Are Export-Grade Encryption Options Needed Anymore?

November 15th, 2008

The short answer is “no” … unless you need to support web browsers 8+ years old on computers that cannot be patched or upgraded and which are not in the USA or Canada.  Export Grade encryption went out of style in 1996 when the US modified its laws that prohibited companies from exporting strong encryption algorithms that the US government could not easily break.  After 2000, software and hardware vendors were freely distributing the same versions of their products to everyone in the world, even if strong encryption algorithms were included.  This means that anyone with recent software, i.e. 2001 or later, will be able to employ strong encryption and will not need “Export Grade” encryption, even if they are not located in the USA or Canada.

In particular:

  • Internet Explorer versions starting with 3.02 and before 5.5 came in two flavors — one for the US/Canada and one for everyone else
  • In 2001 Microsoft released its “High Encryption Pack” that allowed anyone in the world to upgrade their systems (i.e. Internet Explorer and Outlook / Outlook Express) to use strong encryption.
  • Netscape’s web browser supported strong encryption in all versions starting with 4.73
  • Mozilla FireFox has always had support for strong encryption
  • Internet Explorer versions prior to 3.02 and Netscape versions prior to 4.02 do not support strong encryption at all.

What are “Export Grade” and “Strong” Encryption?

When using SSL or TLS to communicate securely over the Internet, various “ciphers” are made available by the servers.  These ciphers are different algorithms that can be used to perform the encryption.  They vary based on how secure they are and how much work they require of the computers to perform the math for the encryption and decryption.  In a significant sense, the security of each cipher is related directly to the number of “bits” in its “key”.  The most common ciphers use keys of 40, 56, or 128 bits.

Ciphers with 40- or 56-bit keys are only marginally secure, as they can be cracked by a desktop computer in a relatively short period of time, and certainly much faster now than 8 years ago.  These weak ciphers are classified as “Export Grade”.  Ciphers with 128-bit or longer keys are not export grade and generally speaking constitute “strong encryption”.

With the modification of the US export laws, vendors were able to include 128-bit ciphers in their products and were able to distribute these all over the world (except of course to certain “enemy” countries).

If this happened so long ago, why bring it up now?

Server software that supports SSL or TLS security for encrypting Internet traffic often has support for “Export Grade” ciphers enabled by default.  However, some client-side software programs, when presented with weak options, will not necessarily utilize the strong ciphers available and will instead use the weak ones by default, thus practically eliminating the benefit of encryption altogether.  Additionally, the PCI Security Standards Council (the folks who tell you what you have to do if you want to accept credit cards on your web site) prohibits the use of Export Grade security ciphers.
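The two points above (40/56-bit keys counting as “Export Grade”, and a client quietly settling on a weak suite that the server still offers) can be made concrete with a small audit script. This is an added example, not code from the original post: the cipher table is a hand-built subset of historic OpenSSL suite names with their symmetric key sizes, the server cipher string and the legacy client preference list are constructed samples, and the negotiation function is a simplified model of how a TLS server picks from the client’s list, not a real TLS implementation.

```python
"""Grade SSL/TLS cipher suites by key length and show why leaving
export-grade suites enabled on a server matters.

Added example for the post above; not the post's own code.  KEY_BITS is a
constructed subset of historic OpenSSL cipher-suite names mapped to their
symmetric key size in bits, and DEFAULT_SERVER / LEGACY_CLIENT are
constructed sample configurations.
"""

# Symmetric key length in bits for a handful of historic OpenSSL suite names
# (constructed table).  The EXP- suites carry 40-bit keys; single DES has a
# 56-bit key but no prefix, yet it is still "export grade" under the post's
# 40/56-bit definition.  Grading follows the post's key-length criterion
# only and says nothing about an algorithm's other weaknesses.
KEY_BITS = {
    "EXP-RC4-MD5": 40,
    "EXP-RC2-CBC-MD5": 40,
    "EXP-DES-CBC-SHA": 40,
    "DES-CBC-SHA": 56,
    "RC4-MD5": 128,
    "RC4-SHA": 128,
    "AES128-SHA": 128,
    "DES-CBC3-SHA": 168,
    "AES256-SHA": 256,
}

# Minimum key length the post treats as "strong encryption".
STRONG_MIN_BITS = 128

# Constructed sample: a server default that lists suites strongest-first but
# still leaves the 56-bit and 40-bit suites switched on.
DEFAULT_SERVER = (
    "AES256-SHA:AES128-SHA:DES-CBC3-SHA:RC4-MD5:"
    "DES-CBC-SHA:EXP-RC4-MD5:EXP-DES-CBC-SHA"
)

# Constructed sample: an old international client that lists its export
# suite first even though it also supports AES.
LEGACY_CLIENT = ["EXP-RC4-MD5", "DES-CBC-SHA", "RC4-MD5", "AES128-SHA"]


def grade(suite):
    """Return 'export', 'strong', or 'unknown' for one suite name."""
    bits = KEY_BITS.get(suite)
    if bits is None:
        return "unknown"
    return "export" if bits < STRONG_MIN_BITS else "strong"


def audit(cipher_list):
    """Split a colon-separated OpenSSL cipher string and bucket each suite.

    Unknown names are reported separately so a policy check never silently
    treats an unrecognised suite as acceptable.
    """
    offered = [s for s in cipher_list.split(":") if s]
    report = {"strong": [], "export": [], "unknown": []}
    for suite in offered:
        report[grade(suite)].append(suite)
    return report


def hardened(cipher_list):
    """Return the cipher string with only the suites graded 'strong' kept."""
    return ":".join(s for s in cipher_list.split(":") if grade(s) == "strong")


def negotiate(client_prefs, server_offered, server_order=False):
    """Model which suite a handshake lands on.

    The server may pick any suite the client listed.  With server_order
    False it honours the client's ordering (a common default), so a client
    that lists a 40-bit suite first gets export-grade encryption even though
    both sides support AES.  With server_order True the server walks its own
    list first.  Returns None when there is no suite in common.
    """
    if server_order:
        first, second = server_offered, client_prefs
    else:
        first, second = client_prefs, server_offered
    for suite in first:
        if suite in second:
            return suite
    return None


if __name__ == "__main__":
    server = DEFAULT_SERVER.split(":")
    print("audit:", audit(DEFAULT_SERVER))
    print("client order, default server :", negotiate(LEGACY_CLIENT, server))
    print("server order, default server :",
          negotiate(LEGACY_CLIENT, server, server_order=True))
    print("client order, hardened server:",
          negotiate(LEGACY_CLIENT, hardened(DEFAULT_SERVER).split(":")))
```

Run as a script, the three negotiation lines show the progression the post describes: with the default list and client ordering the legacy client lands on the 40-bit EXP-RC4-MD5, enforcing server ordering moves it to AES128-SHA, and removing the export suites altogether means the same client can only reach a 128-bit suite. In Apache’s mod_ssl the equivalent policy is expressed by excluding `EXP` and `LOW` from `SSLCipherSuite` and turning on `SSLHonorCipherOrder`.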

As a result, IT staff in charge of server management are faced with the requirement for eliminating support for Export Grade security, but are afraid of alienating international users.

IT staff need not worry about it unless they need to support very old legacy systems in foreign countries. In these cases, they should consider use of SGC SSL Certificates that can auto-upgrade such users from weak encryption to strong 128-bit encryption.