6

I understand that under the Wassenaar Arrangement, encryption algorithms like AES were considered to be some sort of weapon. The legally allowed effective key sizes in export software were limited to something a resourceful attacker could break, presumably to prevent criminals from hiding their communications from some government.

Did authentication/signature primitives fall under such legal arrangements? I see no harm in allowing a full-strength MAC or asymmetric signature provided the encryption is weak or absent.

DiscobarMolokai
  • 163
  • 1
  • 1
  • 8

1 Answers1

1

I don't know about MACs (keyed Hashes e.g. HMAC might fall under the definition of symmetric but that's not clear to me) but there are restrictions on asymmetric crypto as well, RSA and Diffie-Hellman are restricted to 512 bits and ECDH is restricted to 112 bits (which effectively is a security level of 56 bits, the same as the limit on symmetric crypto):

b. An "asymmetric algorithm" where the security of the algorithm is based on any of the following:

  1. Factorisation of integers in excess of 512 bits (e.g., RSA);
  2. Computation of discrete logarithms in a multiplicative group of a finite field of size greater than 512 bits (e.g., DiffieHellman over Z/pZ); or
  3. Discrete logarithms in a group other than mentioned in 5.A.2.a.1.b.2. in excess of 112 bits (e.g., Diffie-Hellman over an elliptic curve);

Source: Wassenar Arrangement Section 5. A. 2. a. 1. b (Page 87)

Edit: As dave_thompson_085 points out, these restrictions do not apply to authentication / digital signature, and only to things like key exchange.

puzzlepalace
  • 4,042
  • 1
  • 19
  • 44
  • 2
    Look one para higher, on page 86, emphasis added: Designed or modified to use "cryptography" employing digital techniques performing any cryptographic function other than authentication, digital signature or the execution of copy-protected "software". ITAR, the predecessor to Wassenaar, had effectively the same exclusion; that's why SSL (and TLS 1.0) 'export' ciphersuites limit key exchange to RSA 512 or DH 512, but allow unlimited strength certificates for authentication. – dave_thompson_085 Jun 04 '16 at 01:54
  • 1
    @dave_thompson_085 Ah, that makes sense. If you post this as answer, I can accept it. – DiscobarMolokai Jun 04 '16 at 09:20
  • 1
    An ignorant's question: What are the practical impacts of Wassenaar arrangements? If an encryption code, presumably in violation of the limitations there, is published as a conference paper or simply on the Internet, or sent as attachment in private emails, what practical consequenes would there be? – Mok-Kong Shen Jun 04 '16 at 10:14
  • @Mok-KongShen Perhaps you should post this as a separate question. It will probably attract more attention if you do :). – DiscobarMolokai Jun 04 '16 at 16:21