James (all),
I have exactly the same concerns as you about the 2nd para in
Laszlo's document, where it says that access control is required by
authorities. Even just considering one country, the US, I don't
think it is as simple as that, here are some references:
The up to date US Export Administration Regulations (EAR) database
can be found here: http://www.access.gpo.gov/bis/ear/ear_data.html
Of the many documents listed, I think these are the most relevant:
Part 736 - General Prohibitions http://www.access.gpo.gov/bis/ear/
pdf/736.pdf dated 11-09-05
Part 740 - License Exceptions http://www.access.gpo.gov/bis/ear/pdf/
740.pdf dated 04-28-06
Part 742 - Control Policy -- CCL Based Controls http://
www.access.gpo.gov/bis/ear/pdf/742.pdf dated 5-16-06
(Part 774) Category 5 (Part 2) - Information Security http://
www.access.gpo.gov/bis/ear/pdf/ccl5-pt2.pdf dated 11-18-05
What follows is my interpretation of the above docs - I have not
read through all of them word for word (life's too short) but I
think I get the basic gist.
Everything that is controlled is listed under an ECCN (Export
Classification Control Number). ECCNs 5A002, 5D002, 5E002 and
5A992, 5D992 and 5E992 cover encryption items. Section 742.15 gives
a broad outline of the licensing policy covering these ECCNs. For
5A/D/E002 an export license is required to all countries, except
Canada. Further exceptions apply, given under 740.17.
In particular, there is this exception:
--------------------------------------------
(2) Encryption commodities and software
restricted to non-“government end-users.”
This paragraph (b)(2) authorizes the export and
reexport of items described in §740.17(b)(2)(iii)
of the EAR that do not provide an “open
cryptographic interface” and that are controlled
by ECCNs 5A002.a.1, .a.2, .a.5, or .a.6, or 5D002
to individuals, commercial firms, and other
entities that are not “government end-users” and
that are not located in a country listed in
Supplement No. 3 to this part. In addition, the
transaction must meet the provisions of either
§740.17(b)(2)(i) or (ii) of the EAR.
--------------------------------------------
The relevant ECCN paras mentioned are:
----------------------------------------------
a.1. Designed or modified to use
“cryptography” employing digital techniques
performing any cryptographic function other than
authentication or digital signature having any of
the following:
a.1.a. A “symmetric algorithm”
employing a key length in excess of 56-bits; or
a.1.b. An “asymmetric algorithm” where
the security of the algorithm is based on any of the
following:
a.1.b.1. Factorization of integers in
excess of 512 bits (e.g., RSA);
a.1.b.2. Computation of discrete
logarithms in a multiplicative group of a finite
field of size greater than 512 bits (e.g., Diffie-
Hellman over Z/pZ); or
a.1.b.3. Discrete logarithms in a
group other than mentioned in 5A002.a.1.b.2 in
excess of 112 bits (e.g., Diffie-Hellman over an
elliptic curve);
a.2. Designed or modified to perform
cryptanalytic functions;
...
a.5. Designed or modified to use
cryptographic techniques to generate the
spreading code for “spread spectrum” systems,
including the hopping code for “frequency
hopping” systems;
a.6. Designed or modified to use
cryptographic techniques to generate channelizing
or scrambling codes for “time-modulated ultrawideband”
systems;
-----------------------------------------
I think this is where the term 'required' has been misconstrued.
Essentially this is saying if you have a product covered by these
ECCNs, but aimed at end (non governmental) users not located in
certain countries, where there is no 'open cryptographic
interface', then export is authorized.
But if you don't have a product that falls under the license
exemptions, you can still apply for a license.742.15 (i)(ii) says
that applications are treated on a case by case basis - I would
take that to mean that even if (say) you had a product that had an
'open cryptographic interface' you might still get a license
authorized, depending on the individual application.
