HOME

TheInfoList



OR:

The export of cryptography from the United States to other countries has experienced various levels of restrictions over time.
World War II World War II or the Second World War, often abbreviated as WWII or WW2, was a world war that lasted from 1939 to 1945. It involved the vast majority of the world's countries—including all of the great powers—forming two opposin ...
illustrated that
code-breaking Cryptanalysis (from the Greek ''kryptós'', "hidden", and ''analýein'', "to analyze") refers to the process of analyzing information systems in order to understand hidden aspects of the systems. Cryptanalysis is used to breach cryptographic sec ...
and
cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adver ...
can play an integral part in
national security National security, or national defence, is the security and defence of a sovereign state, including its citizens, economy, and institutions, which is regarded as a duty of government. Originally conceived as protection against military atta ...
and the ability to prosecute war. Changes in technology and the preservation of free speech have been competing factors in the regulation and constraint of cryptographic technologies for export.


History


Cold War era

In the early days of the
Cold War The Cold War is a term commonly used to refer to a period of geopolitical tension between the United States and the Soviet Union and their respective allies, the Western Bloc and the Eastern Bloc. The term '' cold war'' is used because the ...
, the U.S. and its allies developed an elaborate series of
export control Export control is legislation that regulates the export of goods, software and technology. Some items could potentially be useful for purposes that are contrary to the interest of the exporting country. These items are considered to be ''controlled ...
regulations designed to prevent a wide range of Western technology from falling into the hands of others, particularly the
Eastern bloc The Eastern Bloc, also known as the Communist Bloc and the Soviet Bloc, was the group of socialist states of Central and Eastern Europe, East Asia, Southeast Asia, Africa, and Latin America under the influence of the Soviet Union that existed du ...
. All export of technology classed as 'critical' required a license.
CoCom The Cocom or Cocomes were a Maya family or dynasty who controlled the Yucatán Peninsula in the late Postclassic period. Their capital was at Mayapan. The dynasty was founded by Hunac Ceel, and was overthrown sometime between 1440 and 1441 by Ah ...
was organized to coordinate Western export controls. Two types of technology were protected: technology associated only with weapons of war ("munitions") and dual use technology, which also had commercial applications. In the U.S., dual use technology export was controlled by the
Department of Commerce The United States Department of Commerce is an executive department of the U.S. federal government concerned with creating the conditions for economic growth and opportunity. Among its tasks are gathering economic and demographic data for bu ...
, while munitions were controlled by the
State Department The United States Department of State (DOS), or State Department, is an United States federal executive departments, executive department of the Federal government of the United States, U.S. federal government responsible for the country's fore ...
. Since in the immediate post WWII period the market for cryptography was almost entirely military, the encryption technology (techniques as well as equipment and, after computers became important, crypto software) was included as "Category XI - Miscellaneous Articles" and later "Category XIII - Auxiliary Military Equipment" item into the
United States Munitions List The United States Munitions List (USML) is a list of articles, services, and related technology designated as Military, defense and space-related by the Federal government of the United States, United States federal government. This designation ...
on November 17, 1954. The multinational control of the export of cryptography on the Western side of the cold war divide was done via the mechanisms of CoCom. By the 1960s, however, financial organizations were beginning to require strong commercial encryption on the rapidly growing field of wired money transfer. The U.S. Government's introduction of the
Data Encryption Standard The Data Encryption Standard (DES ) is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cry ...
in 1975 meant that commercial uses of high quality encryption would become common, and serious problems of export control began to arise. Generally these were dealt with through case-by-case export license request proceedings brought by computer manufacturers, such as IBM, and by their large corporate customers.


PC era

Encryption export controls became a matter of public concern with the introduction of the
personal computer A personal computer (PC) is a multi-purpose microcomputer whose size, capabilities, and price make it feasible for individual use. Personal computers are intended to be operated directly by an end user, rather than by a computer expert or tec ...
.
Phil Zimmermann Philip R. Zimmermann (born 1954) is an American computer scientist and Cryptography, cryptographer. He is the creator of Pretty Good Privacy (PGP), the most widely used email encryption software in the world. He is also known for his work in VoI ...
's
PGP PGP or Pgp may refer to: Science and technology * P-glycoprotein, a type of protein * Pelvic girdle pain, a pregnancy discomfort * Personal Genome Project, to sequence genomes and medical records * Pretty Good Privacy, a computer program for the ...
encryption software Encryption software is software that uses cryptography to prevent unauthorized access to digital information. Cryptography is used to protect digital information on computers as well as the digital information that is sent to other computers over t ...
and its distribution on the
Internet The Internet (or internet) is the global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a '' network of networks'' that consists of private, pub ...
in 1991 was the first major 'individual level' challenge to controls on export of cryptography. The growth of
electronic commerce E-commerce (electronic commerce) is the activity of electronically buying or selling of products on online services or over the Internet. E-commerce draws on technologies such as mobile commerce, electronic funds transfer, supply chain manageme ...
in the 1990s created additional pressure for reduced restrictions. VideoCipher II also used DES to scramble satellite TV audio. In 1989, non-encryption use of cryptography (such as access control and message authentication) was removed from export control with a Commodity Jurisdiction

