Encryption Update - Massachusetts Small Business Development ...

downtownbee, Engineering

18 Nov 2013


Encryption Update

Ken Delaporta, Director of Operations and Export Compliance


MathWorks at a Glance

• Headquarters: Natick, Massachusetts US
• Other US Locations: California, Michigan, Texas, Washington DC
• Europe: France, Germany, Italy, Spain, the Netherlands, Sweden, Switzerland, UK
• Asia-Pacific: Australia, China, India, Japan, Korea
• Worldwide training and consulting
• Distributors in 25 countries

Earth’s topography on an equidistant cylindrical projection, created with MATLAB and Mapping Toolbox.

MathWorks Today

• Revenues ~$500M in 2009
• Privately held
• More than 2,000 employees worldwide
• Worldwide revenue balance: 45% North America, 55% international
• More than 1,000,000 users in 175+ countries

Key Industries

• Aerospace and Defense
• Automotive
• Biotech and Pharmaceutical
• Communications
• Education
• Electronics and Semiconductors
• Energy Production
• Financial Services
• Industrial Automation and Machinery

How do most export professionals react when they hear…

“Oh by the way it has encryption”

Ben Flowe, Attorney with Berliner, Corcoran & Rowe in Washington as quoted in the Export Practitioner described the changes well…..

“Unfortunately, this Rule does nothing to make the rules less complicated other than reducing the number of ancillary products. In fact, they are more complex than before….and will remain the most confusing part of the EAR for most exporters and regulatory officials”

Is understanding the filings and notifications required by the encryption regulations like escaping a black hole?

Let’s try to sort them out!

Let’s start with some background

Encryption for Hardware, Software and Technology is managed differently by the EAR:

• It’s an additional layer or lens that’s added to the base item
• Due to legitimate National Security Concerns
• And… Encryption’s growth is exponential due to mobile devices, wireless communications, use of the internet to transact business, and global privacy regulations

How has Encryption been managed by BIS in the past?

• You start with the Licensing Requirement
In addition to the classification of the base item, another licensing requirement is added for most encryption items.

• Look for - Allowed Exceptions
“ENC” - exceptions to the licensing requirements based on specific criteria - always requires review, notification or reporting
Mass Market - relaxes requirements for higher strength encryption

• File - your Encryption Review Requests
With both the BIS and the ENC Encryption Request Coordinator (NSA)

What’s new in Encryption filings and notifications?

Types of Filings & Notifications

1. Encryption Registration (All new exporters of encryption items)
2. Encryption Classification Request (CCATS)
2a. Report if key length increases after CCATS for ENC (b)(2) or (b)(3)
3. Annual Self Classification Report (Self classified Mass Market and ENC)
4. Bi-Annual Report (ENC (b)(2) and (b)(3)(iii))
5. Encryption Notification (TSU publicly available encryption)

Mass Market Treatment

MASS MARKET (742.15)

742.15(b)(1)
Item Description: Items that meet Note 3 of Category 5, Part 2 (>64/768/128 bit) and are not items described in 742.15 (b)(3) or (b)(4).
ECCN: 5A992.c, 5D992.c
End Users: All except E1
Submission Requirements: 1. Encryption Registration; 2. Annual Self-Classification Report

742.15(b)(3)
Item Description: Meet Note 3, and are: (i) Encryption components: chips, electronic assemblies, crypto libraries, toolkit, development kits; or (ii) Non-standard crypto items
ECCN: 5A992.c, 5D992.c
End Users: All except E1
Submission Requirements: 1. Encryption Registration; 2. Classification Req. w/ 30 day wait (Submit Supp.6, Part 742 in SNAP) CCATS

742.15(b)(4)
Item Description: Meet Note 3, and are short-range wireless
ECCN: 5A992.c, 5D992.c
End Users: All except E1
Submission Requirements: None

Notes

• Mass Market items are controlled for AT reasons only
• This chart applies only to Mass Market items that have key lengths: > 64 bit Symmetric, > 768 bit Asymmetric or > 128 bit Elliptical

Encryption Registration - Mass Market

Mass Market items (b)(1) & (b)(2) require an Encryption Registration

• Use SNAP-R to register
SNAP-R will issue an Encryption Registration Number (ERN), which will start with an “R” and will be followed by 6 digits, e.g., R123456. This registration number is confirmation that BIS has received your encryption registration.

• You only need to re-file if you change information previously filed
A company that exports under the authorization of the encryption registration does not need to resubmit its encryption registration unless the answers to the questions in Supplement No. 5 to Part 742 changed during the previous calendar year.

• You can now begin shipping without review for some items
Once a manufacturer (or producer) of the encryption item submits its Encryption Registration to BIS, the encryption items become eligible for export and reexport under the applicable provision of section 740.17(b) and 742.15(b) of the EAR, subject to the conditions and restrictions of those sections.

Annual Self Classification Report - Mass Market

• If you self classify items you need to report them annually - even if there is no change
An annual self-classification report is a requirement for items exported under License Exception ENC - 740.17(b)(1) and Mass Market - 742.15(b)(1).

