NSA Denies Triple DES Export Licenses Even For "Friendly" Users

Last month, Qualcomm filed with the State Department an application to export my IP Security (ESP) code for KA9Q NOS to Singapore.

Our stated purpose was to encrypt an Internet "tunnel" between Qualcomm's US facilities and our office in Singapore, which is staffed by two US citizens. We stated that the software would be used solely for this purpose and would not be transferred to anyone else.

Our application indicated that the software in question supported both single and triple DES.

On March 11, the Office of Defense Trade Controls returned our application stamped "RETURNED WITHOUT ACTION". The following form was attached:

					United States Department of State
					Bureau of Political-Military Affairs
					Office of Defense Trade Controls

					Washington, DC 20520-0602
					MAR 11 1996 [stamped]

DTC CASE - 664149
The enclosed application has been voided and is being RETURNED WITHOUT ACTION for the reasons indicated below:

_X_1. Submit a new application including all required background and documentation. Do not return the enclosed application.

[25 other unchecked items omitted. These referred mainly to administrative problems like "you used the wrong form", "you didn't file enough copies of the supporting technical data", etc.]

_X_27. Please submit another license [sic] once your software has been modified so that it no longer contains triple DES. Please specify object code only on your license application.

					Darlene Staniszewski
					Licensing Officer
					(703) 875-5677

[end of form]

So there you have it. NSA makes good on its threat to ANSI X9 that triple DES would not be exportable.

This was a case where keeping strong crypto out of the hands of terrorists and unfriendly governments was clearly not at issue. It dealt strictly with the ability of a US corporation to defend its international operations against against industrial espionage. Or, perhaps more to the point, espionage by the NSA.

Certainly seems like a good argument in favor of the Leahy bill to me.

One mildly interesting thing about this form letter response is that item 27 appeared to be part of the standard form -- it wasn't typed into an "other" field of an existing form. Perhaps they added it to the word processing file for this one occasion. Or perhaps they deny triple DES exports so regularly that they now have a standard form item to deal with it.

Phil Karn