Encryption laws


Sirrus
11-09-2004, 07:22 AM
My latest game uses Blowfish encryption for save files (easiest for me to use).

Does anyone know the USA laws for this in relation to selling the software online? Heard that there may be an exportation law concerning the use of Blowfish...

Thanks guys,

oNyx
11-09-2004, 07:55 AM
From the top of my head... you're allowed to use "weak" encryption. Guess it was something like 64bit.

On a side note... blowfish for save games is imo overkill. Some binary format with some kind of checksum is usually more than enough.

Sirrus
11-09-2004, 07:59 AM
Blowfish is 64-bit...I thought US laws were not more than 54-bit?

Yes it is definitely overkill...but it was convenient at the time as it's going to be a huge pain in the ass to go back and replace everything with binary, so just want to see my options.

Any other opinions?

Thanks,

oNyx
11-09-2004, 08:02 AM
Due to import control restrictions of some countries, the JCE jurisdiction policy files shipped with the Java 2 SDK, v 1.4 allow "strong" but limited cryptography to be used. An "unlimited strength" version of these files indicating no restrictions on cryptographic strengths is available for those living in eligible countries (which is most countries). You can download this version and replace the strong cryptography versions supplied with the Java 2 SDK, v 1.4 with the unlimited ones.

Hmm... well, just use 54 or 48bit then ;)

DavidRM
11-09-2004, 08:50 AM
The US has loosened the restrictions on strong encryption, but 40 bits is still the longest key you can use without having to do any paperwork. 48 bits - 64 bits, you can do, so long as you file the appropriate paperwork. You'd need to go digging around on the gov't's sites to get the precise information and specifications.

-David

Dom
11-09-2004, 02:03 PM
From what I read of it (& I'm no lawyer), the main gist of the law is that your program is ok if there is no way a user can enter plaintext and have it encrypted, and then have another user be able to decrypt the plaintext (so it can be used as an encrypted messaging system). However - allowing them to enter a username and having it encrypted is enough to fall under this definition. You must also not expose any interfaces able to encrypt/decrypt strings (I presume this means DLLs or debug builds that let you easily find the offending code).

However, our recent games use no encryption whatsoever. Partly for export reasons, but mainly as there's no point. If users crack the data format and start making save game editors etc. then it usually just adds value to your game in people's eyes. If they get stuck/bored they can always cheat :)

Nemesis
11-09-2004, 05:14 PM
I now have this mental image of FBI agents running game code through a debugger and raising alarms because the key is 41 and not 40 bits! Or under-cover agents leaving messages on hi-score tables :)

Seriously, how on earth is anyone going to enforce these US cryptography laws? Should this really be an issue in the first place?

Dom
11-10-2004, 04:32 AM
It's more a case of if they arrested a bunch of terrorists who were using your game to pass around encrypted info, then they would start asking serious questions.

keethrus
11-10-2004, 11:17 AM
I've been trying to look into this more. And from my non-lawyer quick lookover here:

http://www.bxa.doc.gov/Encryption/Default.htm

It seems that if you're going to sell any software that contains encryption you have to "ask for permission", which seems to be a confusing process of knowing which form to submit, under which this something or other, with that information, blah blah blah.

Kind of a bummer as I was wanting to sell some RSA source code soon. With all that legal mumbo jumbo, I have a lot of research to do.



Another question arises though.

How do they expect us to filter our customers between US and non-US ones? Over the internet there's no way to do this besides asking the user.

- Jeremiah

cliffski
11-10-2004, 03:16 PM
"It's more a case of if they arrested a bunch of terrorists who were using your game to pass around encrypted info, then they would start asking serious questions"

Yes, be careful. This happens all the time.

James C. Smith
11-10-2004, 03:43 PM
I can understand why it would be easy/convenient to use encryption for your save files assuming it is just a function call you already have in your library. But to avoid all the legal issues you may want to replace it. I use ZLib (Zip compression) for my save game files. It's not that I need them to be smaller. I just want them to be hard to edit. I already had ZLib in my project so it took just a couple lines of code to make my save games compressed. They are not actually saved in .ZIP format. There is no central directory or other .ZIP file header information. It is just compressed using the same compression algorithm as ZIP files but there is no way for a player to get WinZip to decompress them.

princec
11-10-2004, 04:13 PM
Well, a little fiddling with gzip/WinRAR/7zip will probably get a result ;)

Cas :)
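
An added illustration, not code from any poster in this thread: a Python sketch of the save format James C. Smith and oNyx describe, a raw zlib stream plus a checksum with no ZIP container. The `SAV1` tag, header layout and size cap are assumptions; the last function shows princec's point that the body inflates without any key, so the format detects corruption and deters casual editing but keeps nothing secret.

```python
import io
import struct
import zipfile
import zlib

MAGIC = b"SAV1"                  # hypothetical file tag, not from the thread
HEADER = struct.Struct("<4sII")  # tag, uncompressed length, CRC32 of the state
MAX_STATE = 1 << 20              # assumed cap so a crafted file cannot inflate without bound


def pack_save(state: bytes) -> bytes:
    """Raw zlib stream behind a small header; no ZIP container involved."""
    return HEADER.pack(MAGIC, len(state), zlib.crc32(state)) + zlib.compress(state, 9)


def unpack_save(blob: bytes) -> bytes:
    """Return the saved state, or raise ValueError if the file is damaged."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    magic, length, crc = HEADER.unpack_from(blob)
    if magic != MAGIC or length > MAX_STATE:
        raise ValueError("bad header")
    inflater = zlib.decompressobj()
    try:
        # Ask for at most length + 1 bytes so an oversized body is caught early.
        state = inflater.decompress(blob[HEADER.size:], length + 1)
    except zlib.error as exc:
        raise ValueError("corrupt compressed body") from exc
    if not inflater.eof or len(state) != length or zlib.crc32(state) != crc:
        raise ValueError("length or checksum mismatch")
    return state


def is_zip_archive(blob: bytes) -> bool:
    """True only if the bytes carry a ZIP central directory."""
    return zipfile.is_zipfile(io.BytesIO(blob))


def inflate_without_key(blob: bytes) -> bytes:
    """Compression has no secret: skipping the header is enough to inflate."""
    return zlib.decompress(blob[HEADER.size:])


if __name__ == "__main__":
    sample = b"level=3;gold=120;name=Player1"  # constructed sample state
    blob = pack_save(sample)
    print(is_zip_archive(blob), inflate_without_key(blob) == sample)
```

A CRC32 only catches accidental damage or naive hex edits; anyone who rewrites the state can recompute it, which is the trade-off Dom's post accepts.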