[NTLUG:Discuss] OT: Cryptography Key Length
John Thomas
j.a.thomas at sbcglobal.net
Mon May 28 10:01:33 CDT 2007
John K. Taber wrote:
> On Sat, 2007-05-26 at 16:28 -0500, Dennis Rice wrote:
>
>>Just wanting to start a general topic discussion regarding encrypting of
>>a message. I am assuming that all have some familiarity with GPG (alias
>>PGP) in the open source world.
>>
>>The old legal limit to encryption using a symmetric key was 56 bits,
>>and is now 128 if I understand correctly. Today, I am under the
>>impression that an asymmetric key is equivalent to a shorter symmetric key.
>>
>> snip...
> snip...
>
> There is no legal basis for proscribing or prescribing key lengths. That
> is a common misunderstanding in the technical world. However, EXPORTING
> strong encryption, which may be nothing more than a huge keylength, may
> be another matter, and may fall under ITAR.
>
> The commercial need for encryption is so great and so obvious that
> eventually the government relaxed some of its earlier restrictions on
> "export" of cryptographic systems and keylengths. For certain uses, and
> certain keylengths no licensing is now required. For example, PINs on
> banking transactions. There was a lot of negotiating back and forth on
> this, and I am admittedly not up to date.
>
> For more information you should ask on the Usenet newsgroup sci.crypt. I
> think you will get better advice there, at least on the technical
> issues. For the legal issues, though, please see your lawyer.
>
I have also studied this issue from a legal standpoint.
Mr. Taber is correct. There is no legal bar in the US to creating key
lengths of any size. The only issue is the regulation of exports of
software or systems for cryptography.
--
_______________________
John Thomas
972-660-1823 H
972-419-8378 W