Ask the Expert

What are the export limitations for AES data encryption?

Are there exportation limitations for AES data encryption? Lots of laptop vendors now offer this kind of disk encryption as a feature. And does it matter if it's 256 or lower levels?

    Requires Free Membership to View

    Login

The Advanced Encryption Standard (AES) is used by the U.S. government to protect classified information, replacing its predecessor, the Data Encryption Standard. It's the first publicly accessible and open cipher approved by the United States National Security Agency (NSA) for top secret information and is one of the most popular algorithms used in symmetric key cryptography. AES has key sizes of 128, 192 and 256 bits, with 256 being the hardest to crack. All three key lengths are sufficient to protect classified information up to the SECRET level. (TOP SECRET information requires the use of either 192 or 256 key lengths.)

The only successful attacks against AES data encryption have been side-channel attacks, which don't attack the actual AES cipher, rather its implementation. For example, in 2005, without brute force, a hacker captured inadvertently leaked time-caching data and broke a custom server that used OpenSSL's AES encryption. Encryption algorithms themselves are usually not the weak point in an encryption product or service. Usually, there are implementation flaws or key management errors, which is why the implementation of AES in products intended to protect national security systems and information has to be reviewed and certified by the NSA prior to their use.

Although AES is free for any use public or private, commercial or non-commercial programs that provide encryption capabilities are subject to U.S. export controls and sanctions administered by the Bureau of Industry and Security (BIS) under the Export Administration Regulations (EAR) and the Commerce Control List (CCL). Most commercial encryption products have a license exception assigned to them by the BIS. The exception allows them to be exported to specified destinations without having to obtain a separate license each time from the Commerce Department. None of these license exceptions, however, allow encryption products to be exported to the following embargoed countries: Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.

The control of the export of encryption tools is taken seriously by the U.S. government and by vendors. In data encryption provider PGP Corp.'s license agreements, for example, customers must represent that they will not export to a prohibited country or to a restricted type of user. Even the release of technology or source code to a foreign national in the United States is subject to the EAR and is deemed to be an export to the home country of the foreign national. Although export regulations have been relaxed, they are still quite complex, so I suggest you contact a lawyer for further advice.

This was first published in August 2009

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top