• How to submit
The report has very specific format requirements outlined in Supplement No. 8 to Part 742. The information in the report must be provided in tabular or spreadsheet form, as an electronic file in comma separated values format (CSV), only.

• Where to submit
The annual self-classification report must be submitted as an attachment to an e-mail to BIS and the ENC Encryption Request Coordinator at crypt-supp8@bis.doc.gov and enc@nsa.gov.

Encryption Classification - Mass Market

Mass Market provision - 742.15(b)(3) requires a submission of an encryption classification request to BIS before export.

• How to submit: Utilize SNAP-R

• When can I ship after I file?
Once a mass market classification request is accepted in SNAP-R, you may export and reexport the item under Exception “ENC” as ECCN 5A002 or 5D002, whichever is applicable, to any end-user located or headquartered in a country listed in Supplement No. 3 to Part 740 while the mass market classification request is pending review with BIS.

Thirty days after the submission of a classification request to BIS, the item can be exported using the symbol “NLR”, provided the items qualify for mass market treatment and are classified by BIS under ECCNs 5A992 or 5D992.




License Exception ENC

LICENSE EXCEPTION ENC (740.17)

740.17(a)(1)
Item Description or Purpose of Export: Development/Production only
ECCN: 5A002.a.1, a.2, a.5, a.6, a.9, 5B002, 5D002, 5E002
End User Authorized (outside E:1): Private end user in or HQ’ed in Supplement No. 3 countries
Submission Requirements: None*

740.17(a)(2)
Item Description or Purpose of Export: Any internal purpose
ECCN: 5A002.a.1, a.2, a.5, a.6, a.9, 5B002, 5D002, 5E002
End User Authorized (outside E:1): U.S. Subs (employees, interns, contractors)
Submission Requirements: None*

740.17(b)(1)
Item Description or Purpose of Export: All encryption items except items described in (b)(2) and (b)(3)
ECCN: 5A002.a.1, a.2, a.5, a.6, a.9, 5B002, 5D002
End User Authorized (outside E:1): All except E:1 countries
Submission Requirements: 1. Encryption Registration (Submit Supp. 5, Part 742 in SNAP) ERN; 2. Annual Self-Classification Report (Submit Supp. 8, Part 742 in email)

740.17(b)(2)
Item Description or Purpose of Export: Network infrastructure, source code, designed for gov’t, custom crypto, modifiable crypto, quantum crypto, public safety radio, penetration testing, cryptanalytic, non-standard tech, OCI, encryption technology
ECCN: 5A002.a.1, a.2, a.5, a.6, a.9, 5D002, 5E002
End User Authorized (outside E:1):
- Immediate export to Supp. 3
- 30 day wait outside Supp. 3
- No Gov’t outside Supp. 3
- Cryptanalytic: No Gov’t;
- non-stand/cryptanalytic tech and OCI: Supp. 3 only;
- 5E002: no D:1 countries (unless HQ’ed in Supp. 3)
Submission Requirements: 1. Encryption Registration (Submit Supp. 5, Part 742 in SNAP) ERN; 2. Classification Req. w/ 30 day wait; 3. Semi-Annual Report by email (see 740.17 (e))

740.17(b)(3)
Item Description or Purpose of Export: (i) Encryption components: chips, electronic assemblies, crypto libraries, toolkit, dev kits; (ii) Non-standard crypto items; (iii) Digital forensics
ECCN: 5A002.a.1, a.2, a.5, a.6, a.9, 5D002
End User Authorized (outside E:1):
- Immediate export to Supplement No. 3 countries.
- 30 day wait outside Supplement No. 3 countries
Submission Requirements: 1. Encryption Registration (Submit Supp. 5, Part 742 in SNAP) ERN; 2. Classification Req. w/ 30 day wait; 3. Semi-Annual Report by email, b.3.iii only (see 740.17 (e))

740.17(b)(4)
Item Description or Purpose of Export: (i) Short-range Wireless; (ii) Foreign dev with US enc parts
ECCN: 5A002.a.1, a.2, a.5, a.6, a.9, 5D002
End User Authorized (outside E:1): All except E:1 countries
Submission Requirements: None

Encryption Registration - ENC

ENC Items (b)(1), (b)(2) & (b)(3) require an Encryption Registration

• Use SNAP-R to register
SNAP-R will issue an Encryption Registration Number (ERN), which will start with an “R” and will be followed by 6 digits, e.g., R123456. This registration number is confirmation that BIS has received your encryption registration.

• You only need to re-file if you change information previously filed
A company that exports under the authorization of the encryption registration does not need to resubmit its encryption registration unless the answers to the questions in Supplement No. 5 to Part 742 changed during the previous calendar year.

• You can now begin shipping without review for some items
Once a manufacturer (or producer) of the encryption item submits its Encryption Registration to BIS, the encryption items become eligible for export and reexport under the applicable provision of section 740.17(b) and 742.15(b) of the EAR, subject to the conditions and restrictions of those sections.

Annual Self Classification Report - ENC

• If you self classify items you need to report them annually - even if there is no change
An annual self-classification report is a requirement for items exported under License Exception ENC - 740.17(b)(1) and Mass Market - 742.15(b)(1).

