[Cryptography] FIPS, NIST and ITAR questions

james hughes hughejp at mac.com
Tue Sep 3 16:06:20 EDT 2013

"Hashes aren't ITAR covered" is a fact… from "Revised U.S. Encryption Export Control Regulations, January 2000" at

> 3. It was not the intent of the new Wassenaar language for ECCN 5A002 to be more restrictive concerning Message Authentication Codes (MAC). "Data authentication equipment that calculates a Message Authentication Code (MAC) or similar result to ensure no alteration of text has taken place, or to authenticate users, but does not allow for encryption of data, text or other media other than that needed for the authentication" continues to be excluded from control under 5A002. These commodities are controlled under ECCN 5A992.

Further, ECCN 5A992 is separated from the "high-functioning encryption" as follows. From 

> Under the EAR, encryption items, which includes software, technology, and hardware incorporating encryption technology, generally fall into two categories:
> - Export Commodity Classification Number ("ECCN") 5A002/5D002, for certain enumerated, high-functioning encryption products and software; and
> - ECCN 5A992/5D992, for all other encryption items.
> Generally speaking, 5A992/5D992 products can be shipped without delay anywhere in the world (except for Cuba, Iran, North Korea, Sudan, and Syria) as No License Required ("NLR").

Clear (as mud)?

On Sep 3, 2013, at 12:21 PM, radix42 at gmail.com wrote:

> Ok, I dug around my email archives to see what the heck to google, and answered my own question regarding ITAR and NIST defined Suite B implementing software. 
> Here it goes....
> From http://www.nsa.gov/ia/programs/suiteb_cryptography/
> ...Says, effectively, that products that 'are configured to USE Suite B or technical documentation concerning the configuration of such products' are not subject to ITAR. The bis.doc.gov site listing requirements under ITAR for US Persons is, inconveniently, down for maintenance.
> However, digging around in my document backup archives (insomnia provided the time for it...hours) and email unearthed the notification addresses required for ALL US based open-source Suite B implementations.
> Yes, this is silly. No, they don't NORMALLY go after anyone for breaking the law for a NIST defined hash/digest/crypto algorithm.
> But if the USG decides they don't like you (political views, activism, etc), that silly regulation can cost you years in prison. The legal term of art is 'selective prosecution'.
> The relevant email addresses are:
> crypt at nsa.gov, enc at nsa.gov, and web_site at bis.doc.gov
> Required format and fields are:
> Subject: TSU NOTIFICATION - Encryption
> Message body:
> SUBMITTED BY: <author or corporate contacts full legal name>
> SUBMITTED FOR: <full legal names of all authors and corporate name if applicable>
> POINT OF CONTACT: <full legal name of POC for compliance purposes>
> PHONE and/or FAX: <10 digit number for either>
> PRODUCT NAME/MODEL #: <product/program name and model/version>
> ECCN: <5D002 for FIPS-180 hash functions, google cache for others, BIS site currently down, lovely>
> <blank line>
> NOTIFICATION: <download URL(s) for source file(s)>
> There ya go. "Hashes aren't ITAR covered" is unfortunately 'Net Mythology. Silly as hell I admit. If the above helps any other US Persons put a fig leaf on themselves, that'd be great.
> Cheers,
> David Mercer
> Portland, OR
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