Now it may be that others on this list have some practical
experience of actually applying for a license - I might be prepared
to accept that in practice, any product with an 'open cryptographic
interface' operating at the kinds of data rates that hard disks
operate would stand a remote chance of getting a license.
My only other experience is with the UK regulations. There is a
control list which lists a combination of military items classified
by the UK, plus a European Commission (EC) list of so-called 'dual-
use' items. These are items which are civilian in nature but can
have a dual military application.
The list is available here: http://www.dti.gov.uk/files/
file27539.pdf current copy dated 12th April 2006
In this, category 5 covers "Telecommunications and Information
Security".In this, you will find similar words as the US EAR regs.
Even the use of the same numbers 5A002 and 5D002. Why is that? In
fact, its because the US and Eu countries are all signatories of
the Wassenaar agreement, mentioned in the 1998 survey you quoted.
It covers the export of military and 'dual-use' items. This is
where you can see where the common text of the US/UK/EU lists came
about. Everything is documented here: http://www.wassenaar.org/
controllists/index.html (Category 5 part 2).
This list does not have the corresponding License Exceptions or
mention of 'open cryptographic interfaces' so I have no idea if a
similar exception applies to the UK (or EU). I would expect this to
be country by country dependent.
Of course, many of the *export* regulations are perhaps moot if, as
with my company, manufacturing and export of the actual product is
done in the Far East (Taiwan. Korea etc). In that case *import*
regulations are relevant. AFAIK, these are much more relaxed. For
example, this is the UK position (http://www.dti.gov.uk/
europeandtrade/importing-into-uk/page9728.html):
---------------------------------------------------------------------
-
-------------------------------------------
The majority of goods can be imported into the United Kingdom
without the need to apply for an import licence.
Currently ILB issues import licences for certain goods mainly to
implement:
DTI’s trade policy measures
* certain textiles from Belarus, China, Montenegro, North Korea and
Uzbekistan
* iron & steel
For safety reasons
*
firearms and ammunition
*
nuclear materials
As a result of international obligations
*
anti-personnel mines
*
rough diamonds and wood products from Liberia
Other Government departments may have their own import
restrictions. For example the Rural Payments Agency (RPA) issues
import licences for agricultural, horticultural products and
certain items of food and drink. Traders importing these products
will need to contact them for advice not ILB (for link to RPA
website see related links). It is the responsibility of the
importers to ensure that he/she is aware of any restrictions on
goods they wish to import.
---------------------------------------------------------------------
-
----------------------------------------------------
So while the US and UK/EU and other Wasenaar signatories seem to be
reasonably aligned in the export policy vis-a-vis encryption
products, things are still obviously very country dependent for
granting of export licenses and also imports.
I hope at least this gives the insomniacs amongst you some useful
bedtime reading.
Regards,
Gary Calder
Oxford Semiconductor
www.oxsemi.com
james hughes wrote:
I would like some references to the claims in the introduction. My
reason for asking about such is that it is important that we
(IEEE) standardize what is right, not what is politically in vogue
at a moment in history. The I in IEEE is for International.
Additionally, I am interested in which market? Anyway, references
to the claims of this paragraph should be provided.
Access control not just can be provided, but it is required by
the export control authorities,
Reference?
and also by many local authorities,
Reference?
where storage devices are sold. If the encrypted data is freely
accessible, the encryption module can be used as a stand alone,
high-speed encryption processor, which is prohibited in many
markets.
Reference of the regulation and any example of a storage
encryption device where the "encryption module can be used as a
stand alone, high-speed encryption processor" in such a way that
it violates a law?
I have looked for information on the web about this kind of
information. There is a summary done in 1998, but I have found
nothing online more recent.
http://www.gilc.org/crypto/crypto-survey.html
On May 19, 2006, at 6:16 PM, [EMAIL PROTECTED] wrote:
Here is an update of the non-removable secure storage discussion
document. It does not contain new information, only editorial and
formatting changes, in an attempt to make it easier to understand.
-Laszlo
<Nonremovable Discussions-D07.pdf>
