Encryption Update - Massachusetts Small Business Development

Encryption Update
Ken Delaporta, Director of Operations and Export Compliance

MathWorks at a Glance

Headquarters:
Natick, Massachusetts US

Other US Locations:
California, Michigan,
Texas, Washington DC

Europe:
France, Germany, Italy,
Spain, the Netherlands,
Sweden, Switzerland, UK

Asia-Pacific:
Australia, China, India,
Japan, Korea

Worldwide training
and consulting

Distributors in 25 countries

Figure: Earth’s topography on an equidistant cylindrical projection, created with MATLAB and Mapping Toolbox.

MathWorks Today
Revenues ~$500M in 2009
Privately held
More than 2,000 employees worldwide
Worldwide revenue balance: 45% North America, 55% international
More than 1,000,000 users in 175+ countries

Key Industries
Aerospace and Defense
Automotive
Biotech and Pharmaceutical
Communications
Education
Electronics and Semiconductors
Energy Production
Financial Services
Industrial Automation and Machinery

How do most export professionals react when they hear…
“Oh, by the way, it has encryption”

Ben Flowe, attorney with Berliner, Corcoran & Rowe in Washington, as quoted in the Export Practitioner, described the changes well:
“Unfortunately, this Rule does nothing to make
the rules less complicated other than reducing
the number of ancillary products. In fact, they
are more complex than before….and will
remain the most confusing part of the EAR for
most exporters and regulatory officials”

Is understanding the encryption regulations' required filings and notifications like escaping a black hole?
Let’s try to sort them out!

Let’s start with some background
• Encryption for Hardware, Software and Technology
is managed differently by the EAR:
• It’s an additional layer or lens that’s added to the
base item
• Due to legitimate National Security Concerns
• And…Encryption’s growth is exponential due to
mobile devices, wireless communications, use of the
internet to transact business, and global privacy
regulations

How has Encryption been managed by BIS in the past?
You Start with – The Licensing Requirement
In addition to the classification of the base item another licensing
requirement is added for most encryption items
Look for - Allowed Exceptions
• “ENC” - exceptions to the licensing requirements based on
specific criteria - Always requires review, notification or reporting
• Mass Market - Relaxes requirements for higher strength
encryption
File - your Encryption Review Requests
With both the BIS and the ENC Encryption Request Coordinator
(NSA)

What’s new in Encryption filings and notifications?
Types of Filings & Notifications
1. Encryption Registration (All new exporters of encryption items)
2. Encryption Classification Request (CCATS)
2a. Report if key length increases after CCATS for ENC (b)(2) or (b)(3)
3. Annual Self Classification Report (Self classified Mass Market and
ENC)
4. Bi-Annual Report (ENC (b)(2) and (b)(3)(iii))
5. Encryption Notification (TSU publicly available encryption)

Mass Market Treatment
MASS MARKET (742.15)

742.15(b)(1)
Item Description: Items that meet Note 3 of Category 5, Part 2 (>64/768/128 bit) and are not items described in 742.15(b)(3) or (b)(4).
ECCN: 5A992.c, 5D992.c
End Users: All except E1
Submission Requirements:
1. Encryption Registration
2. Annual Self-Classification Report

742.15(b)(3)
Item Description: Meet Note 3, and are: (i) Encryption components: chips, electronic assemblies, crypto libraries, toolkit, development kits; or (ii) Non-standard crypto items
ECCN: 5A992.c, 5D992.c
End Users: All except E1
Submission Requirements:
1. Encryption Registration
2. Classification Req. w/ 30 day wait (Submit Supp. 6, Part 742 in SNAP) CCATS

742.15(b)(4)
Item Description: Meet Note 3, and are short-range wireless
ECCN: 5A992.c, 5D992.c
End Users: All except E1
Submission Requirements: None

Notes
• Mass Market items are controlled for AT reasons only
• This chart applies only to Mass Market items that have key lengths: > 64 bit Symmetric, > 768 bit Asymmetric or > 128 bit Elliptical

