
Re: Yes, you can export SHA and MD5



   Date: 17 May 96 15:19:05 -0700
   From: "PALAMBER.US.ORACLE.COM" <PALAMBER@us.oracle.com>

   SHA and MD5 are both export controlled, both are "easy" to export.  Export
   should not be a consideration in the comparison of SHA to MD5.

Well, to be precise, the NSA has made the claim that SHA and MD5 are
export controlled, and the NIST's FIPS documenting SHA claims that SHA
is export controlled.  

There seems to be at least some controversy as to what statutory
and regulatory authorities they are using to make either statement, at
least where SHA and MD5 are being used in a system which does not use any
encryption methods or which attempts to engage in data hiding.

As far as I know, no one on the IPSEC list is a lawyer, and is actively
giving legal advice (myself included).  You should see your favorite
high-priced export control lawyer for an official legal opinion.

My own personal belief is that any algorithm suite which is using as
weak an encryption as single DES might as well use HMAC-MD5.  If we were
going to use triple-DES for encryption it would perhaps make sense to
use HMAC-SHA, or some such.

						- Ted

