Andreas Teuchert, Arrow Central Europe GmbH

Munich, 21st January, 2014

Encryption Export Controls

Encryption Export Controls: Agenda

– Introduction to Encryption Controls

– Items in Category 5 Part 2

– When you can Export Without a Registration

– License Exception ENC

– Mass Market

– Registration, Classification, and Reporting

– Encryption Licenses

Introduction to Encryption Controls

– Encryption items were transferred from the USML to CCL in 1996.

– Controls are based on registration, classification, reporting, and licensing.

– Almost all encryption items can be exported if you comply with these controls.

Category 5, Part 2

– Encryption items

– Includes some non-encryption items

– Low electro-magnetic emission (5A002.a.4)

– Cross domain security (5A002.a.7)

– Surreptitious intrusion (5A002.a.8)

Items exempt from encryption registration, classification and reporting requirements

– Items limited to low-strength crypto

– Note 3 Mass Market items not exceeding 64 bits symmetric

– Note 1 N.B. items (medical)

– Note 2 exports (TMP and BAG)

– Note 4 items

– Items described in ECCN 5A002 decontrol notes

– Where encryption is limited to authentication only

– Publicly available items not subject to the EAR

– Items exported to certain end-users or for certain end-uses under license exception ENC

§ 740.17 License Exception ENC

| Company Registration | CCATS | Sales Reporting | Paragraph 740.17 | End User Authorization (outside E-1) | Item Description or Purpose of Export |
|---|---|---|---|---|---|
| No | No | No | (a)(1) | Companies HQD in Supp 3 | Dev/Production**** |
| No | No | No | (a)(2) | U.S. Subs | Any internal purpose**** |
| No | No | No | (b)(4) | LE ENC to gov’t and non-gov’t end users | Short-range wireless |
| Yes | Yes | Yes | (b)(2) | License required for gov’t end users not in Supp 3**; LE ENC for non-gov’t end users*** | (b)(2) commodity list |
| Yes | Yes | Yes for iii items only | (b)(3) | LE ENC to gov’t and non-gov’t end users | (b)(3) commodity list |
| Yes | No* | No | (b)(1) | LE ENC to gov’t and non-gov’t end users | Not (b)(2) or (b)(3) |

* Self-classification report required

** Supp 3 means end-users headquartered in Supp 3

*** License also required for cryptanalytic to gov’t end users in Supp 3; for any end user outside Supp 3 for OCI items and for special (OCI, non-std, cryptanalytic) technology and for std (other) technology to D-1 countries.

**** All products developed are subject to the EAR.

License Exception ENC

– No Registration or Classification by BIS Required

ECCN 5A002/5D002 Section 740.17 (a)(1)

Internal “development” or “production” of new product

Section 740.17 (a)(2)

“U.S. Subsidiaries”

Section 740.17 (b)(4)

Short–range wireless items

License Exception ENC

– Registration and Classification Required

Section 740.17(b)(2) ENC “Restricted”

and

Section 740.17(b)(3) ENC “Unrestricted”

License Exception ENC

Registration and Self-classification Required

Section 740.17(b)(1) ENC “Unrestricted”

Mass Market Encryption

Definition

Cryptography Note

– Note 3 to Category 5 – Part 2 has two parts:

– Part a for mass marketed end-products

– Part b for components of mass market products

Cryptography Note: Part A

a. Items meeting all of the following:

1. Generally available to the public by being sold, without restriction, from stock retail selling points by means of any of the following:

a. Over-the-counter transactions;

b. Mail order transactions;

c. Electronic transactions; or

d. Telephone call transactions;

2. The cryptographic functionality cannot be easily changed by the user;

3. Designed for installation by the user without further substantial support by the supplier; and

4. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described above.

What is Mass Market?

– Origins in the General Software Note – GSN

– Items so widely distributed that export control is not realistic

– Cryptography Note is GSN for encryption

– Low strength mass marketed products may be self-classified as 5x992

– Key lengths not exceeding 64 symmetric; 768 asymmetric; or 112 elliptic curve

– No registration or Supplement 8 reporting required

– Higher strength mass market products require registration

– Before self-classification or classification – classified 5A002 or 5D002

– After self-classification or classification as mass market – 5A992 or 5D002

– Mass Market products in 742.15(b)(3) require BIS classification

– Other (not B3) self-classified under 742.15(b)(1) with Supplement 8

What is Mass Market? (continued)

Note to the Cryptography Note:

1. To meet paragraph a. of Note 3, all of the following must apply:

a. The item is of potential interest to a wide range of individuals and businesses; and

b. The price and information about the main functionality of item are available before purchase without the need to consult the vendor or supplier.

