1. The National Research Council (NRC) is the operating arm of the Academy complex, which includes the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. Under a congressional charter granted in 1863, the Academy complex provides advice upon request to the government on matters of public policy that involve science or technology. The unit within the NRC that oversaw and supported the study reported in this article is the Computer Science and Telecommunications Board, which has responsibility within the NRC for public policy matters involving information technology. The study itself, however, was performed by the Committee to Study National Cryptography Policy; the committee members are listed in Appendix A. The U.S. Congress made this request of the National Research Council in Public Law 103-160, the National Defense Authorization Act for Fiscal Year 1994.
2. Kenneth W. Dam and Herbert S. Lin, eds., Cryptography's Role in Securing the Information Society (Washington, DC: National Academy Press, 1996); also available at http://www2.nas.edu/cstbweb/28e2.html.
3. For purposes of recommendation 4.1, a product that is “easily exportable” would automatically qualify for a general license for export, i.e., one that would require only a one-time review before it could be generally exported (except to a few selected destinations). Automatic qualification refers to the same procedure under which software products using certain specified algorithms for confidentiality with 40-bit key sizes currently qualify for a general export license.
4. These requirements include being a U.S.-controlled firm (i.e., a U.S. firm operating abroad, a U.S.-controlled foreign firm, or a foreign subsidiary of a U.S. firm), a foreign supplier or customer of a U.S.-controlled firm that is in regular communication with that firm, or a foreign firm specifically determined by U.S. authorities to be a major and trustworthy firm; providing an end-user certification that the exported products will be used only for intrafirm business or by foreign parties in regular communication with the United States or the approved foreign firm involved; taking specific measures to prevent the transfer of the exported products to other parties; and agreeing to provide the U.S. government with the plaintext of encrypted information when presented with a properly authorized law enforcement request, and to prove, if necessary, that the plaintext provided does indeed correspond to the encrypted information of interest.
5. "Link encryption" refers to the practice of encrypting communicated information only between the node from which it is sent and the node at which it is received; while the information is at the nodes themselves, it is unencrypted. In the context of link encryption for cellular communications, a cellular call would be encrypted between the mobile handset and the ground station. When carried on the landlines of the telephone network, the call would be unencrypted.
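The following simulation is an added illustration of the point in note 5 and is not part of the original article or the NRC report. It models a call passing through a handset, a ground station, a landline switch and a far handset, where only the air link carries a link key, and records what each node and each wire segment can read. It goes slightly beyond the note by also running the same path with a single end-to-end key so the two cases can be compared. The node names, the sample message, the keys and the HMAC-SHA256 stream cipher are all constructed for the illustration; the cipher is a toy for demonstration, not a recommendation for real traffic.

```python
import hashlib
import hmac
import os

# Constructed sample inputs for this illustration.
MESSAGE = b"account 4417 transfer 2500"
AIR_KEY = os.urandom(32)   # link key shared by the handset and its ground station (assumed)
E2E_KEY = os.urandom(32)   # end-to-end key shared by the two handsets (assumed)
NONCE_LEN = 12


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher for illustration only: XOR data with an HMAC-SHA256 keystream.
    Symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, data)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def carry(message: bytes, nodes: list, link_keys: list, e2e_key: bytes = None) -> dict:
    """Pass `message` along `nodes`. link_keys[i] protects the link nodes[i] -> nodes[i+1];
    None means that link runs in the clear (e.g. the landline segments in note 5).
    With e2e_key set, the first node encrypts once and only the last node decrypts.
    Returns what each node holds in the clear and what a tap on each wire segment sees."""
    assert len(link_keys) == len(nodes) - 1, "one key slot per link"
    seen = {"node": {}, "wire": {}}
    payload = encrypt(e2e_key, message) if e2e_key else message
    for i, node in enumerate(nodes):
        last = i == len(nodes) - 1
        if i > 0 and link_keys[i - 1] is not None:
            payload = decrypt(link_keys[i - 1], payload)   # strip the previous hop's link layer
        if last and e2e_key:
            payload = decrypt(e2e_key, payload)            # only the far end holds the e2e key
        seen["node"][node] = message if i == 0 else payload  # the sender knows its own plaintext
        if not last:
            on_wire = encrypt(link_keys[i], payload) if link_keys[i] is not None else payload
            seen["wire"][f"{node}->{nodes[i + 1]}"] = on_wire
            payload = on_wire
    return seen


if __name__ == "__main__":
    path = ["handset", "ground station", "landline switch", "far handset"]
    keys = [AIR_KEY, None, None]   # link encryption on the air segment only, as in note 5
    for label, result in (("link", carry(MESSAGE, path, keys)),
                          ("end-to-end", carry(MESSAGE, path, keys, e2e_key=E2E_KEY))):
        print(f"== {label} ==")
        for where, view in result["node"].items():
            print(f"  at {where:16s}: {'PLAINTEXT' if view == MESSAGE else 'ciphertext'}")
        for where, view in result["wire"].items():
            print(f"  on {where:32s}: {'PLAINTEXT' if view == MESSAGE else 'ciphertext'}")
```

Under link encryption the air segment is protected, but the ground station and every landline segment handle the plaintext, which is exactly the access point note 5 describes; with an end-to-end key the same intermediaries see only ciphertext, and the far handset is the only node that recovers the message.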