work with the lawyers on this and "educate" them as 
to what encryption is and what generating random numbers is.

You can also demonstrate that most browsers have RC4 with what appears to be 
128 bit encryption by going to 

https://cc.dcsec.uni-hannover.de

It tells you the encryption supported by your browser. Here's mine, I have 
128bit RC4 encryption (it's near the bottom).

Cipher Suites Supported by Your Browser (ordered by preference):

Spec     Cipher Suite Name              Key Size  Description
(00,ff)  EMPTY-RENEGOTIATION-INFO-SCSV  0 Bit     Used for secure renegotation.
(c0,24)  ECDHE-ECDSA-AES256-SHA384      256 Bit   Key exchange: ECDH, encryption: AES, MAC: SHA384.
(c0,23)  ECDHE-ECDSA-AES128-SHA256      128 Bit   Key exchange: ECDH, encryption: AES, MAC: SHA256.
(c0,0a)  ECDHE-ECDSA-AES256-SHA         256 Bit   Key exchange: ECDH, encryption: AES, MAC: SHA1.
(c0,09)  ECDHE-ECDSA-AES128-SHA         128 Bit   Key exchange: ECDH, encryption: AES, MAC: SHA1.
(c0,08)  ECDHE-ECDSA-3DES-EDE-SHA       168 Bit   Key exchange: ECDH, encryption: 3DES, MAC: SHA1.
(c0,28)  ECDHE-RSA-AES256-SHA384        256 Bit   Key exchange: ECDH, encryption: AES, MAC: SHA384.
(c0,27)  ECDHE-RSA-AES128-SHA256        128 Bit   Key exchange: ECDH, encryption: AES, MAC: SHA256.
(c0,14)  ECDHE-RSA-AES256-SHA           256 Bit   Key exchange: ECDH, encryption: AES, MAC: SHA1.
(c0,13)  ECDHE-RSA-AES128-SHA           128 Bit   Key exchange: ECDH, encryption: AES, MAC: SHA1.
(c0,12)  ECDHE-RSA-3DES-EDE-SHA         168 Bit   Key exchange: ECDH, encryption: 3DES, MAC: SHA1.
(c0,26)  ECDH-ECDSA-AES256-SHA384       256 Bit   Key exchange: ECDH, encryption: AES, MAC: SHA384.
(c0,25)  ECDH-ECDSA-AES128-SHA256       128 Bit   Key exchange: ECDH, encryption: AES, MAC: SHA256.
(c0,05)  ECDH-ECDSA-AES256-SHA          256 Bit   Key exchange: ECDH, encryption: AES, MAC: SHA1.
(c0,04)  ECDH-ECDSA-AES128-SHA          128 Bit   Key exchange: ECDH, encryption: AES, MAC: SHA1.
(c0,03)  ECDH-ECDSA-3DES-EDE-SHA        168 Bit   Key exchange: ECDH, encryption: 3DES, MAC: SHA1.
(c0,2a)  ECDH-RSA-AES256-SHA384         256 Bit   Key exchange: ECDH, encryption: AES, MAC: SHA384.
(c0,29)  ECDH-RSA-AES128-SHA256         128 Bit   Key exchange: ECDH, encryption: AES, MAC: SHA256.
(c0,0f)  ECDH-RSA-AES256-SHA            256 Bit   Key exchange: ECDH, encryption: AES, MAC: SHA1.
(c0,0e)  ECDH-RSA-AES128-SHA            128 Bit   Key exchange: ECDH, encryption: AES, MAC: SHA1.
(c0,0d)  ECDH-RSA-3DES-EDE-SHA          168 Bit   Key exchange: ECDH, encryption: 3DES, MAC: SHA1.
(00,6b)  DHE-RSA-AES256-SHA256          256 Bit   Key exchange: DH, encryption: AES, MAC: SHA256.
(00,67)  DHE-RSA-AES128-SHA256          128 Bit   Key exchange: DH, encryption: AES, MAC: SHA256.
(00,39)  DHE-RSA-AES256-SHA             256 Bit   Key exchange: DH, encryption: AES, MAC: SHA1.
(00,33)  DHE-RSA-AES128-SHA             128 Bit   Key exchange: DH, encryption: AES, MAC: SHA1.
(00,16)  DHE-RSA-3DES-EDE-SHA           168 Bit   Key exchange: DH, encryption: 3DES, MAC: SHA1.
(00,3d)  DH-RSA-MISTY1-SHA              128 Bit   Key exchange: DH, encryption: MISTY1, MAC: SHA1.
(00,3c)  DH-DSS-MISTY1-SHA              128 Bit   Key exchange: DH, encryption: MISTY1, MAC: SHA1.
(00,35)  RSA-AES256-SHA                 256 Bit   Key exchange: RSA, encryption: AES, MAC: SHA1.
(00,2f)  RSA-AES128-SHA                 128 Bit   Key exchange: RSA, encryption: AES, MAC: SHA1.
(00,0a)  RSA-3DES-EDE-SHA               168 Bit   Key exchange: RSA, encryption: 3DES, MAC: SHA1.
(c0,07)  ECDHE-ECDSA-RC4128-SHA         128 Bit   Key exchange: ECDH, encryption: RC4, MAC: SHA1.
(c0,11)  ECDHE-RSA-RC4128-SHA           128 Bit   Key exchange: ECDH, encryption: RC4, MAC: SHA1.
(c0,02)  ECDH-ECDSA-RC4128-SHA          128 Bit   Key exchange: ECDH, encryption: RC4, MAC: SHA1.
(c0,0c)  ECDH-RSA-RC4128-SHA            128 Bit   Key exchange: ECDH, encryption: RC4, MAC: SHA1.
(00,05)  RSA-RC4128-SHA                 128 Bit   Key exchange: RSA, encryption: RC4, MAC: SHA1.
(00,04)  RSA-RC4128-MD5                 128 Bit   Key exchange: RSA, encryption: RC4, MAC: MD5.

Further information:

User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/600.7.12 
(KHTML, like Gecko) Version/8.0.7 Safari/600.7.12
Preferred SSL/TLS version: TLSv1
SNI <https://en.wikipedia.org/wiki/Server_Name_Indication> information: 
cc.dcsec.uni-hannover.de
SSL stack current time: Tue, 11 Aug 2015 15:57:46

This connection uses TLSv1.2 with ECDHE-RSA-AES256-SHA384 and a 256 Bit key for 
encryption.

> On 11 Aug 2015, at 14:30, Eric Hill <Eric.Hill at jmp.com> wrote:
> 
> Sorry to bother folks with this.
> 
> We're getting some pushback from our lawyers suggesting that SQLite's use of 
> RC4 even just to generate random numbers is, in their minds, encryption for 
> export purposes.  Now, this makes absolutely no sense to me, I can assure 
> you, and I am not finding anything online that would suggest that is a valid 
> position, but I'm wondering if this has come up before and if you have any 
> good ammunition for dealing with such an argument.
> 
> Thanks,
> 
> Eric
> _______________________________________________
> sqlite-users mailing list
> sqlite-users at mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