2. In determining eligibility of paragraph a. of Note 3, BIS may take into account relevant factors such as quantity, price, required technical skill, existing sales channels, typical customers, typical use or any exclusionary practices of the supplier.

Cryptography Note: Part B

b. Hardware components of existing items described in paragraph a. of this Note, that have been designed for these existing items, meeting all of the following:

1. “Information security” is not the primary function or set of functions of the component;

2. The component does not change any cryptographic functionality of the existing items, or add new cryptographic functionality to the existing items;

3. The feature set of the component is fixed and is not designed or modified to customer specification; and

4. When necessary, as determined by the appropriate authority in the exporter’s country, details of the component and relevant end-items are accessible and will be provided to the authority upon request, in order to ascertain compliance with conditions described above.

Cryptography Note: Part B Requirements

End-product must first be established as Mass Market (MM)

Primary function(s) NOT “information security”

Cannot introduce new or enhance existing cryptographic functionality of MM products

Cannot transform to a non-consumer type item

Cannot provide custom/substitute cryptography (even if same algorithm)

Cryptography Note: Part B Grandfathering

– If a Paragraph b. component has been previously classified under ECCN 5A002 pursuant to section 740.17(b)(3) or section 740.17(b)(1):

– a new classification by BIS is NOT required

– may be self-classified as 742.15(b)(3) or 742.15(b)(1) but must be included as such in a self-classification report submitted to BIS in January 2014

Note: Previous 740.17(b)(1) products that are also Paragraph b. components would be self-classified under §742.15(b)(1), not (b)(3).

Mass Market Classifications

Two types of support documentation are needed

Marketing information—Demonstrate generally available to the public

Who buys it, why and how is it marketed

What each product does

Ballpark pricing and number of sales to different users

Why the general public would use it

Be sure to include brochures or web advertisement

Discuss how product is installed and used without support

Technical information—Show that the B2 criteria do not apply

Items described in 740.17(b)(2) are not mass market

Provide brochures/tech specs

Citation to previous or similar reviews

Required Supp 6 encryption technical information

State no source code (source code is easily user modifiable)

Encryption Registration

Encryption Registration Numbers (ERNs)

Attach pdf of Supplement 5 to Part 742 information to the new Encryption Registration work item in SNAP-R

System automatically responds with an ERN in about an hour

ERN is required before export of items self-classified under

– 740.17(b)(1) or

– 742.15(b)(1)

– Encryption registration number (ERN) must be placed in Additional Information block when submitting classification requests under

– 740.17(b)(2) and 740.17(b)(3)

– 742.15(b)(3)

Classification Required

– Classification by BIS/NSA Required

– “Restricted” items under ENC 740.17(b)(2)

– “Unrestricted” items under ENC 740.17(b)(3)

– Listed mass market items 742.15(b)(3)

– Must have an ERN before processing the application.

Classification Required - Process

– Upon registration of a classification request, products may be exported and reexported immediately to Supplement 3 countries & Canada except for cryptanalytic items which require a license to all government end users.

– After 30 days, eligible “(b)(2)” and “(b)(3)” products may be exported and reexported as stated in the regulations except Country Group E:1

CCATS Application

– Required:

– ERN in the additional information block in SNAP-R, if applicable.

– Supplement 6 to part 742 information

– Product data sheet

– Not required, but helpful:

– Cover letter/summary explaining what outcome you expect for each product

– Brief overview of the product and what it’s designed to do with particular regard to its security functions.

– Best guess at the ECCN (for each product) and how item will be authorized.

– For hardware, and especially for components, a picture of the item.

Supplement 6 to part 742

– Describe specific use of encryption

– Authentication communication (wired/wireless), data confidentiality, “Operations, Administration, Maintenance and Provisioning” (OAM&P), copy/license protection, etc.

