Cryptographic ciphers are often measured and described in terms of their strength. Different ciphers offer different strength depending on how hard they are to break. "Strong" ciphers are more difficult to break than "weak" ciphers. Different types of data lend themselves to different strengths of cryptography. For instance, if the cost required to break a cipher is greater than the value of the protected data, that particular cipher is most likely appropriate for the data even though the cipher may be relatively weak compared to other ciphers. If the time required to break a cipher is longer than the time needed to keep the protected data secret, the cipher is properly suited for the data.
In public key cryptography, the cipher typically derives its strength from the length of the key used to encode the data. A "key" is a string of bits and its "length" is expressed in the number of bits in the string. The same cipher can be weak or strong depending upon the key length. A cipher with a comparatively short key length (e.g., 40 or 56 bits) may be considered weak, whereas the same cipher with a comparatively long key length (e.g., 128 bits) may be deemed strong. It is common today for various software products to employ ciphers with 40-bit or 56-bit keys, which are generally characterized as weak, as well as ciphers that employ 128-bit keys, which are generally considered to be strong.
Because of their potential for illegal or improper use, cryptographic ciphers cannot be exported from the United States without approval from the U.S. government. Generally, products with "weak" ciphers having short key length may be exported. Such products are said to have "exportable strength" cryptographic functionality. Products with "strong" ciphers having long key lengths are usually not permitted to leave the country. To export a cryptographic product from the U.S., the product manufacturer or exporter must first obtain an export license from the U.S. government.
As a result of this government policy, the makers of cryptographically enhanced products face a dilemma. They would like to make a single product that can be sold in the U.S. and exported abroad without the hassle of securing special export licenses for each and every foreign market.
FIG. 1 illustrates this point. A cryptographic product provider 10 makes a single product 12 that utilizes cryptographic services, such as encryption, decryption, digital signing, and authentication. To enable global exportation to Europe and Asia without having to secure special export licenses, the provider 10 typically configures the product with a weak "exportable-strength" cipher. As a result, the U.S. version of the product is likewise pared down to the lowest exportable-strength cipher. However, some U.S. customers might request and be entitled to use higher strength ciphers. Such customers must submit special requests to the provider, along with proof of residence and proposed use, before the provider 10 can release a stronger version of the product.
Accordingly, there is a need to provide an improved technique for supplying cryptographically enhanced products throughout the world.