Simon Says – Musings of a Technology CTO

This week, Jaikumar Vijayan at Computerworld posted an interesting article about new Chinese rules designed to control the import of non-domestic encryption products.

Many people have infered that these new rules will mean products imported into China will be somehow compromised, or unsafe, because their details will have been released to the Chinese Government.

Nothing could be further from the truth..

For a start, pretty much every encryption vendor is already in this position with their local governments. Part of the Wassenar Agreement, and the European dual-use export control agreements specifically insist that on request, details of the security and cryptographic functions of a product be released to them.

For example the Wassenaar Cryptographic Note states:

a. The primary function or set of functions is not any of the following:
1. “Information security”;
2. A computer, including operating systems, parts and components therefor;
3. Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management); or
4. Networking (includes operation, administration, management and provisioning);
b. The cryptographic functionality is limited to supporting their primary function or set of functions; and
c. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs a. and b. above.

So, you have to disclose on demand the details of the product to agencies as appropriate.

Secondly, the Chinese regulation apparently insists on the sharing of “Encryption Key Codes” – while I can’t find the actual document that references this, it’s easy to see that it might be a mistranslation of “Share the encryption code” – ie the source code. It may indeed mean that fixed encryption keys need to be shared, but again, I can’t find anything to indicate that products must give up keys created at runtime to the Chinese authorities.

So, for a product, say like a full disk encryption solution, that creates its keys on demand – where is the problem? The problem only seems to appear when a product uses a fixed key stored in the code which is a sign of a bad product to start with.

Thirdly, one of the signs of bad encryption products, are those which rely on the secrecy of the source code to protect the data – keeping the code secret to make your product secure is snake oil.

So, if you’re already distributing crypto products, you already had to give up, or agree to give up your code to the government, and importing into China, though you have to jump though some hoops to get the “ticket”, is no more onerous and won’t involve changes to your product which will compromise it.