In 1992, an exception was formally added in the USML for non-encryption use of cryptography (and satellite TV descramblers) and a deal between NSA and the
Software Publishers Association The Software and Information Industry Association (SIIA) is a trade association dedicated to the entertainment, consumer and business software industries. Established in 1984 as the Software Publishers Association (SPA), the SIIA took its new na ...
made
40-bit 4 (four) is a number, numeral and digit. It is the natural number following 3 and preceding 5. It is the smallest semiprime and composite number, and is considered unlucky in many East Asian cultures. In mathematics Four is the smallest c ...
RC2 In cryptography, RC2 (also known as ARC2) is a symmetric-key block cipher designed by Ron Rivest in 1987. "RC" stands for "Ron's Code" or "Rivest Cipher"; other ciphers designed by Rivest include RC4, RC5, and RC6. The development of RC2 wa ...
and
RC4 In cryptography, RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR, meaning Alleged RC4, see below) is a stream cipher. While it is remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, ren ...
encryption easily exportable using a Commodity Jurisdiction with special "7-day" and "15-day" review processes (which transferred control from the State Department to the Commerce Department). At this stage Western governments had, in practice, a split personality when it came to encryption; policy was made by the military cryptanalysts, who were solely concerned with preventing their 'enemies' acquiring secrets, but that policy was then communicated to commerce by officials whose job was to support industry. Shortly afterward,
Netscape Netscape Communications Corporation (originally Mosaic Communications Corporation) was an American independent computer services company with headquarters in Mountain View, California and then Dulles, Virginia. Its Netscape web browser was onc ...
's SSL technology was widely adopted as a method for protecting credit card transactions using
public key cryptography Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...
. Netscape developed two versions of its
web browser A web browser is application software for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's screen. Browsers are used on ...
. The "U.S. edition" supported full size (typically 1024-bit or larger) RSA public keys in combination with full size symmetric keys (secret keys) (128-bit RC4 or 3DES in SSL 3.0 and TLS 1.0). The "International Edition" had its effective key lengths reduced to 512 bits and 40 bits respectively (''RSA_EXPORT'' with 40-bit RC2 or RC4 in SSL 3.0 and TLS 1.0). Acquiring the 'U.S. domestic' version turned out to be sufficient hassle that most computer users, even in the U.S., ended up with the 'International' version, whose weak 40-bit encryption can currently be broken in a matter of days using a single computer. A similar situation occurred with
Lotus Notes HCL Notes (formerly IBM Notes and Lotus Notes; see Branding below) and HCL Domino (formerly IBM Domino and Lotus Domino) are the client and server Server may refer to: Computing *Server (computing), a computer program or a device that provide ...
for the same reasons. Legal challenges by
Peter Junger Peter D. Junger (1933 – November 2006) was a computer law professor and Internet activist, most famous for having fought against the U.S. government's regulations of and export controls on encryption software. The case, '' Junger v. Daley'' (6 ...
and other civil libertarians and privacy advocates, the widespread availability of encryption software outside the U.S., and the perception by many companies that adverse publicity about weak encryption was limiting their sales and the growth of e-commerce, led to a series of relaxations in US export controls, culminating in 1996 in President
Bill Clinton William Jefferson Clinton ( né Blythe III; born August 19, 1946) is an American politician who served as the 42nd president of the United States from 1993 to 2001. He previously served as governor of Arkansas from 1979 to 1981 and agai ...
signing th
Executive Order 13026
transferring the commercial encryption from the Munition List to the Commerce Control List. Furthermore, the order stated that, "the software shall not be considered or treated as 'technology'" in the sense of
Export Administration Regulations The Export Administration Regulations (EAR) are a set of regulations found a15 C.F.R. § 730 ''et seq'' They are administered by the Bureau of Industry and Security, which is part of the US Commerce Department. The EAR regulates export and expor ...
. The Commodity Jurisdiction process was replaced with a Commodity Classification process, and a provision was added to allow export of 56-bit encryption if the exporter promised to add "key recovery" backdoors by the end of 1998. In 1999, the EAR was changed to allow 56-bit encryption (based on RC2, RC4, RC5, DES or CAST) and 1024-bit RSA to be exported without any backdoors, and new SSL cipher suites were introduced to support this (''RSA_EXPORT1024'' with 56-bit RC4 or DES). In 2000, the
Department of Commerce The United States Department of Commerce is an executive department of the U.S. federal government concerned with creating the conditions for economic growth and opportunity. Among its tasks are gathering economic and demographic data for bu ...
implemented rules that greatly simplified the export of commercial and
open source Open source is source code that is made freely available for possible modification and redistribution. Products include permission to use the source code, design documents, or content of the product. The open-source model is a decentralized sof ...
software containing cryptography, including allowing the key length restrictions to be removed after going through the Commodity Classification process (to classify the software as "retail") and adding an exception for publicly available encryption source code.


