[Python-Dev] Needed: contractor to answer crypto questions

Guido van Rossum guido at python.org
Wed Oct 29 22:39:33 EST 2003 

I was approached by a legal firm with the questions below about
Python's crypto capabilities, from the POV of a legal review of
exporting software that embeds Python.  I don't have time to research
the answers myself (I'm no crypto expert).  If you think you can
answer the questions, please send me a price quote and I'll forward it
to them.  They'd like the answers ASAP.

--Guido van Rossum (home page: http://www.python.org/~guido/)

------- Forwarded Message

> 
> Hello Guido,
[...]
> 
> I understand Python is open source, but when open source code is
> integrated in a commercial product, the owner of the commercial product
> must include the open source code in their product analysis for U.S.
> export classification purposes.  Although as open source, Python falls
> under an export control exception, this exception is lost once the code is
> offered in a commercial product.  
> 
> I would appreciate your help in obtaining some additional technical
> information in order to complete my export classification analysis.
[...]
> 
> 1.	We have been advised the following encryption content is in Python.
> We are looking for additional information regarding the encryption
> content:
> 		a.	The Rotor module, which implements a very ancient
> encryption algorithm based on the German Enigma.  Please tell us the
> symmetric key length of the encryption contained within this module.
> Please also advise the asymmetric key exchange algorithm length.
> 		b.	The wrapper module for Open SSL.  Again, please tell
> us the symmetric key length of the encryption content contained within
> this module.  Please also advise the asymmetric key exchange algorithm
> length
> 		c.	The following questions apply to both the Rotor
> module and the wrapper module:
> 			i.	can the encryption function be directly
> accessed, or modified, by the end user?
> 			ii.	Do either of these encryption components
> contain an "Open Cryptographic Interface" (an interface that is not fixed
> and permits a third party to insert encryption functionality)
> 
> 
> The following chart is an example of the type of information I need to
> submit to the U.S. government.  Would you be able to provide similar
> information regarding the encryption component(s) included within Pyton?
> 
> EXAMPLE:
> 
> Algorithm	Source	Key-min	Key-max	Modes	
> RC2	OpenSSL	40	128	CBC, ECB, CFB, OFB	
> ARC4	OpenSSL	40	128	N/A (stream encryption)	
> DES	OpenSSL	40	56	CBC, ECB, CFB, OFB	
> DESX	OpenSSL	168	168	CBC	
> 3DES-2Key	OpenSSL	112	112	CBC, ECB, CFB, OFB	
> 3DES	OpenSSL	168	168	CBC, ECB, CFB, OFB	
> Blowfish 	OpenSSL		128	CBC, ECB, CFB, OFB	
> Diffie-Hellman	OpenSSL	192*	16384*	Key-exchange, authentication
> 
> DSA	OpenSSL			Digital Signature	
> MD5	OpenSSL			Integrity	
> SHA-1	OpenSSL			Integrity	
> * No explicit limit, these appear to be the practical range of values.
[...]

------- End of Forwarded Message

More information about the Python-Dev mailing list