
CommonCrypto and export laws

You can answer "YES" to question #2, if the encryption in your app is:

(a) is specially designed for medical end-use;

(b) is limited to intellectual property or copyright protection;

(c) is limited to authentication, digital signature or the decryption of data or files;

(d) is specially designed and limited for banking use or 'money transactions';

(e) is limited to “fixed” data compression or coding techniques; or

(f) if your app meets the descriptions provided in Note 4 to Category 5 Part 2.


So, this is what Apple asks when submitting an app. Now, I read in some places that if you use their CommonCrypto then it's OK, but in other places I read it still isn't OK. I sent them an e-mail, but still no answer. So I'm asking here too ...

My app encrypts user settings, like sound/mute, left handed, etc., the current game state (it's a word game, so people won't tamper with the files to modify the words/score) and the highscores, again so people won't tamper with the highscores and send scores like 9999999 to Game Center.

Obviously I'm using the CommonCrypto library.


I did search these forums, but the newest posts I could find were from 2008/2009.



Cheers,

Roland.

Mac mini, Mac OS X (10.6.8)

Posted on Jul 31, 2011 1:35 PM

Question marked as Top-ranking reply

Posted on Jul 31, 2011 4:23 PM

CommonCrypto is used by iOS, so you're not using anything unique you need to report. Your answer then is: No


http://developer.apple.com/library/mac/#documentation/Security/Conceptual/Security_Overview/Architecture/Architecture.html

31 replies

Aug 1, 2011 8:31 AM in response to xnav

I thought it's not as strong as AES, but what am I going to answer to

"Is your product designed to use cryptography or does it contain or incorporate cryptography?"? Go ahead and lie and say no, hoping DES isn't strong enough for them to care? But then again, if I'm honest and answer yes, what am I going to answer to

"You can answer "YES" to question #2, if the encryption in your app is:

(a) is specially designed for medical end-use;

(b) is limited to intellectual property or copyright protection;

(c) is limited to authentication, digital signature or the decryption of data or files;

(d) is specially designed and limited for banking use or 'money transactions';

(e) is limited to “fixed” data compression or coding techniques; or

(f) if your app meets the descriptions provided in Note 4 to Category 5 Part 2."? Answer yes here?


The guys at eurodev(at)apple.com answered me about CommonCrypto usage, but honestly I don't know what to understand from it. If I go ahead and use DES, will it be "limited use or strength of cryptography" and will I be eligible for self-classification?


Items that employ limited uses or strengths of cryptography, such as authentication, anti-virus, may be eligible for self-classification. For specific definitions and additional items that do not require review or notification, see the Related Controls and Technical Notes under ECCN 5A002 in Category 5, part 2 of the Commerce Control List (CCL) (Supplement 1 to part 774). See §742.15(b)(3)(iii) or discuss with the U.S. Bureau of Industry and Security Encryption Division. Regulations are available online:


<http://www.access.gpo.gov/bis/ear/ear_data.html>


From that link, I tried to find something I can understand and that would be useful to me (given the fact I'm TOTALLY new to encryption stuff), and what I stopped at was

<N.B. to Note 3 (Cryptography Note): You must submit a classification request or encryption registration to BIS for mass market encryption commodities and software eligible for the Cryptography Note employing a key length greater than 64 bits for the symmetric algorithm (or, for commodities and software not implementing any symmetric algorithms, employing a key length greater than 768 bits for asymmetric algorithms or greater than 128 bits for elliptic curve algorithms) in accordance with the requirements of §742.15(b) of the EAR in order to be released from the “EI” and “NS” controls of ECCN 5A002 or 5D002.>


So, given all this info (and that link, if it's not too much to ask to have a look at it), could you please give me a final piece of advice on what to do? Is your last post a short version of the above paragraph I quoted from BIS, meaning I can answer no to "Is your product designed to use cryptography or does it contain or incorporate cryptography?"?


Thanks a lot.

Aug 1, 2011 8:50 AM in response to xnav

I did, but I don't know how DES works 😟 I don't even know how a symmetric key differs from an asymmetric one. I don't want to say what I believe or not since I don't want to sound dumber than I already look 🙂 And even if what I believe is true, I should ask anyway, since I'm not sure.

Aug 1, 2011 9:13 AM in response to xnav

Ok, so this is the final one 😝

I can just replace the AES256 prefixes with DES in that category I posted on the last page, like you already told me, and be OK, because what you highlighted in the screenshot 2 posts before is actually what

"(f) if your app meets the descriptions provided in Note 4 to Category 5 Part 2."

is talking about, right?

Aug 1, 2011 11:03 AM in response to xnav

Awesome, thanks for bearing with me 🙂 I know I've been quite a pain.


Now off topic, if you'd be willing to give me a hand with general encryption stuff ..., some things I stumbled upon while tweaking to DES: I know that a letter = 1 byte = 8 bits, does that mean I can only use a key 7 letters long? Or can I type anything and the algorithm will only use the first 7 anyway?

I played with my encrypt key/decrypt key and if the encrypt key is abcdefghijklmn, the decrypt key can be abcdedfgh and the result is the same. If I make it 7 letters long though, it gives me an error ... 😟

Aug 1, 2011 11:52 AM in response to xnav

That is one of the few things I understand about encryption :p longer keys = better. But if DES works with 56-bit keys and one letter = 1 byte = 8 bits, doesn't it mean 56 bits = 7-letter (character) keys?


As an example, as I said in my last post, if I use abcdefghijklm as the encrypt key but only use abcdefghi as the decrypt key, I still get proper data back :s

Aug 1, 2011 12:29 PM in response to rspRoland

From the Wikipedia article I cited:

In the case of DES, the block size is 64 bits. DES also uses a key to customize the transformation, so that decryption can supposedly only be performed by those who know the particular key used to encrypt. The key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. Eight bits are used solely for checking parity, and are thereafter discarded. Hence the effective key length is 56 bits, and it is never quoted as such. Every 8th bit of the selected key is discarded, that is, positions 8, 16, 24, 32, 40, 48, 56, 64 are removed from the 64 bit key leaving behind only the 56 bit key.
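The parity-bit behaviour quoted above is what makes the poster's 10-character encrypt key and 8-character decrypt key interchangeable. The following is an added example, not code from the thread or from CommonCrypto: it applies the standard DES PC-1 selection (FIPS 46-3) to reduce a supplied key to the 56 bits the cipher really uses, so two keys that differ only in every 8th bit compare equal. It assumes, as the thread reports, that bytes beyond the 8th are ignored and fewer than 8 bytes is an error.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* PC-1 from FIPS 46-3: the 56 key-bit positions DES actually uses.
 * Positions are 1..64, position 1 = most significant bit of byte 0.
 * Note that 8, 16, 24, ..., 64 (the parity bits) never appear. */
static const uint8_t PC1[56] = {
    57, 49, 41, 33, 25, 17,  9,  1, 58, 50, 42, 34, 26, 18,
    10,  2, 59, 51, 43, 35, 27, 19, 11,  3, 60, 52, 44, 36,
    63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
    14,  6, 61, 53, 45, 37, 29, 21, 13,  5, 28, 20, 12,  4
};

/* Read bit `pos` (1..64) of an 8-byte key, MSB-first within each byte. */
static int key_bit(const uint8_t key[8], int pos)
{
    return (key[(pos - 1) / 8] >> (7 - (pos - 1) % 8)) & 1;
}

/* Reduce a caller-supplied key to the 56 bits DES uses, packed MSB-first
 * into out[7]. Fewer than 8 bytes is an error (there is no room for the
 * 8 parity bits); bytes past the 8th are ignored (assumption matching the
 * behaviour reported in the thread). Returns 0 on success, -1 on error. */
int des_effective_key(const uint8_t *key, size_t keylen, uint8_t out[7])
{
    if (key == NULL || keylen < 8)
        return -1;
    memset(out, 0, 7);
    for (int i = 0; i < 56; i++)
        out[i / 8] |= (uint8_t)(key_bit(key, PC1[i]) << (7 - i % 8));
    return 0;
}

/* 1 if both keys produce the same DES key schedule, 0 otherwise
 * (including when either key is too short to be usable). */
int des_keys_equivalent(const uint8_t *a, size_t alen,
                        const uint8_t *b, size_t blen)
{
    uint8_t ka[7], kb[7];
    if (des_effective_key(a, alen, ka) != 0 ||
        des_effective_key(b, blen, kb) != 0)
        return 0;
    return memcmp(ka, kb, 7) == 0;
}
```

"abcdefgh" and "abcdefgi" differ only in the last bit of the last byte (a parity position), so they are the same DES key; "abcdefgj" flips bit 63, which PC-1 keeps, so it is a different key.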

Aug 1, 2011 4:06 PM in response to xnav

xnav wrote:


With DES 7 bytes won't work because the algorithm needs 8 bytes so it can use (throw away) 8 bits for parity, and you are correct anything over 8 bytes is ignored.

Thought so 🙂 that's why when my encryption key is 10 chars long but my decryption key is the same but 2 chars shorter, I still get proper data back. Thank you for the small encryption lesson here 😝


KT wrote:


>all I can do is see how it works out


As I said, good luck and if you have the time, pls. feel free to return and update the thread.


Well, for now I'm using DES and hope no one is gonna take the time to crack it, hehe 😝 not that it would be worth it anyway.

But as an idea, if you wanna talk about it, I had one and implemented it while talking here, just in case DES wasn't an option either:

When someone plays and presses "end game" and is taken to the highscore screen, the score is saved in the keychain and in my scoresArray that is saved to file (obviously, only if it's greater than all the values in scoresArray and greater than the previous value stored in the keychain), to show the top 10 scores.

When going to the highscore view without playing, it updates scores obtained during offline mode with GameCenter, this was my concern about someone tampering with the highscore file.

So now I added an extra check: if any of the entries in scoresArray is higher than what I saved in the keychain, it gets removed from the array since it was obviously manually added; after all the removing I check if the array is now empty, and if it is, it means the guy modified all the highscores, so the value from the keychain gets added at index 0 in the scoresArray as the new highest score. The name of the player that will be next to the score added this way will be "cheater" 🙂

Better explained in code xD

This is the best idea I could come up with so far :/


Was wondering whether to actually use this on top of the encryption, as an "extra layer", but I personally don't think anyone is gonna take the time to crack the DES key just to tamper with Game Center scores :S


edit: zzzz, is there no way to code-format text here? xD


http://pastie.org/private/rjqgfbuuqd9kq2upxbkna


edit2: this is the MD5 route I told you about earlier, where I add a custom string at the end of the to-be-hashed-data


http://pastie.org/private/lrakvv1mdp2r5ju63blqcg
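The pastie links above are no longer reachable, so here is the highscore sanity check described in the post, written out as an added example (not the poster's code): entries that beat the keychain's best score are dropped, and if that empties a non-empty list, slot 0 is re-seeded from the keychain under the name "cheater". The struct layout and the "only re-seed when something was actually removed" guard are this example's own assumptions.

```c
#include <stddef.h>
#include <string.h>

#define NAME_LEN 16

/* One row of the top-10 table persisted to file (assumed layout). */
typedef struct {
    char name[NAME_LEN];
    int  score;
} HighScore;

/* Validate the on-disk score table against the keychain's best score.
 * Every genuine score also went into the keychain, so any entry above
 * `keychain_best` cannot have been earned and is removed in place
 * (order preserved). If removals leave the table empty, slot 0 is
 * re-seeded with the keychain value under the name "cheater".
 * Returns the number of entries now in `scores`. */
size_t validate_scores(HighScore *scores, size_t count, int keychain_best)
{
    size_t kept = 0;
    for (size_t i = 0; i < count; i++) {
        if (scores[i].score <= keychain_best)
            scores[kept++] = scores[i];
    }
    /* Only re-seed when tampered entries were actually thrown away; an
     * empty table from a fresh install is left empty (assumed guard). */
    if (count > 0 && kept == 0) {
        memset(&scores[0], 0, sizeof scores[0]);
        strncpy(scores[0].name, "cheater", NAME_LEN - 1);
        scores[0].score = keychain_best;
        kept = 1;
    }
    return kept;
}

/* Convenience check: 1 if the table contains an entry above the keychain
 * value, i.e. it would be modified by validate_scores(). */
int scores_tampered(const HighScore *scores, size_t count, int keychain_best)
{
    for (size_t i = 0; i < count; i++)
        if (scores[i].score > keychain_best)
            return 1;
    return 0;
}
```

The keychain value is the trust anchor here, so the check is only as good as the keychain entry being harder to edit than the score file.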

Aug 1, 2011 5:32 PM in response to rspRoland

For a full blown discussion/critique, you should move to the iOS Dev Forums...toss your ideas out there and see what comes back.


And I'll try one more time to dissuade you - no one has been able to stem the tide.. no one. Many have tried. Put your efforts/sweat/focus in places that at least have some promise of ROI instead.


And again, thinking out loud about anti-piracy ideas out here on the public forum only makes it easier for the pirates...why do that.
