"Alan" writes:
-+------------
 | What are the rules these days on crypto exports.  Is a review
 | still required?  If so, what gets rejected?
 | 

The following is a recent interaction with specialty
export counsel, though somewhat modified as I detoxed
it from base64 to ASCII plaintext and from infinite
line length to fixed line length.

When you file, you have immediate permission to export
to, essentially, the anglophone democracies and western
Europe.  If you have heard nothing in 30 days elapsed
time, you are then free to export generally but you will
never be permitted to export to the embargoed country
list (Cuba, Iran, Sudan, Syria, North Korea, and Libya).

YMMV.

--dan



-----------------8<------------cut-here------------8<-----------------

A. BIS Checklist of Questions:

1. Does your product perform "cryptography", or otherwise
contain any parts or components that are capable of performing
any of the following "information security" functions?
 
(Mark with an "X" all that apply)
 
a.  _____  encryption
b.  _____  decryption only (no encryption)
c.  _____  key management / public key infrastructure (PKI)
d.  _____  authentication (e.g., password protection, digital signatures)
e.  _____  copy protection
f.  _____  anti-virus protection
g.  _____  other  (please explain) : ___________________________________
h.  _____  NONE / NOT APPLICABLE
 
2. For items with encryption, decryption and/or key management
functions (1.a, 1.b, 1.c above):

a. What symmetric algorithms and key lengths (e.g., 56-bit
DES, 112 / 168-bit Triple-DES, 128 / 256-bit AES / Rijndael) are
implemented or supported?

b. What asymmetric algorithms and key lengths (e.g., 512-bit
RSA / Diffie-Hellman, 1024 / 2048-bit RSA / Diffie-Hellman) are
implemented or supported?

c. What encryption protocols (e.g., SSL, SSH, IPSEC or PKCS
standards) are implemented or supported?
 
d. What type of data is encrypted?

B. BIS Review Requirements for Form 748-P.  If any inquiry
is not applicable, please state "N/A."
 
(a) State the name of the encryption item being submitted for review.
 
 i. Enter the name of the manufacturer of the software.
 ii. Provide a brief technical description of the basic purpose
 to be served by the encryption;
 iii. Provide a brief description of the type of encryption used
 in the software; e.g., 168-bit Triple DES for xyz purpose, and
 1024-bit RSA for abc purpose.
 
(b) You would also need to provide brochures or other
documentation as well as specifications related to the software,
relevant product descriptions, architecture specifications and,
if required by BIS, source code.  You must also indicate whether
there have been any prior reviews of the product, if such
reviews are applicable to the current submission.  In addition,
you must provide the following information in a cover letter
accompanying your review request:

 (1) Description of all the symmetric and asymmetric encryption
 algorithms and key lengths and how the algorithms are used.
 Specify which encryption modes are supported (e.g., cipher
 feedback mode or cipher block chaining mode).

 (2) State the key management algorithms, including modulus
 sizes, that are supported.

 (3) For products with proprietary algorithms, include a textual
 description and the source code of the algorithm.

 (4) Describe the pre-processing methods (e.g., data compression
 or data interleaving) that are applied to the plaintext data
 prior to encryption.

 (5) Describe the post-processing methods (e.g., packetization,
 encapsulation) that are applied to the cipher text data after
 encryption.

 (6) State the communication protocols (e.g., X.25, Telnet or
 TCP) and encryption protocols (e.g., SSL, IPSEC or PKCS
 standards) that are supported.

 (7) Describe the encryption-related Application Programming
 Interfaces (APIs) that are implemented and/or supported.
 Explain which interfaces are for internal (private) and/or
 external (public) use.
  
 (8) Describe the cryptographic functionality that is provided
 by third-party hardware or software encryption components (if
 any).  Identify the manufacturers of the hardware or software
 components, including specific part numbers and version
 information as needed to describe the product.  Describe whether
 the encryption software components (if any) are statically or
 dynamically linked.

 (9) For commodities or software using Java byte code, describe
 the techniques (including obfuscation, private access modifiers
 or final classes) that are used to protect against decompilation
 and misuse.

 (10) State how the product is written to preclude user
 modification of the encryption algorithms, key management and
 key space.

 (11) For products which incorporate an open cryptographic
 interface as defined in part 772 of the EAR, describe the Open
 Cryptographic Interface.
  
 (12) We must provide sufficient information for BIS to
 determine whether the software qualifies for "mass market"
 consideration.  The regulations offer examples of items that
 qualify.  Please comment on the applicability of any of these
 examples to your software product and how you plan to market it,
 and approximately how many units will be sold per month:
 "general purpose" operating systems and desktop applications
 (e.g., e-mail, browsers, games, word processing, database,
 financial applications or utilities) designed for, bundled with,
 or pre-loaded on single CPU computers, laptops, or hand-held
 devices; commodities and software for client Internet appliances
 and client wireless LAN devices; home use networking commodities
 and software (e.g., personal firewalls, cable modems for
 personal computers, and consumer set top boxes); portable or
 mobile civil telecommunications commodities and software (e.g.,
 personal data assistants (PDAs), radios, or cellular products);
 and commodities and software exported via free or anonymous
 downloads."

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to