[Noisebridge-discuss] Deep Crack

Colin Bayer vogon at icculus.org
Thu Oct 8 12:54:46 UTC 2009


Sai Emrys wrote:
> Incidentally - is the crypto-restriction law really still in force?
> ISTR that something of this sort got rescinded not too long ago, but I
> don't know any details.
>   
(Foreword: I am not a lawyer.  A friend's boyfriend is one, my mom used 
to be a paralegal, and I occasionally watch Law & Order.)

As far as I'm aware, ITAR itself hasn't applied to crypto at large in 
something like 12 years, which has made a ton of this talk gloriously 
anachronistic.

http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=a6fcf98605a5d907fa3b3c7b3949bfee&rgn=div5&view=text&node=22:1.0.1.13.60&idno=22

It does apply to:

"(b) Electronic systems or equipment specifically designed, modified, or 
configured for intelligence, security, or military purposes for use in 
search, reconnaissance, collection, monitoring, direction-finding, 
display, analysis and production of information from the electromagnetic 
spectrum and electronic systems or equipment designed or modified to 
counteract electronic surveillance or monitoring. A system meeting this 
definition is controlled under this subchapter even in instances where 
any individual pieces of equipment constituting the system may be 
subject to the controls of another U.S. Government agency. Such systems 
or equipment described above include, but are not limited to, those:

*(1) Designed or modified to use cryptographic techniques to generate 
the spreading code for spread spectrum or hopping code for frequency 
agility.* This does not include fixed code techniques for spread spectrum."

"*(b) Military Information Security Assurance Systems and equipment, 
cryptographic devices, software, and components specifically designed, 
developed, modified, adapted, or configured for military applications 
*(including command, control and intelligence applications). This 
includes: (1) Military cryptographic (including key management) systems, 
equipment assemblies, modules, integrated circuits, components or 
software with the capability of maintaining secrecy or confidentiality 
of information or information systems, including equipment and software 
for tracking, telemetry and control (TT&C) encryption and decryption;

(2) Military cryptographic (including key management) systems, 
equipment, assemblies, modules, integrated circuits, components or 
software which have the capability of generating spreading or hopping 
codes for spread spectrum systems or equipment;

(3) Military cryptanalytic systems, equipment, assemblies, modules, 
integrated circuits, components or software;"

"(b) Ground control stations for telemetry, tracking and control of 
spacecraft or satellites, or employing any of the cryptographic items 
controlled under category XIII of this subchapter."

"(1) Designed for encryption or decryption (e.g., Y-Code) of GPS precise 
positioning service (PPS) signals;"


Cryptographic technology is still in the Export Administration Regs, 
which defines two categories of controlled crypto devices: 5A002 
(Information security systems) and 5A992 ("equipment not controlled by 
5A002".  I'm not making this shit up.) as well as a whole bunch of 
categories of "development", "software", and "equipment" that helps you 
make things in those groups.

http://www.access.gpo.gov/bis/ear/pdf/ccl5-pt2.pdf

5A002 contains: symmetric algorithms with key length > 56b (not DES); 
asymmetric algorithms that are RSA-like with key length > 512b, D-H-like 
with key length > 512b, or ECC-like with key length > 112b; 
*cryptanalytic hardware*; all kinds of additional spread-spectrum stuff 
that the government apparently has a huge boner for, and that I'm not 
going to enumerate; cable systems that detect taps; and quantum crypto.

5A992 is the "shit we want to regulate that's not a pure cryptographic 
device" category: smart cards, cable/sat boxes, cell phones, DRM, 
banking systems, cordless phones.

In addition, 15CFR744.9 says:

"(a) General prohibition. No U.S. person may, without authorization from BIS, provide technical assistance (including training) to foreign persons with the intent to aid a foreign person in the development or manufacture outside the United States of encryption commodities and software that, if of United States origin, would be controlled for EI reasons under ECCN 5A002 or 5D002. Technical assistance may be exported immediately to nationals of the countries listed in Supplement 3 to part 740 of the EAR (except for technical assistance to government end-users for cryptanalytic items) provided the exporter has submitted to BIS a completed classification request by the time of export. Note that this prohibition does not apply if the U.S. person providing the assistance has a license or is otherwise entitled to export the encryption commodities and software in question to the foreign person(s) receiving the assistance. Note in addition that the mere teaching or discussion of information about cryptography, including, for example, in an academic setting or in the work of groups or bodies engaged in standards development, by itself would not establish the intent described in this section, even where foreign persons are present."  

So, to recap without all sorts of legal text:

1) Deep Crack as a device is regulated under the EAR, which means that some paperwork would probably be involved to export it to any other country, and you probably wouldn't be able to pull it off with any country that's on an export control list.
1b) If Deep Crack -- through some ridiculous twist of law -- is actually considered "military" cryptanalytic hardware, then it's regulated under the ITAR.
2) US persons also can't teach foreign persons how to build cryptanalytic hardware without a license, which is (in general) a perfectly reasonable way to avoid dudes smuggling export-controlled secrets through a loophole.
2b) But they can teach foreign persons about cryptography, and they can export it to people in certain countries.  The list of "certain countries" is contained somewhere in http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=b5a1a54a4ef90cf5324755c34e36b7b5&rgn=div8&view=text&node=15:2.1.3.4.25.0.1.17&idno=15 I think, but I'm too sleepy to read through this obfuscated pile.
3) DES itself isn't regulated under jack shit, because it ceased being relevant except for backward-compatibility a decade ago.
4) Export controls are a huge pain to read.

Again, this is what my non-professional reading of the applicable statutes tells me.  And for all you know, I'm a member of the FBI. ;)

This is what I get for waking up at 5 in the morning,
Colin
