Rijndael encryption

One easy way is to use the AES code provided by Dr Brian Gladman at http://fp.gladman.plus.com/AES/
It is open source and needs only an acknowledgment in the app.
I have used this in early Mac apps prior to Apple providing AES support.

Encoding a file with a block cypher presents the problem of padding the file to a multiple of the block size and this can be done many different ways, there does not seem to be a standard.

Finally, getting crypto right is not as easy as one might expect, best to get some expert help or at least a review by a crypto expert.

Yes, I did exactly the same thing. Sent an email to BIS and then uploaded this email in pdf format to iTunesconnect. Now the status has not changed since two days and I do not know whether there is anything to do from my side.

Sent an mail to Apple but got nothing back. I use Blowfish 128, which is public domain and should only require a TSU notification to BIS.

Chased the BIS as well as Apple but they aren't responding. This is frustrating.

Will post here if I have some more insight into the process.

Cheers

It is interesting how Blowfish keeps surfacing, I wonder if the users are aware that there are known vulnerabilities? Also why Blowfish when it has essentially been superseded by TwoFish? I also wonder why one would chose Blowfish over AES? I wonder a lot.:-)

Well, this was not exactly the answer I was hoping to get 🙂

The reason I chose Blowfish was that I had a descent implementation at hand, which was tested. I am not an crypto expert. Can you give me some resources so I can decide if it is a show stopper for my use case?

Thanks.

I realize that BlowFish is easy to implement, easy code to integrate. The next easiest is AES via OpenSS. The "Gladman" code is rather easy as well, I used it several years ago.

Currently there are two cyphers currently that are in mainstream usage for new apps yes there are others with lesser use). DES, usually now Triple DES, is used for electronic banking for historic reason and AES for new usage. One should have a compelling reason to use anything else. One other interesting choice is TEA (Tiny Encryption Algorithm) http://en.wikipedia.org/wiki/XXTEA but should be relegated to "Toy Usage" but is probably fine where the user is allowed to choose poor passwords.

If you are going to do crypto and don't have lot's of time to spend studying get "Secure Programming Cookbook" from O'Reilly ad use the samples. Here are some issues, if you don't understand them then you need to do some studying: Do not use a password for the encryption key, use a HMAC to generate the key. Why rand() should not be used. How to chose an IV. ECB vs CBC mode. How to pad a file's size to cypher block size. A file will become larger (by a few bytes) due to padding. Using a stream cypher maintains the file size but is a bad idea.

On any serious project I always pay a security expert to review the design and implementation.

For those keeping score, my export compliance was finally processed. It took 16 days. eWallet took about 15 days as well.

Yeah, me too, you're just in review mode now, though, right?

Who knows how long that will take..

Yep, in review now. "Looking forward" towards another two weeks worth of pulling my hair out not being to control my own destiny.


Did you file for real review with BIS or just sent a notification email?

And my application finally went through on Monday, three weeks after being submitted.

I'm now needing to do this. Did using the "TSU Notification" email work for you?
Thanks,
GB

Sorry for the late reply.

The TSU Notification will not suffice. The TSU is only for public domain software. As you will distribute your app through the App Store I guess it will not be in the public domain.

You need to use the multi form BIS-748P for a mass market product. This form is not available for download. You want to apply for a PIN for the SNAP-R service. This will take approx 10 days. To get the PIN you need to send a Company Certification to their fax @ 202-219-9182. Use this number. The other number given on their web site is not working.

After that you will be able to send in your documents to their SNAP-R portal. Then they will have a look at the documents (this will take another 30 days). The whole process is ridiculous and frustrating.

http://www.bis.doc.gov/encryption/massmarket_keys64bitsnup.html is a good starting point to get things going.

Good luck - you will need it 🙂

sunaj,

Did you successfully acquire a CCATS document? Did you apply using the SNAP-R service? If so, how did you get a duplicate print out of the form to send to the ENC Encryption Request Coordinator? From what I can see online, you must still send a duplicate hard copy to the ENC.

@DenNukem - i have a similar issue. We link our software with openssl libraries on the iphone to implement tls/ssl.

Did you finally get around with a notification email or did you do the full review with BIS?