Wassenaar arrangement could be the cause of Legacy systems encryption weakness.

Recently, while doing a secure code review in a Delphi Legacy application, I found a function named: InitialiseString() used by the Blowfish symmetric algorithm, then I realized that the Library used for this purpose was the one found here. While reviewing the source code a found below chunk:

{**************************************************************************
************ This section of code implements the 64 bit limit *************
************ imposed by the Wassennar agreement. The key is   *************
************ limited to 64 bits. Should you be in a country   *************
************ where the Wassennar agreement is not in force,   *************
************ undefine the WASSENAAR_LIMITED variable.         *************
**************************************************************************}
1.     {$ifdef WASSENAAR_LIMITED}
2.     // turn the key string into a key array 
3.     for i:= 1 to Length(Key) do
4.     begin
5.     KeyArray[(i-1) mod 8] := Ord(Key[i]);
6.     end {for}
7.     {$else}
8.     // turn the key string into a key array 
9.     for i := 1 to Length(Key) do
10.    begin
11.    KeyArray[(i-1)] := Ord(Key[i]);
12.    end {for}

Did you noticed the "64 bit limit imposed by Wassenaar agreement...", what is that agreement?

After some research I understood that:

1. The name is "Wassenaar Arrangement" and not "Wassenaar agreement".
2. The Wassenaar Arrangement is a multilateral export control regime with 41 participating states including many former COMECON countries.
3. In December 1998, Wassenaar members revised the Dual-Use Control List, implementing a maximum bit length of 64 bits on exports of mass-market encryption software. See Category 5. part 2 - Information Security in the regime. NOTE: This restriction is applicable to symmetric algorithms only like Blowfish in this case.
   

More information about this regime can be found here.

Since the Legacy system I was reviewing was created before 1998, it was limited to 64 bits key length as you can see in lines 1-6 of the source code above.

But then after more research I found and update of this restriction here: "In December 2000, Wassenaar member countries agreed to remove the 64-bit key length restriction from the Cryptography Note", voila!!!! The Legacy system could be upgraded/improved since December 2000!!!

So, anytime you are reviewing a Legacy system which performs symmetric key encryption, make sure to double check the now well known (at least to me :-) Wassenaar Arrangement regime.

See you in the next blog.