Recently, while doing a secure code review of a legacy Delphi application, I found a function named InitialiseString() used by the Blowfish symmetric algorithm, and then realized that the library used for this purpose was the one found here. While reviewing its source code I found the chunk below:
{**************************************************************************
************ This section of code implements the 64 bit limit *************
************ imposed by the Wassennar agreement. The key is *************
************ limited to 64 bits. Should you be in a country *************
************ where the Wassennar agreement is not in force, *************
************ undefine the WASSENAAR_LIMITED variable. *************
**************************************************************************}
1. {$ifdef WASSENAAR_LIMITED}
2. // turn the key string into a key array
3. for i := 1 to Length(Key) do
4. begin
5. KeyArray[(i-1) mod 8] := Ord(Key[i]);
6. end; {for}
7. {$else}
8. // turn the key string into a key array
9. for i := 1 to Length(Key) do
10. begin
11. KeyArray[(i-1)] := Ord(Key[i]);
12. end; {for}
13. {$endif}
Did you notice the "64 bit limit imposed by the Wassenaar agreement..."? What is that agreement? After some research I understood that:
- The name is "Wassenaar Arrangement" and not "Wassenaar agreement".
- The Wassenaar Arrangement is a multilateral export control regime with 41 participating states including many former COMECON countries.
- In December 1998, Wassenaar members revised the Dual-Use Control List, implementing a maximum bit length of 64 bits on exports of mass-market encryption software. See Category 5, Part 2 - Information Security in the regime. NOTE: This restriction applies to symmetric algorithms only, such as Blowfish in this case.
More information about this regime can be found here.
Since the legacy system I was reviewing was created before 1998, it was limited to a 64-bit key length, as you can see in lines 1-6 of the source code above.
But then, after more research, I found an update to this restriction here: "In December 2000, Wassenaar member countries agreed to remove the 64-bit key length restriction from the Cryptography Note". Voila!!! The legacy system could have been upgraded/improved since December 2000!
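To make the effect of lines 1-6 concrete, here is an added Python model of the two KeyArray builders (my own example, not code from the post or from the Delphi library). It assumes KeyArray slots that are never written stay zero, which the Delphi excerpt does not show, and it also shows how a reviewer can check a key length against the compiled branch.

```python
# Added example, not code from the post or the Delphi library it reviews: a Python
# model of the two KeyArray builders, to show what the "mod 8" actually does to a key.

def key_array_limited(key: bytes) -> list:
    """Models the {$ifdef WASSENAAR_LIMITED} branch:
    KeyArray[(i-1) mod 8] := Ord(Key[i]).
    Every key byte lands in one of only 8 slots, and later bytes overwrite
    earlier ones, so at most 64 bits of key material reach the Blowfish
    key schedule. Unwritten slots are assumed to be zero (assumption: the
    Delphi excerpt does not show how KeyArray is initialised)."""
    arr = [0] * 8
    for i, b in enumerate(key):      # i is 0-based here, (i-1) in the Delphi
        arr[i % 8] = b
    return arr

def key_array_full(key: bytes) -> list:
    """Models the {$else} branch: KeyArray[i-1] := Ord(Key[i]); the whole key
    is passed through (Blowfish itself accepts 32 to 448 bits)."""
    return list(key)

def effective_key_bits(key: bytes, limited: bool) -> int:
    """Bits of key material that actually influence the key schedule."""
    return 8 * (min(len(key), 8) if limited else len(key))

def surviving_byte_indices(key: bytes) -> list:
    """0-based indices of the key bytes that survive the limited branch, ordered
    by slot. For a 16-byte key these are 8..15: the first half of the key is
    silently discarded, which is easy to miss when only the ciphertext is tested."""
    last = {}
    for i in range(len(key)):
        last[i % 8] = i
    return [last[s] for s in sorted(last)]

def keys_collide(k1: bytes, k2: bytes, limited: bool) -> bool:
    """True if two different key strings produce the same KeyArray, i.e. the same
    Blowfish subkeys. With the limited branch, keys sharing their last 8 bytes collide."""
    build = key_array_limited if limited else key_array_full
    return k1 != k2 and build(k1) == build(k2)

def audit_key(key: bytes, limited: bool) -> str:
    """Review-time check: flags a key longer than the limited branch can keep."""
    if limited and len(key) > 8:
        lost = len(key) - 8
        return f"WASSENAAR_LIMITED: {lost} of {len(key)} key bytes are discarded, effective key is 64 bits"
    return "ok"
```

Run with a 128-bit key and `limited=True` to see that only the last eight bytes reach the key schedule; the same key under the `{$else}` branch keeps all 128 bits.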
See you in the next blog.