What are the export limitations for AES data encryption?

Although AES is free for any use public or private, commercial or non-commercial programs that provide encryption capabilities are subject to U.S. export controls. Expert Michael Cobb reviews the limitations.

Are there exportation limitations for AES data encryption? Lots of laptop vendors now offer this kind of disk encryption as a feature. And does it matter if it's 256 or lower levels?

The Advanced Encryption Standard (AES) is used by the U.S. government to protect classified information, replacing its predecessor, the Data Encryption Standard. It's the first publicly accessible and open cipher approved by the United States National Security Agency (NSA) for top secret information and is one of the most popular algorithms used in symmetric key cryptography. AES has key sizes of 128, 192 and 256 bits, with 256 being the hardest to crack. All three key lengths are sufficient to protect classified information up to the SECRET level. (TOP SECRET information requires the use of either 192 or 256 key lengths.)

The only successful attacks against AES data encryption have been side-channel attacks, which don't attack the actual AES cipher, rather its implementation. For example, in 2005, without brute force, a hacker captured inadvertently leaked time-caching data and broke a custom server that used OpenSSL's AES encryption. Encryption algorithms themselves are usually not the weak point in an encryption product or service. Usually, there are implementation flaws or key management errors, which is why the implementation of AES in products intended to protect national security systems and information has to be reviewed and certified by the NSA prior to their use.

Although AES is free for any use public or private, commercial or non-commercial programs that provide encryption capabilities are subject to U.S. export controls and sanctions administered by the Bureau of Industry and Security (BIS) under the Export Administration Regulations (EAR) and the Commerce Control List (CCL). Most commercial encryption products have a license exception assigned to them by the BIS. The exception allows them to be exported to specified destinations without having to obtain a separate license each time from the Commerce Department. None of these license exceptions, however, allow encryption products to be exported to the following embargoed countries: Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.

The control of the export of encryption tools is taken seriously by the U.S. government and by vendors. In data encryption provider PGP Corp.'s license agreements, for example, customers must represent that they will not export to a prohibited country or to a restricted type of user. Even the release of technology or source code to a foreign national in the United States is subject to the EAR and is deemed to be an export to the home country of the foreign national. Although export regulations have been relaxed, they are still quite complex, so I suggest you contact a lawyer for further advice.

Dig Deeper on Data security and privacy

Enterprise Desktop
  • Understanding how GPOs and Intune interact

    Group Policy and Microsoft Intune are both mature device management technologies with enterprise use cases. IT should know how to...

  • Comparing MSI vs. MSIX

    While MSI was the preferred method for distributing enterprise applications for decades, the MSIX format promises to improve upon...

  • How to install MSIX and msixbundle

    IT admins should know that one of the simplest ways to deploy Windows applications across a fleet of managed desktops is with an ...

Cloud Computing