Matthew Winn wrote:
On Mon, 19 Mar 2007 09:22:08 -0600, Josh <[EMAIL PROTECTED]> wrote:
There are no patent issues, but there is export issues, I live in the US
The reason I suggested Rijndael is because there are no US export
issues. Not only was it developed in Flanders so implementations
outside the US abound, but also as Rijndael was the winning AES
candidate the export of Rijndael implementations from the US is
explicitly permitted. See the final paragraph of
<http://csrc.nist.gov/CryptoToolkit/aes/aesfact.html>
To clarify, based on my understanding: if software is exported from the
U.S., which vim arguably is, and it is capable of powerful encryption
(64-bit symmetric keys, other limits for public-key/elliptic
algorithms), then it _is_ subject to export restrictions. As the linked
page says, it is exportable, but subject to a one-time review prior to
export. It doesn't matter if all it does is call a subroutine that was
developed in another country or even if the library itself was subjected
to review and approval (e.g. see Legal Notices at
http://aescrypt.sourceforge.net/). The regulations are at
http://www.bis.doc.gov/encryption/Default.htm
However, starting in June, 2002, the notification for "Publicly
Available" Encryption Source Code (open-source) is very simple, just
submitting the URL. See
http://www.bis.doc.gov/encryption/PubAvailEncSourceCodeNofify.html
But, on the other hand, the code is not supposed to be exported to
certain countries. Mozilla says "(currently Cuba, Iran, Libya, North
Korea, Sudan and Syria)"
(http://www.mozilla.org/projects/security/pki/src/download.html). See
also http://www.mozilla.org/crypto-faq.html
Including AES in vim might require that mirror servers in the U.S. set
up IP range blocking for these countries. I don't know, I am not a
lawyer. Note that I am not arguing that the export regulations make
sense or are effective!
Blowfish is only 56 bits, so it is not subject to export regulations.
It is probably unbreakable to anyone except the NSA or the equivalent in
resourceful foreign countries. (That is, if you choose your keys well.)
A determined attacker _might_ be able to break it, but there are usually
simpler ways of getting information (malware, hardware key loggers,
etc.). If you don't think that Blowfish is sufficient, please explain
why and specify what kind of threat you are trying to protect against.
Ken Hirsch
P.S. It's also really easy to use external commands for encryption. See
gnupg.vim at http://www.vim.org/scripts/script.php?script_id=661
Or, if you have OpenSSL installed, you could do something like this:
:augroup aes256
: autocmd!
: autocmd BufReadPre,FileReadPre *.aes set bin
: autocmd BufReadPost,FileReadPost *.aes '[,']!openssl enc -d
-aes-256-cbc
: autocmd BufReadPost,FileReadPost *.aes set nobin
: autocmd BufReadPost,FileReadPost *.aes execute ":doautocmd
BufReadPost " . expand("%:r")
: autocmd BufWritePost,FileWritePost *.aes !mv <afile> <afile>:r
: autocmd BufWritePost,FileWritePost *.aes !openssl enc -e
-aes-256-cbc -in <afile>:r -out <afile>
: autocmd FileAppendPre *.aes !openssl enc -d -aes-256-cbc -in
<afile> -out <afile>:r
: autocmd FileAppendPre *.aes !mv <afile>:r <afile>
: autocmd FileAppendPost *.aes !mv <afile> <afile>:r
: autocmd FileAppendPost *.aes !openssl enc -e -aes-256-cbc -in
<afile>:r -out <afile>
:augroup END
