T 3.32 Violation of basic legal conditions for the use of cryptographic procedures

Various basic legal conditions must be taken into consideration when using cryptographic products. In some countries, for example, cryptographic procedures may not be used without consent. When encrypted data is transmitted to such countries, the recipients may therefore be unable to read it because they are not allowed to use the required decryption modules, or they may even be liable to prosecution.

Furthermore, the export of products with strong encryption is extremely restricted in many countries. The U.S. must be mentioned in particular in this regard. To comply with export restrictions, the strength of inherently strong encryption products is often reduced artificially by shrinking the key space (the number of possible keys). Such artificially weakened procedures sometimes do not even provide sufficient protection for medium protection requirements. This applies, for example, to standard PC software from the U.S., such as internet browsers (SSL), where only a reduced key length of 40 bits is used. In some cases, however, the export regulations also require parts of the keys to be deposited. The encryption modules can then be used without any restriction in principle, but foreign intelligence services are given a means of access as and when required.

Conversely, such restrictions on use in some countries and/or on export could make it tempting to leave data worthy of protection unencrypted or to protect it with substandard encryption products. This may open the floodgates for attackers and may also cause national law to be violated. For example, data protection laws may require the use of adequate cryptographic procedures to protect personal data.