I don't doubt that the restrictions on key sizes are related to a particular 
government's ability to decrypt.  When DES was first introduced (I'm showing 
my age here) it used a 64 bit key space but only a 56 bit key.  Officially, 
the extra 8 bits were (and are; DES is still in use) "parity bits"; I use 
quotes because nobody actually believed this.  In fact, it is ridiculous 
because parity bits make the key easier to crack (by greatly reducing the 
number of valid key combinations).  It was at the time an accepted fact that 
the real reason was that the NSA was able to break a 56 bit key quickly.

But back to the issue at hand.

To me the logical solution is to structure the software so that the encryption 
engine is a "plug in", not in the sense that plug in is used with web 
content; rather in the sense of defining a generic encryption interface and 
putting the information in a .so file (or in a DLL for Windoze).

This would actually be fairly easy to implement; we could probably reuse most 
of the code that handles the encrypted tunnel connection capability in VNC.

I 

On Wednesday 04 September 2002 21:13, Stephan Edelman wrote:
> > It was my impression that there were no restrictions on the use of IDEA as it
> > is in the public domain; has this changed?  If the problem is the source country
> > for the encryption software, then it can be addressed.  I'm not sure, though,
> > that I fully understand the restriction.
>
> I do not believe this is correct, IDEA has been encumbered with patent
> restrictions since day one. It's owned by MediaCrypt and they have
> indicated that they will seek enforcement under international copyright
> laws of their rights under this patent for commercial applications. I'm not
> sure what the status is for non-commercial use.
>
> A much better choice is the symmetric Blowfish cipher, which is completely
> unencumbered by any patents. It's reasonably fast (as compared to 3DES or
> even standard DES) and is extremely simple to implement. Of course, the
> minute you encrypt any data with 128 bits or greater, your application
> immediately falls under the US & Canadian (and many other friendly nations)
> export regulations which effectively prevents export or re-export of the
> software, and yes, even if you're the developer!
>
> In many countries, this is serious business as encryption technology
> appears on the ML (munitions list), causing exporters of software
> containing strong encryption (128-bits or greater) to be treated as "arms
> dealers" if they do so without the proper clearance from the regulatory
> agencies.
>
> In my opinion, the regulations are set up in such a way to allow the general
> public to only make use of encryption technology and strengths for which
> the government has computing equipment available that allows them to
> decrypt these messages (in the interest of national security, so they say).
> It's been suggested that 128-bit encryption technology found in SSL (secure
> sockets layer) communications has now officially been compromised since the
> cost for building a computer to brute force (try every combination) decrypt
> these messages can be built for under US $1 Billion. This is in the range
> of many governments' budgets, and it's almost certain that the NSA has such
> capabilities.
>
> The problem with this is that it is fairly trivial to set the keysize of
> even the blowfish cipher to 256-bit or even 512-bits (symmetric) which
> would make it impossible to decrypt with current computing technology.
> Export of software containing such strong encryption technology is almost
> certain to be denied an export license. Of course, within a country it can
> be readily used, and many websites merely ask you if you are a resident of
> that country. Now, a terrorist would most certainly answer that question
> truthfully and exit the site without downloading the technology, right?
> (not to mention that the source is readily available from many sources)
>
> Stephan.
>
> > On Wednesday 04 September 2002 18:01, Robert Davis wrote:
> > > Come on some of you programming geniuses on this list
> > > help him out. I KNOW this would definitely benefit me.
> > > And if I had the programming skill in C beyond the basic
> > > "hello world" ability I would do it for him.
> > > ---ORIGINAL MESSAGE BELOW FROM TIGHT VNC LIST----------
> > > Message: 7
> > > Date: Sun, 01 Sep 2002 17:02:23 +0200 (MET DST)
> > > From: "Mas LIARFO" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Subject:
> > >
> > > Hi all,
> > >
> > > I've got bad news.
> > >
> > > As an individual living in France it seems that I'm not allowed to
> > > "export" a software that uses encryption. Not without a special Government
> > > authorisation that can take weeks (the software has to be evaluated,
> > > approved and so on...).
> > > Seems that I'm only allowed to use 128 bits encryption (the limit) for
> > > my personal and private use only.
> > >
> > > FYI, GnuPG and OpenSSL are officially allowed to be used/imported/exported
> > > in France only since mid-August 2002 !
> > >
> > > So people planning to implement/use encryption in VNC (or other Free
> > > projects) should first be very careful with the legislation of their
> > > countries regarding encryption.
> > >
> > > As a consequence, I must cancel the release of eSVNC 1.1.2 with
> > > built-in encryption until I've got more information.
> > >
> > > Maybe I will leave the source code "encryption ready" but without the
> > > TwoFish and MD5 algos sources. This way someone allowed could easily
> > > release an encrypted version.
> > >
> > > I'm currently emailing to people in France that could help me on this
> > > subject.
> > > But there's good chance that the built-in encryption in eSVNC is
> > > born dead.
> > >
> > > Anyway, I will continue my development effort on new features for
> > > eSVNC and a release should occur soon.
> > >
> > > And who knows, maybe there's specific permissive laws for OpenSource
> > > software with encryption ?
> > >
> > >
> > > Sam :-/
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > VNC-List mailing list
> > > [EMAIL PROTECTED]
> > > http://www.realvnc.com/mailman/listinfo/vnc-list
> >
> > --
> > -----------------------------------
> > Seth Kurtzberg
> > M. I. S. Corp.
> > 1-480-661-1849
>

-- 
-----------------------------------
Seth Kurtzberg
M. I. S. Corp.
1-480-661-1849
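
The plug-in structure proposed at the top of this message, sketched as an added example; it is not code from VNC, eSVNC or anyone on the list. The `struct cipher_plugin` layout, the exported symbol name `cipher_plugin`, the return codes and the `max_key_bits` policy knob are all hypothetical, and the loader assumes a POSIX system with `dlopen`.

```c
#include <dlfcn.h>
#include <stddef.h>

#define CIPHER_ABI_VERSION 1u

/* Hypothetical descriptor each plug-in exports under the symbol "cipher_plugin". */
struct cipher_plugin {
    unsigned abi_version;              /* must equal CIPHER_ABI_VERSION */
    const char *name;                  /* e.g. "blowfish" */
    unsigned key_bits;                 /* key size the module implements */
    void *(*init)(const unsigned char *key, size_t key_len);
    int (*encrypt)(void *ctx, unsigned char *buf, size_t len);
    int (*decrypt)(void *ctx, unsigned char *buf, size_t len);
    void (*destroy)(void *ctx);
};

enum { PLUGIN_OK = 0, PLUGIN_BAD_PATH, PLUGIN_LOAD_FAILED, PLUGIN_NO_SYMBOL,
       PLUGIN_BAD_ABI, PLUGIN_INCOMPLETE, PLUGIN_BAD_KEY_BITS };

/* Reject descriptors the host cannot safely call. max_key_bits is a host
   policy setting (0 = no limit) for builds that must cap the key length. */
int cipher_plugin_check(const struct cipher_plugin *p, unsigned max_key_bits)
{
    if (p == NULL) return PLUGIN_NO_SYMBOL;
    if (p->abi_version != CIPHER_ABI_VERSION) return PLUGIN_BAD_ABI;
    if (!p->name || !p->init || !p->encrypt || !p->decrypt || !p->destroy)
        return PLUGIN_INCOMPLETE;
    if (p->key_bits == 0 || (max_key_bits && p->key_bits > max_key_bits))
        return PLUGIN_BAD_KEY_BITS;
    return PLUGIN_OK;
}

/* Load from an absolute path only, so the library search path
   (LD_LIBRARY_PATH, current directory) cannot substitute another module. */
int cipher_plugin_load(const char *path, unsigned max_key_bits,
                       void **handle, const struct cipher_plugin **out)
{
    *handle = NULL;
    *out = NULL;
    if (path == NULL || path[0] != '/') return PLUGIN_BAD_PATH;
    void *h = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (h == NULL) return PLUGIN_LOAD_FAILED;
    const struct cipher_plugin *p = dlsym(h, "cipher_plugin");
    int rc = cipher_plugin_check(p, max_key_bits);
    if (rc != PLUGIN_OK) { dlclose(h); return rc; }
    *handle = h;
    *out = p;
    return PLUGIN_OK;
}
```

The host binary built this way contains no cipher code of its own; a loaded module runs with the host's full privileges, so the plug-in directory should be writable only by the administrator.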