FreeBSD US export compliance (ECCN)

Hi,
I have a product that uses FreeBSD as the OS on a server and software on it. FreeBSD has encryption, so I was wondering if I need to get an ECCN or am I exempt from it. My program does not introduce any new encryption, only uses what FreeBSD has.

thanks,
A
 
There was a USA_RESIDENT make knob, which was removed.

From FreeBSD Handbook

14.4 DES, Blowfish, MD5, and Crypt
Parts rewritten and updated by Bill Swingle.

Every user on a UNIX system has a password associated with their account. It seems obvious that these passwords need to be known only to the user and the actual operating system. In order to keep these passwords secret, they are encrypted with what is known as a “one-way hash”, that is, they can only be easily encrypted but not decrypted. In other words, what we told you a moment ago was obvious is not even true: the operating system itself does not really know the password. It only knows the encrypted form of the password. The only way to get the “plain-text” password is by a brute force search of the space of possible passwords.

Unfortunately the only secure way to encrypt passwords when UNIX came into being was based on DES, the Data Encryption Standard. This was not such a problem for users resident in the US, but since the source code for DES could not be exported outside the US, FreeBSD had to find a way to both comply with US law and retain compatibility with all the other UNIX variants that still used DES.

The solution was to divide up the encryption libraries so that US users could install the DES libraries and use DES but international users still had an encryption method that could be exported abroad. This is how FreeBSD came to use MD5 as its default encryption method. MD5 is believed to be more secure than DES, so installing DES is offered primarily for compatibility reasons.

OpenSSL implements IDEA, among other patented technologies, which can be disabled with the WITH_IDEA make knob.

From /usr/src/openssl/README

PATENTS
-------

Various companies hold various patents for various algorithms in various
locations around the world. _YOU_ are responsible for ensuring that your use
of any algorithms is legal by checking if there are any patents in your
country. The file contains some of the patents that we know about or are
rumored to exist. This is not a definitive list.

RSA Security holds software patents on the RC5 algorithm. If you
intend to use this cipher, you must contact RSA Security for
licensing conditions. Their web page is http://www.rsasecurity.com/.

RC4 is a trademark of RSA Security, so use of this label should perhaps
only be used with RSA Security's permission.

The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy,
Japan, the Netherlands, Spain, Sweden, Switzerland, UK and the USA. They
should be contacted if that algorithm is to be used; their web page is
http://www.ascom.ch/.

The MDC2 algorithm is patented by IBM.

NTT and Mitsubishi have patents and pending patents on the Camellia
algorithm, but allow use at no charge without requiring an explicit
licensing agreement: http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
 
If you're actually planning on exporting computers to restricted countries (Syria, Iran, NorK, etc etc) either feign ignorance and cry a lot when They come to lock you up, or hire a (really) good lawyer. I don't think the export restrictions apply in most countries, and even if they do, shipping the media separately might buy you enough time to flee to the woods of Alabama* and take up a life as a moonshiner.

If you can contract it out to have it shipped from magical Canadia-land you will probably never have to think about it again.

*Personally, I'm heading for Mississippi, so don't you even think about hornin' in on my territory, buddy.
 