Do Export Restrictions Still Apply To The Key Length of RC4?

Question

I've just read a paper from 2004 which stated that the RC4 encryption algorithm was restricted to a 40 bit key size when exported from the USA; however the reference for this information (Applied Cryptography - Schneieir) was published in 1996.

Here's the link to the paper "The effectiveness of brute force attacks on RC4".

I'm relatively new to cryptography but as far as I'm aware, a lot of the old export laws have been relaxed. Was the key length of RC4 still restricted in 2004? If so, is that still the case?

Thanks for any help.

Beware of import restrictions of other countries though. Especially when importing your ePassport into such countries ;) — Maarten Bodewes, Oct 09 '14 at 12:29
There is still some export regulation, but it boils down to "fill out a certain form" to register your strong crypto export. — CodesInChaos, Oct 09 '14 at 13:21
@CodesInChaos: unless you're exporting to North Korea, Syria, or an handful of other countries. If you want to export to those countries, it's a lot more than "fill out some paperwork" — poncho, Oct 09 '14 at 14:37
Given that RC4 is a horrible cipher, with worrisome public cryptanalysis and plausible rumors that NSA can break it, they would likely be quite happy for you to use it, regardless of key size. — Matt Nordhoff, Oct 09 '14 at 14:39

score 5 · Answer 1 · answered Oct 09 '14 at 10:52

5

Afaik, the general export restrictions on keylengths of common ciphers were lifted during the Clinton administration. Here's the relevant wiki article.

answered Oct 09 '14 at 10:52

wallenborn

304
2
7

Fine print in the wiki article says key size still matters; quoting: encryption registration with the BIS is required for the export of "mass market encryption commodities, software and components with encryption exceeding 64 bits". $;$ Same in Europe, see e.g. REGULATION (EU) No 388/2012 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 19 April 2012 amending Council Regulation (EC) No 428/2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items – fgrieu Oct 09 '14 at 13:55

Yuhong Bao · Answer 2 · 2019-07-02T18:59:17.953

1

The regulation lifting the restrictions was published in Jan 2000. You can see this in the Federal Register, and I think the exact date was January 14, 2000. You can see this in for example http://web.archive.org/web/20000815053812/http://www.bxa.doc.gov/Encryption/pdfs/Crypto.pdf

edited Jul 02 '19 at 18:59

answered Jul 01 '19 at 02:45

Yuhong Bao

131
4

Thank you for your contribution. However, without any source reference this answer is incomplete at the very minimum. Answers should generally not consist of a single unverifiable statement without any reasoning to back it up. Could you update it? Otherwise the answer may be deleted for the stated reasons. – Maarten Bodewes Jul 01 '19 at 12:38

Do Export Restrictions Still Apply To The Key Length of RC4?

2 Answers2