• How to submit
The report has very specific format requirements outlined in Supplement No. 8 to Part 742. The information in the report must be provided in tabular or spreadsheet form, as an electronic file in comma separated values format (CSV), only.

• Where to submit
The annual self-classification report must be submitted as an attachment to an e-mail to BIS and the ENC Encryption Request Coordinator at crypt-supp8@bis.doc.gov and enc@nsa.gov.

Encryption Classification - ENC

License Exception ENC - 740.17(b)(2) and (b)(3), requires a submission of an encryption classification request to BIS before export.

• When can I ship after I file?
After an encryption classification submission has been made via SNAP-R, all items under 740.17(b)(2), except cryptanalytic (code breaking) items, may be immediately exported to countries listed in Supplement No. 3 to Part 740. There is a 30-day wait while the encryption classification is pending before exports of (b)(2) items may be made outside of the countries listed.

• When is a license still required?
A license will be required for exports to “government end user(s)” outside the countries listed. Cryptanalytic items require a license for export to any “government end user” anywhere except Canada.

• Non Standard Technology has restrictions
“Non-standard” technology (5E002), cryptanalytic technology (5E002), and open cryptographic interface items may be exported only to end users located or headquartered in Supplement 3 countries using License Exception ENC. Other 5E002 technology may be exported after review to any non-“government end-user” located in a country listed in Country Group D:1.

SUPPLEMENT NO. 3 TO PART 740 - License Exception ENC Favorable Treatment Countries

Australia, Austria, Belgium, Bulgaria, Canada, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey, United Kingdom

Semi Annual Report - ENC (b)(2) and (b)(3)(iii)

If you have a CCATS with a 5A002.a.1, a.2, a.5, a.6, a.9, 5D002, or 5E002 and ship using License Exception ENC (b)(2) and (b)(3)(iii)

• You are required to file semi annual reports for all exports to all destinations other than Canada

Information Required:
Distributors or resellers: name, address, item, quantity and, if collected by the exporter as part of the distribution process, the end user's name and address;
Direct Sales: name, address, item, quantity
Foreign Manufacturers and Products that use encryption items: See 740.17(e)(c)

• Submission requirements
January 1 to June 30, by August 1 of that year.
July 1 to December 31, by February 1 the following year.
Reports may be sent electronically to BIS at crypt@bis.doc.gov and to the ENC Encryption Request Coordinator at enc@nsa.gov

Key length increases - classified for License Exception ENC (b)(2) or (b)(3)

Report Required

• If you increase the key length of a previously classified item
You may continue to export under the previously authorized provision of License Exception ENC without a classification resubmission. But you must send a report.

• Information required.
(A) Certification that no change to the encryption functionality has been made other than to upgrade the key length for confidentiality or key exchange algorithms.
(B) The original (CCATS) authorization number issued by BIS and the date of issuance.
(C) The new key length.

• Submission requirements.
(A) The report must be received by BIS and the ENC Encryption Request Coordinator before the export or reexport of the upgraded product; and
(B) The report must be e-mailed to crypt@bis.doc.gov and enc@nsa.gov.




TSU Notification

If you are going to make Encryption software publicly available

740.13(e) Encryption source code (and corresponding object code)

(1) Scope and eligibility. This paragraph (e) authorizes exports and reexports, without review, of encryption source code controlled by ECCN 5D002 that, if not controlled by ECCN 5D002, would be considered publicly available under § 734.3(b)(3) of the EAR.

(3) Notification requirement. You must notify BIS and the ENC Encryption Request Coordinator via e-mail of the Internet location (e.g., URL or Internet address) of the source code or provide each of them a copy of the source code at or before the time you take action to make the software publicly available as that term is described in § 734.3(b)(3) of the EAR.

Grandfathering Old Classifications

• General rule:
No need to provide an encryption registration or file a new classification for old classifications under the new regulations

• Semi Annual Reporting
Must continue to provide semi-annual reporting for items under (new) B2 or B3iii

• Exceptions: When do you need to register and file under the new regulations?
When the encryption functionality changes
Any items now classified under B2 that were not previously classified as B2, e.g. penetration testing software.

Grandfathering and Encryption Registrations

• CCATS issued before June 24th and Pending on June 24th
• June 25th - Aug. 24th Grace Period
• After August 25 must file in new process

Best Practices

• Educate Developers/Engineers about Encryption
• Utilize the Mass Market Designation
• Use “Standard” off the shelf encryption

Non Standard Cryptography EAR definition

Non-standard Cryptography

Means any implementation of “cryptography” involving the incorporation or use of proprietary or unpublished cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body (e.g., IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, and GSMA) and have not otherwise been published.

Mass Market Exception - Note 3

Note 3: Cryptography Note: ECCNs 5A002 and 5D002 do not control items that meet all of the following:

a. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
1. Over-the-counter transactions;
2. Mail order transactions;
3. Electronic transactions; or
4. Telephone call transactions;

b. The cryptographic functionality cannot be easily changed by the user

c. Designed for installation by the user without further substantial support by the supplier; and

d. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with conditions described in paragraphs (a) through (c) of this note.

Don’t Be Scared!!!!!

You can successfully deal with these changes!!