Encryption Registration - Mass Market
Mass Market items (b)(1) & (b)(2) require an Encryption Registration
Use SNAP-R to register
• SNAP-R will issue an Encryption Registration Number (ERN), which will start with an “R”
and will be followed by 6 digits, e.g., R123456. This registration number is confirmation that
BIS has received your encryption registration.
You only need to re-file if you change information previously filed
• A company that exports under the authorization of the encryption registration does not
need to resubmit its encryption registration unless the answers to the questions in
Supplement No. 5 to Part 742 changed during the previous calendar year.
You can now begin shipping without review for some items
• Once a manufacturer (or producer) of the encryption item submits its Encryption
Registration to BIS, the encryption items become eligible for export and reexport under the
applicable provision of section 740.17(b) and 742.15(b) of the EAR, subject to the
conditions and restrictions of those sections.

Annual Self Classification Report - Mass Market
• If you self classify items you need to report them annually - even if
there is no change
An annual self-classification report is a requirement for items exported
under License Exception ENC - 740.17(b)(1) and Mass Market 742.15(b)(1).
• How to submit
The report has very specific format requirements outlined in Supplement
No. 8 to Part 742. The information in the report must be provided in
tabular or spreadsheet form, as an electronic file in comma separated
values format (CSV), only.
• Where to submit
The annual self-classification report must be submitted as an attachment
to an e-mail to BIS and the ENC Encryption Request Coordinator at cryptsupp8@bis.doc.gov and enc@nsa.gov.

Encryption Classification - Mass Market
• Mass Market provision - 742.15(b)(3) requires a submission of an
encryption classification request to BIS before export.
• How to submit: Utilize SNAP-R
• When can I ship after I file?
Once a mass market classification request is accepted in SNAP-R, you
may export and reexport the item under Exception “ENC” as ECCN 5A002
or 5D002, whichever is applicable, to any end-user located or
headquartered in a country listed in Supplement No. 3 to Part 740 while
the mass market classification request is pending review with BIS.
Thirty days after the submission of a classification request to BIS, the item can
be exported using the symbol “NLR”, provided the items qualify for mass
market treatment and are classified by BIS under ECCNs 5A992 or 5D992.

License Exception ENC
LICENSE EXCEPTION ENC (740.17)

740.17(a)(1)
Item Description or Purpose of Export: Development/Production only
ECCN: 5A002.a.1, a.2, a.5, a.6, a.9, 5B002, 5D002, 5E002
End User Authorized (outside E:1): Private end user in or HQ’ed in Supplement No. 3 countries
Submission Requirements: None*

740.17(a)(2)
Item Description or Purpose of Export: Any internal purpose
ECCN: 5A002.a.1, a.2, a.5, a.6, a.9, 5B002, 5D002, 5E002
End User Authorized (outside E:1): U.S. Subs (employees, interns, contractors)
Submission Requirements: None*

740.17(b)(1)
Item Description or Purpose of Export: All encryption items except items described in (b)(2) and (b)(3)
ECCN: 5A002.a.1, a.2, a.5, a.6, a.9, 5B002, 5D002
End User Authorized (outside E:1): All except E:1 countries
Submission Requirements:
1. Encryption Registration (Submit Supp. 5, Part 742 in SNAP) ERN
2. Annual Self-Classification Report (Submit Supp. 8, Part 742 in email)

740.17(b)(2)
Item Description or Purpose of Export: Network infrastructure, source code, designed for gov’t, custom crypto, modifiable crypto, quantum crypto, public safety radio, penetration testing, cryptanalytic, non-standard tech, OCI, encryption technology
ECCN: 5A002.a.1, a.2, a.5, a.6, a.9, 5D002, 5E002
End User Authorized (outside E:1):
- Immediate export to Supp. 3
- 30 day wait outside Supp. 3
- No Gov’t outside Supp. 3
- Cryptanalytic: No Gov’t;
- non-stand/cryptanalytic tech and OCI: Supp. 3 only;
- 5E002: no D:1 countries (unless HQ’ed in Supp. 3)
Submission Requirements:
1. Encryption Registration (Submit Supp. 5, Part 742 in SNAP) ERN
2. Classification Req. w/ 30 day wait
3. Semi-Annual Report by email (see 740.17 (e))

