
Encryption legal restrictions

This question is about legal restrictions on encryption systems available to the general (American) public.

I seem to remember years ago, like during the Clinton administration, a big brouhaha about encryption.  There was big talk about limiting the legal key length, if I recall.  Is it now just assumed that intelligence agencies and police can crack any encryption (other than a one-time pad system)?  Whatever happened to that issue?

Also, regarding one-time pad systems, they're generally regarded as unbreakable, as far as I know, assuming they're implemented properly.  So, if there's any system that should be of concern to law enforcement, Etc., it should be one-time pad systems.  Are there legal restrictions on their use?  From a technical standpoint, as I understand it, the major problem with creating a one-time pad system is generating random numbers.  The "random numbers" generated by computer program functions that purport to do so are generally just quasi-random, not truly random, again, as I understand it.  Are there programs, functions, or whatever that really do generate true random numbers?  Are any of these free or cheap and available to the general public?

By the way, I don't mean to imply that those are the entities I'm interested in protecting my data against.  It's thieves that concern me, but some of these guys may be ex-KGB, Etc., so I want solid protection.  Also, it's partially just an academic question.  I want to know what the rules are.  Also, I have an interesting idea for a product based on the one-time pad concept, and I want to know if developing it is even legal.

Thanks.

Paul MacDonald, Director, Information Systems
CERTIFIED EXPERT
Commented:
There are restrictions on the levels of encryption you're allowed to export - especially to certain countries.  More info below:

http://www.bis.doc.gov/encryption/

http://en.wikipedia.org/wiki/Export_of_cryptography_in_the_United_States
So, it's just an exporting issue?  Anything goes within the borders of the USA?
I'm bumping up the point value to see if I can get some more responses.  (I don't care about speed.  I just want a consensus answer.)  Any attorneys actually know the answer to this question?
Top Expert 2011
Commented:
I don't have references to cite, other than my memory of what you are talking about.
As I recall, paulmacd is absolutely correct - inside the US, you can do whatever you want. (e.g., encrypting your connection strings or hashing user passwords, etc.)  Just don't export the technology or algorithms (or make them available via web-service) to the places he linked.
Paul MacDonald, Director, Information Systems
CERTIFIED EXPERT

Commented:
Inside the U.S., whatever encryption is publicly available is legal by definition.  Marijuana and cocaine were legal too, until they were outlawed.  So yes, it's essentially an exporting issue.  Note that this is true whether you're shipping a product or making it available for download - YOU are responsible for the product's dissemination.


paulmacd:

Um, in case you haven't noticed, marijuana and cocaine are "publicly available."  That doesn't make them legal.

And I'm not looking to create an encryption package.  I'm inquiring from the standpoint of a user.


Everybody:

I still didn't get most of my questions answered, so I'm going to bump up the point value one more time, to see if I can get a response.  Oh, and, "You're imagining this; there never was such an internal issue; it was all about export" would be an acceptable response, if it's true.

Paul MacDonald, Director, Information Systems
CERTIFIED EXPERT
Commented:
There is no limit on key length for symmetric or asymmetric keys for domestic use.  

There are no restrictions on domestic use of one-time pad cyphers.  Truly random numbers are difficult for computers to generate, so we settle for what we call pseudo-random numbers which are generally good enough, or use some natural phenomenon to create random numbers.  See here:  http://www.random.org/

The legality of your software would have nothing to do with the level of encryption you attempted to implement in it.  http://en.wikipedia.org/wiki/Cryptography#Legal_issues
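The answer above makes two technical points: a one-time pad is only as good as its random source, and the pad must be at least as long as the message and used exactly once. The following Python is an added illustration and is not code from this thread or from any of the commenters. It uses the operating system's cryptographic random generator via Python's `secrets` module as a stand-in for a "true random" source (an assumption; a hardware generator or a service like random.org would fill the same role), contrasts it with a seeded pseudo-random generator whose output is reproducible, and shows why pad reuse breaks the scheme. The function and class names (`generate_pad`, `otp_encrypt`, `PadSession`, `two_time_pad_leak`, `seeded_streams_match`) are my own, and the sample messages are constructed.

```python
import random
import secrets


def generate_pad(length: int) -> bytes:
    """Draw pad material from the OS CSPRNG (os.urandom under the hood).

    Assumption for this example: this stands in for a true-random source.
    """
    return secrets.token_bytes(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """One-time pad encryption: ciphertext = plaintext XOR pad.

    The pad must be at least as long as the message; a short pad would
    force key reuse, which is exactly what destroys the OTP's guarantee.
    """
    if len(pad) < len(plaintext):
        raise ValueError("pad too short for this message")
    return xor_bytes(plaintext, pad[: len(plaintext)])


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """Decryption is the same XOR operation."""
    return otp_encrypt(ciphertext, pad)


class PadSession:
    """Consumes a shared pad strictly once, wiping bytes as they are used.

    Constructed for this example: enforces the 'one-time' property so a
    caller cannot accidentally encrypt two messages with the same bytes.
    """

    def __init__(self, pad: bytes) -> None:
        self._pad = bytearray(pad)
        self._offset = 0

    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def encrypt(self, message: bytes) -> bytes:
        end = self._offset + len(message)
        if end > len(self._pad):
            raise ValueError("pad exhausted; a fresh pad is required")
        key = bytes(self._pad[self._offset:end])
        # Zero the consumed material so it can never be used again.
        for i in range(self._offset, end):
            self._pad[i] = 0
        self._offset = end
        return xor_bytes(message, key)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If two messages were XORed with the same pad, XORing the two
    ciphertexts cancels the pad and yields plaintext1 XOR plaintext2.
    This is the defender's check: any such leak means the pad was reused."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def seeded_streams_match(seed: int, nbytes: int) -> bool:
    """Show why a seeded PRNG is 'quasi-random': two generators started
    from the same seed produce identical output, so the stream is
    predictable to anyone who knows the seed."""
    r1 = random.Random(seed)
    r2 = random.Random(seed)
    s1 = bytes(r1.getrandbits(8) for _ in range(nbytes))
    s2 = bytes(r2.getrandbits(8) for _ in range(nbytes))
    return s1 == s2


if __name__ == "__main__":
    # Constructed sample messages for the demonstration.
    msg1 = b"meet at the old bridge"
    msg2 = b"meet at the new bridge"
    pad = generate_pad(64)

    session = PadSession(pad)
    c1 = session.encrypt(msg1)
    c2 = session.encrypt(msg2)          # uses fresh pad bytes, not the same ones
    print("round trip ok:", otp_decrypt(c1, pad) == msg1)
    print("pad bytes left:", session.remaining())

    # Reuse the same pad bytes for both messages: the XOR of ciphertexts
    # equals the XOR of plaintexts, which is why reuse is fatal.
    bad1 = otp_encrypt(msg1, pad)
    bad2 = otp_encrypt(msg2, pad)
    print("reuse leaks msg1 XOR msg2:", two_time_pad_leak(bad1, bad2) == xor_bytes(msg1, msg2))
    print("seeded PRNG reproducible:", seeded_streams_match(1234, 16))
```

Run it directly to see the round trip, the pad bookkeeping, and the reuse leak; `PadSession` is the piece worth copying into anything real, because the hard part of an OTP product is never the XOR but guaranteeing that pad bytes are generated well, distributed securely, and consumed exactly once.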
CERTIFIED EXPERT
Most Valuable Expert 2011
Top Expert 2015
Commented:
I know this isn't going to be something you want to hear, but you really need to consult a lawyer on this issue; I don't think you're going to get that kind of advice "for free" in a forum like this. Even if someone comes in and gives you a proper answer, you are still the one who is going to be implementing the software, and you will be the one who is liable if something is not completely legal. It sucks--I hate not being able to get a simple answer to something that is relatively legal in nature without paying some stupid "consultation" fee--but if you want a somewhat definitive answer, then you need to consult an attorney. In your case, I would say the cost of consulting a somewhat knowledgeable attorney would be far cheaper than the ensuing legal battle with the Fed if you did do something wrong.
Commented:
I have walked a few algorithms through this process and it can be painful and time consuming.

The first step is to contact http://www.bis.doc.gov/encryption/ for guidance.
Be prepared to answer technical questions and have your documentation available.
Once you have a handle on what you are getting in to, then engage an attorney to help you walk through the process.
Personally, I would avoid all the headache and use a product where the crypto is already approved for export.
Home-rolled crypto and trand systems are fraught with problems, and if it is for a product, this can actually hurt your chances of being acceptable to a number of verticals. Look up FIPS, Suite-B.

I will award points in the next 2 days.  I'm currently printing all the threads I have going, even as I write this.  I'll award 500 points total.

Thank you all for your patience and advice.
Tolomir, Administrator
CERTIFIED EXPERT
Top Expert 2005

Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
