[1914] in Kerberos
Re: AS/TGS question and DES question
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Wed May 20 21:14:02 1992
Date: Wed, 20 May 92 20:39:30 -0400
From: tytso@ATHENA.MIT.EDU (Theodore Ts'o)
To: erussell@wang.com
Cc: kerberos@MIT.EDU
In-Reply-To: Edward A. Russell's message of 19 May 92 15:55:32 GMT,
Reply-To: tytso@athena.mit.edu
Date: 19 May 92 15:55:32 GMT
From: erussell@wang.com (Edward A. Russell)
The following is an excerpt from the Export Policy GUIDELINES of DES
algorithms implemented in Hardware or Software.
"The DES algorithm can be used in systems/products for authentication,
message INTEGRITY, access control (PIN and password), proprietary
software protection (decryption only) and automatic teller devices.
These DES-based applications are currently under Department of
Commerce jurisdiction"
In other words, it APPEARS, (read: unofficial, no liability to me, may
not stand up in court) that Kerberos CAN be exported (perhaps
requiring some permission from DOC) because it uses DES only to
encrypt/decrypt authentication messages. You could NOT export
something that used DES to encrypt/decrypt actual message
text.
Yes, but the Kerberos protocol also has a way to send private messages
encrypted by the session key. If you are exporting a binary which does
not use these features, or you are exporting a library where the DES
interfaces are hidden and routines such as krb_mk_priv and krb_rd_priv
are not available, then it should not be very difficult to get an
export license under those conditions. A number of companies have in
fact done so already. You do need to get a license, though.
- Ted