I am preparing an app version of one of my websites.

The app requires you to log in in order to access your user account. This login process is done over HTTP, not HTTPS, but the password is stored using MD5 and a few other hashes on my server.

Does this count as "encryption" within the app, and therefore require me to submit one of those Export Compliance forms?

Thanks for your help.

  • @Neelesh: MD5 is a cryptographic hashing function, not a method of encryption. – mdm Aug 27 '11 at 10:30
  • I wouldn't use MD5 anymore. It's considered broken. Nowadays you should use the SHA-2 hashes (SHA-256 and SHA-512). Also, I don't think that having multiple hashes helps. – Georg Schölly Aug 27 '11 at 10:40

1 Answer

I'm assuming you're referring to the US Cryptography Export restrictions. Those practically don't exist anymore. Even if they did exist, MD5 is a hash function, and does not encrypt (otherwise, there'd be an un_md5 function).

Also, if the ban still existed and were applicable, your scheme is needlessly weak, so it would probably still be allowed, just as easily crackable 40-bit symmetric encryption algorithms were.

phihag
  • OK, so I'll be OK to submit it without encryption? If I were to use SHA-2, would I require approval? – Harry Elliott Aug 27 '11 at 12:23
  • @Harry Elliott For 99.9% of applications, **there is no submission process anymore**. The only restrictions that still apply cover explicitly selling to terrorist organizations or the Iranian/North Korean government. – phihag Aug 27 '11 at 13:45
  • OK - I get the idea! Thanks for your help. – Harry Elliott Aug 27 '11 at 16:48