Letter to MFAT of 20 January 1997

Peter Gutmann
24 Durness Pl.
Orewa
Auckland

20 January 1997

International Security and Arms Control Division
Ministry of Foreign Affairs and Trade
Private Bag 18 901
Wellington

Dear Sir/Madam,

I would like to export two sets of encryption software to recipients in various countries in Europe, but before I proceed I would like to find out what your position is in regard to these exports. The two exports are:

An encryption program to be sent to Finland and Germany which provides (in the encryption part) almost identical encryption capabilities to my "cryptlib" encryption library which you have been considering as part of the export application for the Paysafe financial package. In particular the program provides the ability to perform DES, triple DES, IDEA, RC2, and RC4 conventional encryption and RSA public-key encryption, with a standard RSA key size of 1024 bits with longer key sizes being available. The program is distributed in source code form, and would be sent to a student at Helsinki University for distribution in Finland (and the rest of Europe), and the University of Erlangen for distribution in Germany (and the rest of Europe). It provides means for network data and communications encryption, automatic key exchange and key generation, and data authentication. The program was written in Finland by the Helsinki University student [1].
An encryption library which is functionally almost identical to cryptlib (only a few implementation details differ). The library implements the DES, triple DES, Blowfish, IDEA, RC2, RC4, and RC5 encryption algorithms, MD2, MD4, MD5, and SHA hash algorithms, and RSA and Diffie-Hellman public-key encryption. These are all identical to the functionality of cryptlib. The library is distributed in source code form, and would be sent to a student at the Centrum voor Wiskunde en Informatica for distribution in the Netherlands (and the rest of Europe), and to Cambridge University for distribution in the UK (and the rest of Europe). The library is functionally almost identical to cryptlib, and was written in the Netherlands by a CWI student (not the same one as it would be sent to) [2].

In each of these four cases, what would be the requirements for export of the code?

Yours sincerely,

Peter Gutmann

[1] The intent was to determine whether sending the code back to the person who wrote it, and a person in another country, was OK.

[2] The intent was to determine whether sending the code back to someone who occupied the office next to the person who wrote it, and an academic institution in another country, was OK.