
Crypt issues (was Re: Glibc Packaging Issues)



david@elo.sw.ods.com (David Engel) writes:
> Warwick HARVEY writes:
> > I'll have a rummage 'round the archives and see if I can dig up the relevant
> > message(s).
> 
> Please do.

Perhaps the most interesting message I found is
	http://www.debian.org/Lists-Archives/debian-devel-9606/msg00426.html
from Mark Eichin, quoting Brian White:

] >> "crypt" is not a form of encryption!  It is a one-way hash function,
] 
] However, the *source code* to crypt includes a complete, slow
] implementation of DES (with one modifiable internal permutation.)
] Welcome to the looking glass...

I leave the interpretation of this to those with a better grip on the
subject than I, who have a copy of the source code in front of them.....

Actually, I just went and had a browse through the ITAR regulations, and
found the following...  *DISCLAIMER*  I haven't read the whole thing, and
don't purport to understand what I have read fully.

121.1 General. The United States Munitions List.

[...]

Category XIII-Auxiliary Military Equipment

[...]

(b) Information Security Systems and equipment, cryptographic devices,
software, and components specifically designed or modified therefor,
including:

(1) Cryptographic (including key management) systems, equipment, assemblies,
modules, integrated circuits, components or software with the capability of
maintaining secrecy or confidentiality of information or information
systems, except cryptographic equipment and software as follows:

   [...]

   (vi) Limited to data authentication which calculates a Message
   Authentication Code (MAC) or similar result to ensure no alteration of
   text has taken place, or to authenticate users, but does not allow for
   encryption of data, text or other media other than that needed for the
   authentication.


*MY* interpretation of this is that in libc we have some software which
calculates some result to authenticate users, and does not allow for
encryption of data *other than that needed for authentication*.

One could argue that the libc source contains code that could be used
(perhaps with modification) to do more encryption than that, but I would
argue that that is not something the software provides for (you have to
*modify* the software to get it - unless there's direct access to functions
which do "real" DES, in which case I might suggest altering the software so
there isn't).

If the regulations are deemed to cover even software that can be modified to
produce a cryptographic system, well hell...  You could do this to *ANY*
software.  How far away must you go?

				Warwick

----------------------------------------------------------------------------
Warwick Harvey                                    email: warwick@cs.mu.OZ.AU
Department of Computer Science                        phone: +61-3-9344-9171
University of Melbourne                                 fax: +61-3-9348-1184
Parkville, Victoria, AUSTRALIA 3052     web: http://www.cs.mu.OZ.AU/~warwick
----------------------------------------------------------------------------
 Some people say I like to argue for the sake of arguing - but I disagree.

