Encryption Update

Nov 21, 2013

© Copyright 2010 Hewlett-Packard Development Company, L.P.




Misty Rutter

Global Trade Business Engagement

October 6, 2010

ENCRYPTION UPDATE


HP AT A GLANCE


Stanford University classmates Bill Hewlett and Dave Packard
founded HP in 1939. The company's first product, built in a Palo Alto
garage, was an audio oscillator.


Fortune 9 U.S.


Fortune 32 Global


304,000 employees


$114.6 billion USD in revenue for FY09


Operates in approximately 170 countries worldwide headquartered in
Palo Alto, CA


HP is the largest IT company on the planet!


Our new CEO Leo Apotheker joined HP on September 30, 2010


HP


No other company offers as complete a technology product portfolio
as HP. We provide infrastructure and business offerings that span from
handheld devices to some of the world's most powerful supercomputer
installations.


HP's three business groups drive industry leadership in core technology areas:


The Personal Systems Group: business and consumer PCs, mobile computing devices
and workstations


The Imaging and Printing Group: inkjet, LaserJet and commercial printing, printing
supplies


Enterprise Business: business products including storage and servers, enterprise
services and software






LET’S DO AMAZING



ENCRYPTION RULE REFORM


Interim final rule published in the Federal Register June 25, 2010


Made the most confusing part of the EAR even more confusing even if
it did “simplify” some of the requirements!


WHAT CHANGED?


Removed encryption review (CCATS) requirements for less sensitive encryption items

Also removed post-export semi-annual reporting for these items

Established new registration process for companies who export encryption without prior review, for cryptography items transferred under License Exception ENC and for mass market items

Established an annual self-classification reporting requirement for items self-classified under the new company registration

Authorized transfers of most encryption technology to non-government end-users under License Exception ENC, except to D:1 and E:1 countries

Decontrols so-called "ancillary cryptography" items (Note 4): removed from Cat5 Part2 altogether. Now EAR99 unless another category applies (includes encryption for copyright protection)

Expanded ability to export 5E002 technology



REGISTRATION/REVIEW/REPORTING

Requirements Matrix

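| Item   | Encryption Registration | Annual Self-Classification Report | 30 Day Review | Semi-Annual Reporting |
|--------|-------------------------|-----------------------------------|---------------|-----------------------|
| ENC A  |                         |                                   |               |                       |
| ENC B1 | X                       | X                                 |               |                       |
| ENC B2 | X                       |                                   | X             | X                     |
| ENC B3 | X                       |                                   | X             | b3iii                 |
| ENC B4 |                         |                                   |               |                       |
| MMR B1 | X                       | X                                 |               |                       |
| MMR B3 | X                       |                                   | X             |                       |
| MMR B4 |                         |                                   |               |                       |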


IF YOU’RE NOT SURE YOUR ITEM MEETS B1:


You can still submit a formal CCATs request.


B1 items do not get forwarded to NSA


Quicker turnaround


If you are just doing proper “Bundling” without changing
the manufacturer’s product, you do not have to register


Self Classification also applies to Mass Market items
except items listed in 742.15 B3 (Note items in 740.17 B2
and 740.17 B3 are not eligible for MM)


B2 AND B3 ITEMS STILL REQUIRE REVIEW

B2 Items include:

Network infrastructure products described in 740.17(b)(2)(i)(A);

Encryption source code;

No longer required to submit copy of source code with request

Products designed, modified, adapted or customized for “government end-user(s)”;


Commodities and software that provide penetration capabilities;


Public safety / first responder radio (e.g., P25 or TETRA);


5E002 encryption technology


Remember Dormant and Disabled encryption is still covered under Cat 5
Part 2


Added penetration testing software to B2





B2 AND B3 ITEMS STILL REQUIRE REVIEW

B3 Items include:


Chips, chipsets, electronic assemblies;


Cryptographic libraries and modules;


Development kits;


Products with “non-standard cryptography”;


Items that perform vulnerability analysis, network forensics, or
computer forensics as described in 740.17(b)(3)(iii).


Products that activate or enable encryption


HOW TO FILE A CCATS REQUEST

Register for SNAP-R

Go to the main SNAP-R screen and select Classification Request, then check the encryption checkbox

Block 9: pull-down list in the special purpose box, select License Exception ENC

Block 14-15: Be sure the information in these blocks is complete and correct, because this is where the official response from BIS will be sent. If both blocks are filled in, the official response will be sent to the individual or entity identified in Block 15.

Block 22(a): Enter 5A002 for hardware, 5D002 for software, or 5E002 for technology.

Block 22(c): Enter the product name with model number, if available.

Block 22(i): Enter the name of the manufacturer. If you will sell the product under your company's label, then enter the name of your company in the manufacturer block.

Block 22(j): Provide a brief technical description including the basic purpose of the encryption item (e.g., XYZ is a PDA used for ...) and the type of encryption used in the software (e.g., 168-bit Triple DES for secure e-mail, 1024-bit RSA for key exchange). Comments such as "see letter of explanation" or "see brochure" are not sufficient. The information identified in this block is entered directly into the BIS license application database, and will be printed on the official response issued by BIS. A brief technical description is essential. All other blocks or block portions appropriate for review requests should be completed in accordance with Part 748 of the EAR.

Block 24: Insert your most recent encryption registration number (ERN).




SUPPORTING DOCUMENTATION


Prepare a PDF document containing the information and documentation described in Supplement No. 6 to Part 742

Create a Supp. 6 template for use on all CCATs: get engineering support to complete the template for new products (or changes in existing products)

Letter of explanation: provide detailed description of items for classification and supporting argument for classification you believe applies

Technical specifications, datasheets, brochures

Submit in electronic (pdf) format



FOR HARDWARE OR SOFTWARE “ENCRYPTION
COMPONENTS” OTHER THAN SOURCE CODE


(1) Reference the application for which the components are used in, if known;


(2) State if there is a general programming interface to the component;


(3) State whether the component is constrained by function; and


(4) Identify the encryption component and include the name of the
manufacturer, component model number or other identifier.


FOR ENCRYPTION SOURCE CODE


(1) If applicable, reference the executable (object code) product that
was previously classified by BIS or included in an encryption
registration to BIS;


(2) Include whether the source code has been modified, and the
technical details on how the source code was modified; and


(3) Upon request, include a copy of the sections of the source code
that contain the encryption algorithm, key management routines and
their related calls.


MASS MARKET REQUESTS


Determine that the products are mass marketed encryption components (chips, electronic assemblies, crypto libraries), toolkits, development kits, and non-standard crypto items described in 742.15(b)(3) of the EAR.

Additional Supporting Documents:

Demonstrate that the commodities and software meet the criteria of the Cryptography Note [Note 3 of Category 5, Part 2, of the Commerce Control List (Supplement No. 1 to Part 774 of the EAR)]. Compare your product with the Cryptography Note criteria and state specifically where and how it is mass marketed.



CCATS


Once you submit in SNAP-R you will receive a Case number beginning with “Z”. Refer to this number in any communications with BIS on your CCATs request.

No longer have to mail copy of CCATs package to NSA Encryption Review Coordinator. NSA now has access to SNAP-R!


REPORTING: WHAT’S CHANGED?

Semi-annual sales reporting (740.17(e))

No longer need to report 740.17 b3 items (Unrestricted) other than B3iii

Sales of items eligible for self classification under B1 are not required to be reported (see Annual Self-classification reporting requirements 742.17(c))

Submit electronically to both BIS and NSA at crypt@bis.doc.gov and enc@nsa.gov.





SELF CLASSIFICATION REPORTING


Submit Supplement 8 to Part 742


Remember: this report is just a list of products, not sales data


CSV file format


Can submit by email to BIS and NSA


Zip file acceptable


If no changes in the calendar year, can email statement “No changes”
but recommend calling BIS to confirm receipt. Alternatively you can
resubmit the prior year’s Supp. 8. You must file something every year
if you exported. If no exports in the calendar year, no reporting
required.


Reference your “R” in the Subject Line of the email


First report will cover 6/25/10 through 12/31/10.




LICENSING


ELA (Export License Arrangements) conditions are now standardized


Least sensitive government end users


Biannual reporting


More sensitive government end users


Include military, police, prisons and intelligence services


Require Pre-shipment notification and/or inspection



BIGGEST IMPACT FOR HP


Dramatic reduction in number of transactions requiring semi-annual sales reporting (B3)

Ability to self classify many items upon registration

impact to bottom line, no more 30 day wait



STILL TO COME


The June 25 rule was published as an Interim Rule. Final Rule will incorporate some of the 6 comments received (see FOIA website)
http://efoia.bis.doc.gov/pubcomm/records-of comments/record_of_comments_encryption.pdf

BIS advised at Update 2010 they hope to remove publicly available software from the EAR

Consistent with the administration export reform program, hope to turn Category 5 Part 2 into a “Positive” list

Work ongoing with HK TID on items “self-classified” when HK requesting copy of CCATs.



BIS ENCRYPTION TEAM CONTACTS

Randy Pratt
Director
Ph: 202-482-5303
E-mail: cpratt@bis.doc.gov

Michael Pender
Senior Engineer
Ph: 202-482-2458
E-mail: mpender@bis.doc.gov

Anita Zinzuvadia
Electrical Engineer
Ph: 202-482-3772
E-mail: azinzuva@bis.doc.gov

Sylvia Jimmison
Export Policy Analyst
Ph: 202-482-2342
E-mail: sjimmiso@bis.doc.gov

Aaron Amundson
Export Policy Analyst
Ph: 202-482-5299
E-mail: aamundso@bis.doc.gov

Joe Young
Senior Engineer
Ph: 202-482-4197
E-mail: jyoung@bis.doc.gov

Judith Currie
Senior Export Policy Analyst
Ph: 202-482-5085
E-mail: jcurrie@bis.doc.gov



Q&A