AES256 encryption and The Wassenaar Arrangement

Razorback55

Member
Joined
Mar 6, 2025
Messages
16
Hello,

I wonder about the Wassenaar Arrangement of which the U.S. is a party, as well as Europe, Australia, India and even Russia.

ChatGPT tells me that walkie-talkies are indeed subject to the Wassenaar Arrangement if they use strong cryptography.
Part 5b of the Arrangement requires an export permit to be obtained for any foreign buyer if the encryption keys are longer than 56 bits.

See page 7:


It can be seen that this Arrangement is well in force, in particular with the European TETRA standard.

I won't go into detail here, but the researchers have demonstrated that the TEA1 for commercial applications with an 80-bit key actually has a key of only 32 bits, and the TEA7, which is a commercial encryption also given with 192-bit keys, actually has 56-bit keys (the maximum allowed by the Wassenaar Arrangement).


The new algorithms TEA5 and TEA6 use 192 bit keys without any reduction but are also restricted in where they can be deployed. The new algorithm TEA7 has an effective key length reduction to 56 bits and will be available in many countries as per the Wassenaar Arrangement.

So we know that the Wassenaar Arrangement is still active.

All the Motorola, Hytera or even Chinese radios that offer AES256 bits (and are therefore banned from export) are nevertheless exported without problem throughout the planet.

Since no buyer has to get an import license (not on Aliexpress, Amazon or anything else), what can make you believe that AES256-bit is reliable?

Wouldn't there be a backdoor like in TETRA? Maybe not in the AES256 algorithm but elsewhere in the protocol (bits of the key transmitted on air, master code transmitted on air to get the key...)
 

mmckenna

I ♥ Ø
Joined
Jul 27, 2005
Messages
26,034
Location
United States
I imported two HF radios from Codan out of Australia. They had AES256.
I had to fill out paperwork and receive approval from the Australian DOD.

If you are looking for an easy backdoor into AES256, a lot of people have tried, and it's still secure.
 

Razorback55

Ok, so your CODAN radios are reliable.

No, it's the other way around, I'm not trying to decrypt anything, I'm trying to encrypt and therefore to know if the hardware you buy without import papers with AES256 is reliable, which seems unlikely to me because any drug dealer can buy and import this kind of material into the U.S. and have it delivered to a PO Box.

I can't understand how it could be possible to authorize such reliable hardware without knowing who is buying it.

And if you tell me that this is still the case, then why in some cases do you have to fill out import papers, like to buy your CODAN radios, and in other cases you can buy anonymously without any problem?


For Hytera AES256, you can buy a license online and pay with PayPal!!

You can buy Motorola AES256 in Ukraine online:


mmckenna

> Ok, so your CODAN radios are reliable.
>
> No, it's the other way around, I'm not trying to decrypt anything, I'm trying to encrypt and therefore to know if the hardware you buy without a license with AES256 is reliable, which seems unlikely to me because any drug dealer can buy and import this kind of material into the U.S. and have it delivered to a PO Box.
>
> I can't understand how it could be possible to authorize such reliable hardware without knowing who is buying it.
>
> And if you tell me that this is still the case, then why in some cases you have to get a license like to buy your CODAN radios and in other cases you can buy anonymously without any problem.

If you need reliable/verifiable AES256, you look for the FIPS 140-2 compliant hardware.

If you don't, you buy Cheap Chinese Radios and figure "it's good enough".
 

Razorback55

> If you need reliable/verifiable AES256, you look for the FIPS 140-2 compliant hardware.
>
> If you don't, you buy Cheap Chinese Radios and figure "it's good enough".

Ok, so that means that the hardware you buy without identity verification probably has a backdoor somewhere?
 

mmckenna

> ok so that means that the hardware you buy without identity verification probably has a backdoor somewhere?

I wouldn't say it "probably" does. Only that if something truly meets the FIPS standard that it has been properly vetted for use by feds.

These Cheap Chinese Radios with encryption are aimed at two obvious markets:
1. Businesses that think they've got something that needs to be protected, but not smart enough to know the difference.
2. Preppers, whackers, milsim or hobbyists

No reputable public safety radio guy would load encryption keys into an unknown radio. I have no idea how these Chinese radios handle keyloading or how they protect the key once in the radio.


Truth is, you either need encryption or you don't. If you actually -require- encryption, then you'd need to do it correctly, and not rely on some low buck Chinese radio.
 