740.17(b)(3)
Item Description or Purpose of Export: (i) Encryption components: chips, electronic assemblies, crypto libraries, toolkit, dev kits; (ii) Non-standard crypto items; (iii) Digital forensics
ECCN: 5A002.a.1, a.2, a.5, a.6, a.9, 5D002
End User Authorized (outside E:1):
- Immediate export to Supplement No. 3 countries.
- 30 day wait outside Supplement No. 3 countries
Submission Requirements:
1. Encryption Registration (Submit Supp. 5, Part 742 in SNAP) ERN
2. Classification Req. w/ 30 day wait
3. Semi-Annual Report by email, b.3.iii only (see 740.17 (e))

740.17(b)(4)
Item Description or Purpose of Export: (i) Short-range Wireless; (ii) Foreign dev with US enc parts
ECCN: 5A002.a.1, a.2, a.5, a.6, a.9, 5D002
End User Authorized (outside E:1): All except E:1 countries
Submission Requirements: None

Encryption Registration - ENC
ENC Items (b)(1), (b)(2) & (b)(3) require an Encryption Registration
Use SNAP-R to register
• SNAP-R will issue an Encryption Registration Number (ERN), which will start with an “R”
and will be followed by 6 digits, e.g., R123456. This registration number is confirmation that
BIS has received your encryption registration.
You only need to re-file if you change information previously filed
• A company that exports under the authorization of the encryption registration does not
need to resubmit its encryption registration unless the answers to the questions in
Supplement No. 5 to Part 742 changed during the previous calendar year.
You can now begin shipping without review for some items
• Once a manufacturer (or producer) of the encryption item submits its Encryption
Registration to BIS, the encryption items become eligible for export and reexport under the
applicable provision of section 740.17(b) and 742.15(b) of the EAR, subject to the
conditions and restrictions of those sections.

Annual Self Classification Report - ENC
• If you self classify items you need to report them annually - even if
there is no change
An annual self-classification report is a requirement for items exported
under License Exception ENC - 740.17(b)(1) and Mass Market 742.15(b)(1).
• How to submit
The report has very specific format requirements outlined in Supplement
No. 8 to Part 742. The information in the report must be provided in
tabular or spreadsheet form, as an electronic file in comma separated
values format (CSV), only.
• Where to submit
The annual self-classification report must be submitted as an attachment
to an e-mail to BIS and the ENC Encryption Request Coordinator at cryptsupp8@bis.doc.gov and enc@nsa.gov.

Encryption Classification - ENC
License Exception ENC - 740.17(b)(2) and (b)(3), requires a submission of an
encryption classification request to BIS before export.
• When can I ship after I file?
After an encryption classification submission has been made via SNAP-R all items under
740.17(b)(2), except cryptanalytic (code breaking) items, may be immediately exported to
countries listed in Supplement No. 3 to Part 740. There is a 30-day wait while the
encryption classification is pending before exports of (b)(2) items may be made outside of
the countries listed.
• When is a license still required?
A license will be required for exports to “government end user(s)” outside the countries
listed. Cryptanalytic items require a license for export to any “government end user”
anywhere except Canada.
• Non Standard Technology has restrictions
“Non-standard” technology (5E002), cryptanalytic technology (5E002), and open
cryptographic interface items may be exported only to end users located or headquartered
in Supplement 3 countries using License Exception ENC. Other 5E002 technology may be
exported after review to any non-“government end-user” located in a country listed in
Country Group D:1.

