Encryption and Export Issues

Encryption has long been regulated by the U.S. and other governments as a munition, or weapon of war. Exporting software in violation of export regulations could land you in jail. For a long time, the U.S. would not allow any software that used symmetric encryption keys longer than 40 bits or asymmetric encryption keys longer than 512 bits to be exported without a license.

In January 2000, the U.S. issued new export regulations that permit the export of strong encryption retail products to most destinations worldwide. Most Microsoft products are now eligible for export and worldwide download in their strong encryption versions. This includes the Windows operating systems, Internet Explorer, Microsoft Outlook, and Exchange. See http://www.microsoft.com/exporting for complete information.

Strong Versus Export-Grade Encryption

Despite the relaxation in the regulations, most Microsoft and Netscape software programs in service today are the export, or "weak," encryption versions. This is almost 100% true outside the U.S. and Canada, and probably 70% true within the U.S. and Canada, because downloaded software such as browsers was almost always the "weak" encryption version.

Windows 2000 and Windows Millennium ship only with "strong" encryption because of the change in regulations, but it will be a while before the installed base is upgraded. This means that, if you use strong encryption, you must see that your clients are upgraded, or live with weak encryption (that is, 40-bit RC5 and 512-bit RSA). An interim relaxation in regulations occurred in 1998, which raised the 40-bit restriction to 56 bits. This effectively permitted 56-bit DES to be exported. Therefore, you probably will have no idea what your clients can support.

Enabling Strong Encryption on Your Windows Clients

As you know by now, cryptographic operations on Win32 platforms are implemented using cryptographic service providers, or CSPs. All Win32 operating systems come with the Microsoft Base Cryptographic Provider v1.0. This CSP provides symmetric and asymmetric operations using "weak," or export-grade key lengths.

For strong cryptographic operations to be performed, the Microsoft Enhanced Cryptographic Provider v1.0 must be installed. This CSP can be installed by several methods:

  • Applying a 128-bit version of any Windows NT Service Pack

  • Installing a 128-bit version of Internet Explorer

  • Installing the High Encryption Pack update to Internet Explorer

  • Installing the 128-bit version of Outlook 98 or 2000

With the Enhanced CSP, you will be able to perform up to 16,384-bit RSA (although there is no need for this—1024- or 2048-bit will do nicely), 1024-bit DSA, 128-bit RC5, and 168-bit triple-DES encryption.

All installations of this CSP require a reboot of the computer. Plan for what you need. Most applications need strong encryption because the weak versions have been broken, and so you must plan to test for and upgrade your clients as needed.
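
An added example (not from the original text) of the client test mentioned above: it tries to acquire the Enhanced CSP, falls back to the Base CSP, and lists each cipher's maximum key length. The function names and the 56-bit/512-bit cut-offs in is_export_grade are this example's assumptions, taken from the limits quoted earlier; on a non-Win32 build probe_csp does nothing and returns 0.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>   /* link with advapi32.lib */
#endif

/* Assumption from the text: export-grade means a symmetric key of at most
   56 bits (40-bit rule, raised to 56 in 1998) or an asymmetric key of at
   most 512 bits. */
int is_export_grade(int asymmetric, unsigned long bits) {
    return asymmetric ? bits <= 512 : bits <= 56;
}

/* Returns 2 if the Enhanced CSP can be acquired, 1 if only the Base CSP,
   0 if neither. Prints the maximum key length of each cipher it offers. */
int probe_csp(void) {
    int level = 0;
#ifdef _WIN32
    HCRYPTPROV h = 0;
    PROV_ENUMALGS_EX a;
    DWORD len, flag = CRYPT_FIRST;
    /* CRYPT_VERIFYCONTEXT: no key container is opened or created. */
    if (CryptAcquireContextA(&h, NULL, MS_ENHANCED_PROV_A, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
        level = 2;
    else if (CryptAcquireContextA(&h, NULL, MS_DEF_PROV_A, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
        level = 1;
    else
        return 0;
    for (;; flag = 0) {
        len = sizeof a;
        if (!CryptGetProvParam(h, PP_ENUMALGS_EX, (BYTE *)&a, &len, flag))
            break;                       /* ERROR_NO_MORE_ITEMS ends the list */
        DWORD cls = GET_ALG_CLASS(a.aiAlgid);
        int sym = (cls == ALG_CLASS_DATA_ENCRYPT);
        if (!sym && cls != ALG_CLASS_KEY_EXCHANGE && cls != ALG_CLASS_SIGNATURE)
            continue;                    /* skip hashes and MACs */
        printf("%-12s max %5lu bits  %s\n", a.szName, (unsigned long)a.dwMaxLen,
               is_export_grade(!sym, a.dwMaxLen) ? "export-grade" : "strong");
    }
    CryptReleaseContext(h, 0);
#endif
    return level;
}

int main(void) {
    static const char *msg[] = { "no RSA CSP available",
        "Base CSP only: upgrade this client", "Enhanced CSP installed" };
    printf("%s\n", msg[probe_csp()]);
    return 0;
}
```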

Complying with Export Regulations

If you use Microsoft's cryptographic systems and do not include any cryptographic code in your application, you should not have to seek export clearance for your application. If you export any strong encryption products, such as the upgrades previously described, you may need to seek export clearance. Also, some nations have import restrictions on encryption software. In some jurisdictions, software originating in one country and legally imported into another country may not be re-exported to a third country.

In the U.S., encryption exports are regulated by the Bureau of Export Administration of the U.S. Department of Commerce. See http://www.bxa.doc.gov/encryption for more information.
