# US Encryption Laws

## securiteaze

I am in the process of setting up a VPN for a business. The freeswan package allows for 2048-bit RSA keys. Is it legal in the US to use this level of encryption? Anyone know if there are laws in the US governing the level of encryption used over the internet?

----------

## ashkar

i'm not a lawyer, and any advice taken here should be taken with a grain of salt. esp. for a business, a lawyer should be consulted on such matters. unfortunately, not getting sued costs money these days so pay for the protection.

unsavory advice out of the way, afaik, it is not illegal.

exportation, which involves transmitting the algorithm or code itself out of the country, is all that is considered illegal. setting up a vpn would not count because all transmitted data is encrypted or simply a hashed key; the algorithm itself is not transmitted.

hope that helps,

nick

----------

## djrogers

The US has no limits on the levels or types of encryption we (its citizens) can use inside its borders. We can also send any encrypted material anywhere we want, BUT there are laws about what encryption/decryption PROGRAMS can be exported...

----------

## OdinsDream

This is true to an extent. However, the laws specifically restrict the electronic distribution of encryption programs and algorithms.

For example, there was a large open-source effort to use OCR scanning to convert entire books of source-code mailed to European countries from the United States, in order to disseminate the source code legally. Since the book is printed media, its exportation was not restricted. Had the source-code been placed on a CDROM, however, it would have been illegal to export it from the U.S.

----------

## bkjoegold

I am not sure there are limits on key lengths when using encryption; I only use 64 bit keys on my VPN equipment (not critical data) but I do know that you can not use 3DES encryption, only DES when leaving the US.

----------

## klieber

*bkjoegold wrote:*

> you can not use 3DES encryption, only DES when leaving the US.

No longer true, I believe. The US relaxed export laws a few years ago, and now it's legal to export 3DES products/programs outside the US.  The only remaining restriction surrounding 3DES, AFAIK, is that you cannot distribute it to "terrorist countries".

--kurt

----------

## bkjoegold

I stand corrected. There is a restriction of 12 countries that are definite no-nos and several that require you to get permission from the government.

All of this information can be found here at the web site for the Bureau of Industry and Security.  

http://www.bxa.doc.gov/Default.htm

----------