SUPPLEMENT NO. 3 TO PART 740 License Exception ENC Favorable Treatment Countries
Australia, Austria, Belgium, Bulgaria, Canada, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey, United Kingdom

Semi Annual Report - ENC (b)(2) and (b)(3)(iii)
If you have a CCATS with a 5A002.a.1, a.2, a.5, a.6, a.9, 5D002, or 5E002 and
ship using License Exception ENC (b)(2) and (b)(3)(iii)
• You are required to file semi-annual reports on all exports to all destinations
other than Canada
Information Required:
Distributors or resellers: name, address, item, quantity
and, if collected by the exporter as part of the distribution process, the end user's name
and address;
Direct Sales: name, address, item, quantity
Foreign Manufacturers and Products that use encryption items: See 740.17(e)(c)
• Submission requirements
January 1 to June 30, by August 1 of that year.
July 1 to December 31, by February 1 the following year.
Reports may be sent electronically to BIS at crypt@bis.doc.gov and to the ENC Encryption Request Coordinator at enc@nsa.gov

Key length increases - classified for License Exception ENC (b)(2) or (b)(3) – Report Required
• If you increase the key length of a previously classified item
You may continue to export under the previously authorized provision of License
Exception ENC without a classification resubmission. But, you must send a
report
• Information required.
(A) Certification that no change to the encryption functionality has been made other than to
upgrade the key length for confidentiality or key exchange algorithms.
(B) The original (CCATS) authorization number issued by BIS and the date of issuance.
(C) The new key length.
• Submission requirements.
(A) The report must be received by BIS and the ENC Encryption Request Coordinator before
the export or reexport of the upgraded product; and
(B) The report must be e-mailed to crypt@bis.doc.gov and enc@nsa.gov.

TSU Notification – If you are going to make Encryption software publicly available
740.13(e) Encryption source code (and corresponding object code)
(1) Scope and eligibility. This paragraph (e)
authorizes exports and reexports, without review, of encryption source code
controlled by ECCN 5D002 that, if not controlled by ECCN 5D002, would be
considered publicly available under §734.3(b)(3) of the EAR.
(3) Notification requirement.
You must notify BIS and the ENC Encryption Request Coordinator via e-mail of
the Internet location (e.g., URL or Internet address) of the source code or
provide each of them a copy of the source code at or before the time you take
action to make the software publicly available as that term is described in
§734.3(b)(3) of the EAR.

Grandfathering Old Classifications
• General rule:
No need to provide an encryption registration or file a new classification for
old classifications under the new regulations
• Semi Annual Reporting
Must continue to provide semi-annual reporting for items under (new) B2 or
B3iii
• Exceptions: When do you need to register and file under the new
regulations?
When the encryption functionality changes
Any items now classified under B2 that were not previously classified as B2,
e.g. penetration testing software.

Grandfathering and Encryption Registrations
• CCATS issued before June 24th and Pending
on June 24th
• June 25th – Aug. 24th Grace Period
• After August 25 must file in new process

Best Practices
• Educate Developers/Engineers about Encryption
• Utilize the Mass Market Designation
• Use “Standard” off the shelf encryption

Non Standard Cryptography EAR definition
Non-standard Cryptography
Means any implementation of “cryptography” involving the
incorporation or use of proprietary or unpublished cryptographic
functionality, including encryption algorithms or protocols that have
not been adopted or approved by a duly recognized international
standards body (e.g., IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, and
GSMA) and have not otherwise been published.

Mass Market Exception - Note 3
Note 3: Cryptography Note: ECCNs 5A002 and 5D002 do not control items
that meet all of the following:
a. Generally available to the public by being sold, without restriction, from stock
at retail selling points by means of any of the following:
1. Over-the-counter transactions;
2. Mail order transactions;
3. Electronic transactions; or
4. Telephone call transactions;
b. The cryptographic functionality cannot be easily changed by the user
c. Designed for installation by the user without further substantial support by the
supplier; and
d. When necessary, details of the items are accessible and will be provided,
upon request, to the appropriate authority in the exporter's country
in order to ascertain compliance with conditions described in paragraphs (a)
through (c) of this note.

Don’t Be Scared!!!!!
You can successfully deal with these changes!!