– Describe type(s) of encryption used

– Algorithms, protocols, key lengths

– Describe third-party provided cryptography

– Describe how product does or does not meet requirements of 740.17(b)(2)

Semi-annual Reporting (§740.17(e))

– Now applies only to B2 and B3iii

– Product name, quantity and recipient(s)

– Distributors or other resellers

– Direct sales

– Information on foreign products developed from U.S.-origin encryption components, toolkits, source code and technology

– Reports to both BIS and the ENC Encryption Request Coordinator

– Key length increases

– Exemptions from reporting

– See §740.17(e)(1)(iii) for a complete list

Annual Report of Exported Products (“Supplement 8 Report”)

– All B1 items (items self-classified under 740.17(b)(1) and 742.15(b)(1))

– Submitted by email to NSA and BIS

– CSV (comma separated values) format

– Six specified data fields: name of product, model number, manufacturer, ECCN, ENC or mass market, item type (of 49 listed)

– Items classified under B2 or B3 should not be listed (740.17(b)(2/3) and 742.15(b)(3))

Encryption Licensing

– “Restricted” items to government end users in non-Supplement No. 3 countries

– Encryption technology for development/manufacture abroad

– Other situations including export to E-1 countries

– Denials are very rare

Encryption Licenses (§742.15(a) of the EAR)

Most products in 740.17(b)(2) require a license to government end-users outside the Supplement 3 countries, except as follows:

– Cryptanalytic commodities and software require a license to any government end-user anywhere except Canada;

– “Open cryptographic interface” items require a license to any end-user not located or headquartered in a Supplement 3 country; and

– Encryption technology as follows:

– Technology for “non-standard cryptography” requires a license to any end-user not located or headquartered in a Supplement 3 country;

– Other technology – requires a license to:

– Any government end-user outside the Supplement 3 countries; and

– Any end-user in country group D:1

In addition, a license is required for:

– Any export to Country Group E:1 destinations

– A transaction that requires a registration or classification but those have not been done.

License Exception ENC (740.17)

| 740.17 Sub | Item Description or Purpose of Export | ECCN | End User Authorized (outside E:1) | Submission Requirements |
|---|---|---|---|---|
| (a)(1) | Development/Production only | 5A002.a1, .a2, .a5, .a6, .a9, 5A002.b, 5B002, 5D002, 5E002 | Private end user HQ’d in Supp. 3 countries | None* |
| (a)(2) | Any internal purpose | 5A002.a1, .a2, .a5, .a6, .a9, 5A002.b, 5B002, 5D002, 5E002 | U.S. Subs (employees, interns, contractors) | None* |
| (b)(1) | All encryption items except items described in (b)(2) and (b)(3) | 5A002.a1, .a2, .a5, .a6, .a9, 5B002, 5D002 | All except E:1 countries | 1. Encryption Registration (Submit Supp. 5, Part 742 in SNAP) ERN; 2. Annual Self-Classification Report (Submit Supp. 8, Part 742 in email) |
| (b)(2) | Network infrastructure, source code, designed for gov’t, custom crypto, modifiable crypto, quantum crypto, penetration testing, public safety radio, cryptanalytic, non-standard tech, OCI, encryption technology | 5A002.a1, .a2, .a5, .a6, .a9, 5A002.b, 5B002, 5D002, 5E002 | Immediate export to Supp. 3; 30 day wait outside Supp. 3; No Gov’t outside Supp. 3; Cryptanalytic/source code: no gov’t; Non-standard/cryptanalytic tech and OCI: Supp. 3 only; 5E002: no D:1 countries (unless HQ’d in Supp. 3) | 1. Encryption Registration (Submit Supp. 5, Part 742 in SNAP) ERN; 2. Classification Req. w/30 day wait (submit Supp. 6, part 742 in SNAP); 3. Semi-Annual Report by email (see 740.17(e)) |
| (b)(3) | (i) Encryption components: chips, electronic assemblies, crypto libraries, toolkit, dev kits; (ii) Non-standard crypto items; (iii) Digital forensics | 5A002.a1, .a5, .a6, 5A002.b, 5D002 | Immediate export to Supp. 3 countries; 30 day wait outside Supp. 3 countries | 1. Encryption Registration (Submit Supp. 5, Part 742 in SNAP) ERN; 2. Classification Req. w/30 day wait (submit Supp. 6, part 742 in SNAP); 3. Semi-Annual Report for (b)(3)(iii) only, by email (see 740.17(e)) |
| (b)(4) | (i) Short-range Wireless; (ii) Foreign dev with US enc parts | 5A002.a1, .a5, .a6, 5B002, 5D002 | All except E:1 countries | None |

* Developed products are subject to the EAR

Questions?