Revision of US Crypto Export Controls

John Young jya at pipeline.com
Thu Dec 11 08:08:38 EST 2003


On December 10, 2003, the Bureau of Industry and Security issued
a final rule to revise the Commerce Control List which regulates
export of US technology. Below are excerpts involving encryption.
The full rule:

  http://cryptome.org/bis121003.txt

[Excerpts]

[Federal Register: December 10, 2003 (Volume 68, Number 237)]
[Rules and Regulations]
[Page 68975-68996]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr10de03-13]

[[Page 68975]]

-----------------------------------------------------------------------

Part II

Department of Commerce

-----------------------------------------------------------------------

Bureau of Industry and Security

-----------------------------------------------------------------------

15 CFR Parts 740, 743, 772, and 774

December 2002 Wassenaar Arrangement Plenary Agreement Implementation:
Categories 1, 2, 3, 4, 5, 6, and 7 of the Commerce Control List, and
Reporting Requirements; Final Rule

[[Page 68976]]

-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

Bureau of Industry and Security

15 CFR Parts 740, 743, 772, and 774

[Docket No. 031017263-3263-01]
RIN 0694-AC85


December 2002 Wassenaar Arrangement Plenary Agreement
Implementation: Categories 1, 2, 3, 4, 5, 6, and 7 of the Commerce
Control List, and Reporting Requirements

AGENCY: Bureau of Industry and Security, Commerce.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Bureau of Industry and Security (BIS) maintains the
Commerce Control List (CCL), which identifies items subject to
Department of Commerce export controls. This final rule revises certain
entries controlled for national security reasons in Categories 1, 2, 3,
4, 5 Part I (telecommunications), 5 Part II (information security), 6,
and 7 to conform with changes in the List of Dual-Use Goods and
Technologies maintained and agreed to by governments participating in
the Wassenaar Arrangement on Export Controls for Conventional Arms and
Dual-Use Goods and Technologies (Wassenaar Arrangement). The Wassenaar
Arrangement controls strategic items with the objective of improving
regional and international security and stability.
    The purpose of this final rule is to make the necessary changes to
the Commerce Control List to implement revisions to the Wassenaar List
that were agreed upon in the December 2002 meeting, to make necessary
revisions to reporting requirements and License Exception GOV
restrictions, and to add a statement of understanding for medical
equipment.

EFFECTIVE DATE: This rule is effective: December 10, 2003.

FOR FURTHER INFORMATION CONTACT: Patricia Muldonian, Office of
Strategic Trade and Foreign Policy Controls, Bureau of Industry and
Security, U.S. Department of Commerce at (202) 482-5400.

SUPPLEMENTARY INFORMATION:

Background

    In July 1996, the United States and thirty-two other countries gave
final approval to the establishment of a new multilateral export
control arrangement, called the Wassenaar Arrangement on Export
Controls for Conventional Arms and Dual-Use Goods and Technologies
(Wassenaar Arrangement). The Wassenaar Arrangement contributes to
regional and international security and stability by promoting
transparency and greater responsibility in transfers of conventional
arms and dual-use goods and technologies, thus preventing destabilizing
accumulations of such items. Participating states have committed to
exchange information on exports of dual-use goods and technologies to
non-participating states for the purposes of enhancing transparency and
assisting in developing common understandings of the risks associated
with the transfers of these items.
    This rule revises a number of national security controlled entries
on the Commerce Control List (CCL) to conform with December 2002
revisions to the Wassenaar List of Dual-Use Goods and Technologies.
This rule also revises language to provide a complete or more accurate
description of controls. A detailed description of the revisions to the
CCL is provided below.
    Specifically, this rule makes the following amendments to the
Commerce Control List:

*****

Category 5--Part II--Information Security

    • ECCN 5A002 is amended by:
    (a) Moving and rearranging the text that describes what is not
controlled in this entry from the Related Controls paragraph of the
List of Items Controlled section to a Note in the beginning of the Item
paragraph of the List of Items Controlled section;
    (b) Dividing the existing text in paragraph (a) of the note
(regarding ``personalized smart cards'') into sub-paragraph 1 and a
N.B.; and
    (c) Moving the related control note in paragraph 2 of the Related
Definitions paragraph of the List of Items Controlled section to a N.B.
following 5A002.a.


*****

List of Items Controlled

    Unit: * * *
    Related Controls: 5A002 does not control the items listed in
paragraphs (a) through (f) in the Note in the items paragraph of
this entry. These items are instead controlled under ECCN 5A992.
    Related Definitions: N/A
    Items:

    Note: 5A002 does not control the following. However, these items
are instead controlled under 5A992:

    (a) ``Personalized smart cards'':
    (1) Where the cryptographic capability is restricted for use in
equipment or systems excluded from control paragraphs (b) through
(f) of this Note; or
    (2) For general public-use applications where the cryptographic
capability is not user-accessible and it is specially designed and
limited to allow protection of personal data stored within.
    N.B.: If a ``personalized smart card'' has multiple functions,
the control status of each function is assessed individually.
    (b) Receiving equipment for radio broadcast, pay television or
similar restricted audience broadcast of the consumer type, without
digital encryption except that exclusively used for sending the
billing or program-related information back to the broadcast
providers.
    (c) Equipment where the cryptographic capability is not user-
accessible and which is specially designed and limited to allow any
of the following:
    (1) Execution of copy-protected ``software'';
    (2) Access to any of the following:
    (a) Copy-protected contents stored on read-only media; or
    (b) Information stored in encrypted form on media (e.g., in
connection with the protection of intellectual property rights)
where the media is offered for sale in identical sets to the public;
or
    (3) Copying control of copyright protected audio/video data.
    (d) Cryptographic equipment specially designed and limited for
banking use or money transactions;
    (e) Portable or mobile radiotelephones for civil use (e.g., for
use with commercial civil cellular radio communications systems)
that are not capable of end-to-end encryption.
    N.B.: The term ``money transactions'' includes the collection
and settlement of fares or credit functions.
    (f) Cordless telephone equipment not capable of end-to-end
encryption where the maximum effective range of unboosted cordless
operation (e.g., a single, unrelayed hop between terminal and home
basestation) is less than 400 meters according to the manufacturer's
specifications.

    Technical Note: Parity bits are not included in the key length.

    a. Systems, equipment, application specific ``electronic
assemblies'', modules and integrated circuits for ``information
security'', as follows, and other specially designed components
therefor:
    N.B.: For the control of global navigation satellite systems
receiving equipment containing or employing decryption (e.g., GPS or
GLONASS) see 7A005.
    a.1. Designed or modified to use ``cryptography'' employing
digital techniques performing any cryptographic function other than
authentication or digital signature having any of the following:

    Technical Notes:

    1. Authentication and digital signature functions include their
associated key management function.

    2. Authentication includes all aspects of access control where
there is no encryption of files or text except as directly related
to the protection of passwords, Personal Identification Numbers
(PINs) or similar data to prevent unauthorized access.
    3. ``Cryptography'' does not include ``fixed'' data compression
or coding techniques.

    Note: 5A002.a.1 includes equipment designed or modified to use
``cryptography'' employing analog principles when implemented with
digital techniques.

    a.1.a. A ``symmetric algorithm'' employing a key length in
excess of 56-bits; or
    a.1.b. An ``asymmetric algorithm'' where the security of the
algorithm is based on any of the following:
    a.1.b.1. Factorization of integers in excess of 512 bits (e.g.,
RSA);
    a.1.b.2. Computation of discrete logarithms in a multiplicative
group of a finite field of size greater than 512 bits (e.g., Diffie-
Hellman over Z/pZ); or
    a.1.b.3. Discrete logarithms in a group other than mentioned in
5A002.a.1.b.2 in excess of 112 bits (e.g., Diffie-Hellman over an
elliptic curve);
    a.2. Designed or modified to perform cryptanalytic functions;
    a.3. [RESERVED]
    a.4. Specially designed or modified to reduce the compromising
emanations of information-bearing signals beyond what is necessary
for health, safety or electromagnetic interference standards;
    a.5. Designed or modified to use cryptographic techniques to
generate the spreading code for ``spread spectrum'' systems,
including the hopping code for ``frequency hopping'' systems;
    a.6. Designed or modified to use cryptographic techniques to
generate channelizing or scrambling codes for ``time-modulated
ultra-wideband'' systems;
    a.7. Designed or modified to provide certified or certifiable
``multilevel security'' or user isolation at a level exceeding Class
B2 of the Trusted Computer System Evaluation Criteria (TCSEC) or
equivalent;
    a.8. Communications cable systems designed or modified using
mechanical, electrical or electronic means to detect surreptitious
intrusion.
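The numeric thresholds in 5A002.a.1 above are easy to misread in two places: the key length is counted without parity bits (so a 64-bit DES key is a 56-bit key for this purpose), and control attaches only to lengths "in excess of" the stated figure (so exactly 512-bit RSA is not caught by a.1.b.1). The following Python script is an added illustration of that arithmetic, not part of the rule text or of any BIS tool; the class names, the `is_5A002_a1` helper and the product inventory are constructed for the example. It mechanizes only the a.1 thresholds and the authentication/signature carve-out from the Technical Notes; it says nothing about a.2 through a.8, the decontrol Note, 5A992, or license exceptions, so it is a screening aid and not a classification.

```python
"""Screen a list of cryptographic functions against the ECCN 5A002.a.1
thresholds quoted above (Wassenaar December 2002 list as implemented by
BIS on December 10, 2003).

Added example, not rule text. The dataclass, the `Kind` labels, the
sample INVENTORY and the helper names are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Literal

# "auth_only" covers authentication and digital signature functions,
# which 5A002.a.1 excludes together with their key management
# (Technical Notes 1 and 2).
Kind = Literal["symmetric", "factoring", "ff_dlog", "other_dlog", "auth_only"]


@dataclass(frozen=True)
class CryptoFunction:
    name: str
    kind: Kind
    key_bits: int          # nominal key length as configured or marketed
    parity_bits: int = 0   # parity bits contained in that nominal length

    @property
    def effective_bits(self) -> int:
        """Technical Note: parity bits are not included in the key length."""
        return self.key_bits - self.parity_bits


# Thresholds from 5A002.a.1.a and a.1.b.1 to a.1.b.3. Control applies to
# lengths *in excess of* the figure, so equality is not controlled.
THRESHOLDS = {
    "symmetric": 56,     # a.1.a
    "factoring": 512,    # a.1.b.1 (e.g., RSA)
    "ff_dlog": 512,      # a.1.b.2 (e.g., Diffie-Hellman over Z/pZ)
    "other_dlog": 112,   # a.1.b.3 (e.g., Diffie-Hellman over an elliptic curve)
}


def is_5A002_a1(fn: CryptoFunction) -> bool:
    """True if the function meets a 5A002.a.1 threshold."""
    if fn.kind == "auth_only":
        return False   # outside a.1 regardless of key length
    return fn.effective_bits > THRESHOLDS[fn.kind]


# Constructed inventory for a hypothetical product; not taken from the rule.
INVENTORY = [
    CryptoFunction("DES-CBC", "symmetric", key_bits=64, parity_bits=8),
    CryptoFunction("3DES-EDE (2-key)", "symmetric", key_bits=128, parity_bits=16),
    CryptoFunction("AES-128-CBC", "symmetric", key_bits=128),
    CryptoFunction("RSA-512 key transport", "factoring", key_bits=512),
    CryptoFunction("RSA-1024 key transport", "factoring", key_bits=1024),
    CryptoFunction("DH-1024 (mod p)", "ff_dlog", key_bits=1024),
    CryptoFunction("ECDH P-256", "other_dlog", key_bits=256),
    CryptoFunction("ECDH 112-bit curve", "other_dlog", key_bits=112),
    CryptoFunction("HMAC-SHA-256 (auth only)", "auth_only", key_bits=256),
    CryptoFunction("RSA-2048 signature", "auth_only", key_bits=2048),
]


def classify(inventory) -> dict:
    """Map each function name to whether it meets a 5A002.a.1 threshold."""
    return {fn.name: is_5A002_a1(fn) for fn in inventory}


if __name__ == "__main__":
    for name, hit in classify(INVENTORY).items():
        print(f"{'5A002.a.1' if hit else 'not a.1  '}  {name}")
```

Running it shows single DES and an exactly 512-bit RSA modulus falling below the thresholds while two-key 3DES (112 effective bits), 1024-bit RSA and DH, and a 256-bit elliptic-curve exchange meet them; the HMAC and signature entries are excluded as authentication-only functions. A real product may still be controlled on other grounds (a.2 through a.8) or decontrolled by the Note, so the result is a starting point for classification, not the classification itself.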

*****

Supplement No. 3 to Part 774--Statements of Understanding

    Statement of Understanding--medical equipment: Commodities that
are ``specially designed for medical end-use'' that ``incorporate''
commodities or software on the Commerce Control List (Supplement No.
1 to part 774 of the EAR) that do not have a reason for control of
Nuclear Nonproliferation (NP), Missile Technology (MT), or Chemical
& Biological Weapons (CB) are designated by the number EAR99 (i.e.,
are not elsewhere specified on the Commerce Control List).

    Notes applicable to Statement of Understanding related to Medical
Equipment:
    (1) ``Specially designed for medical end-use'' means designed
for medical treatment or the practice of medicine (does not include
medical research).
    (2) ``Incorporate'' into medical equipment means to integrate
with, or work indistinguishably into such equipment.
    (3) Except for such software that is made publicly available
consistent with Sec.  734.3(b)(3) of the EAR, commodities and
software ``specially designed for medical end-use'' remain subject
to the EAR.
    (4) See also Sec.  770.2(b) interpretation 2, for other types of
equipment that incorporate items on the Commerce Control List that
are subject to the EAR.
    (5) For computers used with medical equipment, see also ECCN
4A003 note 2 regarding the ``principal element'' rule.
    (6) For commodities and software specially designed for medical
end-use that incorporate an encryption or other ``information
security'' item subject to the EAR, see also Note 1 to Category 5,
Part II of the Commerce Control List.

*****



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com