facebookarchive / conceal

Conceal provides easy Android APIs for performing fast encryption and authentication of data.
http://facebook.github.io/conceal/

Question about license and using strong encryption outside of USA. #165

Closed bogdanRada closed 7 years ago

bogdanRada commented 7 years ago

I am working on an Android application that I want to release to be available for customers from both the USA and Romania. Does this library require a special license for using strong encryption? The reason why I ask this is because some other libraries like SQLCipher for Android require a special license for this (according to this blog: http://www.informit.com/articles/article.aspx?p=2268753&seqNum=3).

I was wondering if this is the case for this too. Please let me know. Thank you very much.

helios175 commented 7 years ago

Hello! Short answer: you can use it as is.

Long answer:

This software is open source. That means you can use it as is with no special needs. The LICENSE file (BSD license) explains the requirements. But they only imply documentation in case you distribute source code, and including the notice in case of binaries.

I'm aware of certain products making a distinction between US distributed binaries, and international ones. My understanding is that they treat keys differently, by forcing them to be a subset of the real domain of keys (fixing some bytes) and making encryption less strong. More vulnerable to attacks from an agent with the resources to try to break the encryption. I can make an educated guess why a government would like to enforce breakable encryption for entities outside national borders.

Luckily this doesn't apply to open source code as it's freely shared and you can change it as needed. In fact, you could theoretically take the idea and use it to build your own implementation. Copy/paste is just a glorification of copying an algorithm. As it's open source code there are no intellectual property implications (but don't implement encryption yourself! It's very tricky!).

Conceal is a wrapper around OpenSSL. It's the one really using the keys you provide. You can check the code and confirm that it makes usage of basic OpenSSL encryption techniques easier. Also you have the code for OpenSSL (in native/third-party/openssl) which is compiled with the Makefile in that directory. It's precompiled but you can recompile it as needed. And you can verify that OpenSSL doesn't make any distinction. You could even upgrade the OpenSSL version stored there with the latest from their GitHub so you know it's updated and it's the stock version (no cheated keys).

Hope it helps and thanks for considering Conceal. Go ahead and make the Internet more secure!

helios175 commented 7 years ago

PS: OpenSSL does all the encryption implementation by itself. In C. It doesn't resort to platform available (or not available) tools.

bogdanRada commented 7 years ago

Thank you very much for such a detailed answer. It's really awesome. You have put a lot of effort in this and I really appreciate it.

This answers all my questions. Conceal is a great library. I like it very much.

Thanks a lot. Really great work :)

mandrachek commented 7 years ago

Sorry, but I believe @helios175's answer is incorrect, and potentially dangerous. Please use caution. I am not a lawyer, and this does not constitute legal advice. For legal advice, please contact an attorney!

My understanding is that, regardless of the source, even if it's developed internationally, such as OpenSSL, once the technology is imported into the US, it is then subject to US export controls.

There is nothing that absolves you of the requirement to follow US law if you're in the US!!! If you're not in the US, and are in, say, Romania, I would advise you to find out if Romania is a signatory to the Wassenaar Agreement, and it wouldn't hurt to talk to a Romanian attorney!

Please see:

For example, from the Realm license: https://github.com/realm/realm-java/blob/master/LICENSE


EXPORT COMPLIANCE

You understand that the Software may contain cryptographic functions that may be subject to export restrictions, and you represent and warrant that you are not located in a country that is subject to United States export restriction or embargo, including Cuba, Iran, North Korea, Sudan, Syria or the Crimea region, and that you are not on the Department of Commerce list of Denied Persons, Unverified Parties, or affiliated with a Restricted Entity.

You agree to comply with all export, re-export and import restrictions and regulations of the Department of Commerce or other agency or authority of the United States or other applicable countries. You also agree not to transfer, or authorize the transfer of, directly or indirectly, the Software to any prohibited country, including Cuba, Iran, North Korea, Sudan, Syria or the Crimea region, or to any person or organization on or affiliated with the Department of Commerce lists of Denied Persons, Unverified Parties or Restricted Entities, or otherwise in violation of any such restrictions or regulations.

bogdanRada commented 7 years ago

Thank you very much for the details. Will definitely do some research on this. Thank you very much. This is really helpful.

bogdanRada commented 7 years ago

I found an update from September 20, 2016

I have read this https://www.bis.doc.gov/index.php/policy-guidance/encryption/encryption-faqs/15-policy-guidance/encryption from the Bureau of Industry and Security, and according to this, open-source projects don't need this export compliance anymore (not sure if I am reading this correctly, though).

However, according to this paragraph https://www.federalregister.gov/d/2016-21544/p-806 (this document is the original one; the previous link had only a small summary):

You must submit a classification request or self-classification report to BIS for mass market encryption commodities and software eligible for the Cryptography Note employing a key length greater than 64 bits for the symmetric algorithm (or, for commodities and software not implementing any symmetric algorithms, employing a key length greater than 768 bits for asymmetric algorithms or greater than 128 bits for elliptic curve algorithms) in accordance with the requirements of § 740.17(b) of the EAR in order to be released from the “EI” and “NS” controls of ECCN 5A002 or 5D002.

I am a bit unsure, though, if this applies to applications that use cryptographic algorithms that were developed by someone else, or only to applications that develop these algorithms (like OpenSSL or AndroidOpenSSL).

I am also using AndroidKeyStore in my application, and that has some keys larger (by default) than specified in the document.

I am definitely a bit confused. Will try and seek some professional advice. Thank you very much for the help.

helios175 commented 7 years ago

My apologies for my answer before. I was focused on "can you take this library and use it". And yes, you can. A different thing is if you are allowed to develop and distribute software with strong encryption, etc, etc. That of course will be related to the countries you're operating in and will be applied to your software regardless of where the code came from: just you typing it all yourself, or copying the open source. Of course: this is my common sense talking, so it's not authoritative at all.