Current status

, non-military cryptography exports from the U.S. are controlled by the Department of Commerce's
Bureau of Industry and Security The Bureau of Industry and Security (BIS) is an agency of the United States Department of Commerce that deals with issues involving national security and high technology. A principal goal for the bureau is helping stop the proliferation of weapo ...
.Commerce Control List Supplement No. 1 to Part 774 Category 5 Part 2 - Info. Security
/ref> Some restrictions still exist, even for mass market products; particularly with regards to export to "
rogue states "Rogue state" (or sometimes "outlaw state") is a term applied by some international theorists to states that they consider threatening to the world's peace. These states meet certain criteria, such as being ruled by Authoritarianism, authorita ...
" and
terrorist Terrorism, in its broadest sense, is the use of criminal violence to provoke a state of terror or fear, mostly with the intention to achieve political or religious aims. The term is used in this regard primarily to refer to intentional violen ...
organizations. Militarized encryption equipment,
TEMPEST Tempest is a synonym for a storm. '' The Tempest'' is a play by William Shakespeare. Tempest or The Tempest may also refer to: Arts and entertainment Films * ''The Tempest'' (1908 film), a British silent film * ''The Tempest'' (1911 film), a ...
-approved electronics, custom cryptographic software, and even cryptographic consulting services still require an export license(pp. 6–7). Furthermore, encryption registration with the BIS is required for the export of "mass market encryption commodities, software and components with encryption exceeding 64 bits" (). For elliptic curves algorithms and asymmetric algorithms, the requirements for key length are 128 bit and 768 bits, respectively. In addition, other items require a one-time review by, or notification to, BIS prior to export to most countries. For instance, the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required. Export regulations have been relaxed from pre-1996 standards, but are still complex. Other countries, notably those participating in the
Wassenaar Arrangement The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a multilateral export control regime (MECR) with 42 participating states including many former Comecon (Warsaw Pact) countries established ...
, have similar restrictions.


U.S. export rules

U.S. non-military exports are controlled by
Export Administration Regulations The Export Administration Regulations (EAR) are a set of regulations found a15 C.F.R. § 730 ''et seq'' They are administered by the Bureau of Industry and Security, which is part of the US Commerce Department. The EAR regulates export and expor ...
(EAR), a short name for the U.S.
Code of Federal Regulations In the law of the United States, the ''Code of Federal Regulations'' (''CFR'') is the codification of the general and permanent regulations promulgated by the executive departments and agencies of the federal government of the United States. ...
(CFR) Title 15 chapter VII, subchapter C. Encryption items specifically designed, developed, configured, adapted or modified for military applications (including command, control and intelligence applications) are controlled by the
Department of State The United States Department of State (DOS), or State Department, is an executive department of the U.S. federal government responsible for the country's foreign policy and relations. Equivalent to the ministry of foreign affairs of other nati ...
on the
United States Munitions List The United States Munitions List (USML) is a list of articles, services, and related technology designated as Military, defense and space-related by the Federal government of the United States, United States federal government. This designation ...
.


Terminology

Encryption export terminology is defined in EAR part 772.1. In particular: * ''Encryption Component'' is an encryption commodity or software (but not the source code), including encryption chips, integrated circuits etc. * ''Encryption items'' include non-military encryption commodities, software, and technology. * ''Open cryptographic interface'' is a mechanism which is designed to allow a customer or other party to insert cryptographic functionality without the intervention, help or assistance of the manufacturer or its agents. * ''Ancillary cryptography'' items are the ones primarily used not for computing and communications, but for digital right management; games, household appliances; printing, photo and video recording (but not videoconferencing);
business process automation Business process automation (BPA), also known as business automation or digital transformation, is the technology-enabled automation of complex business processes. It can streamline a business for simplicity, achieve digital transformation, increa ...
; industrial or manufacturing systems (including
robotics Robotics is an interdisciplinary branch of computer science and engineering. Robotics involves design, construction, operation, and use of robots. The goal of robotics is to design machines that can help and assist humans. Robotics integrat ...
,
fire alarm A fire alarm system warns people when smoke, fire, carbon monoxide or other fire-related or general notification emergency, emergencies are detected. These alarms may be activated automatically from smoke detectors and heat detectors or may also ...
s and
HVAC Heating, ventilation, and air conditioning (HVAC) is the use of various technologies to control the temperature, humidity, and purity of the air in an enclosed space. Its goal is to provide thermal comfort and acceptable indoor air quality. HV ...
); automotive,
aviation Aviation includes the activities surrounding mechanical flight and the aircraft industry. ''Aircraft'' includes fixed-wing and rotary-wing types, morphable wings, wing-less lifting bodies, as well as lighter-than-air craft such as hot air ...
and other transportation systems. Export destinations are classified by the EAR Supplement No. 1 to Part 740 into four ''country groups'' (A, B, D, E) with further subdivisions; a country can belong to more than one group. For the purposes of encryption, groups B, D:1, and E:1 are important: * B is a large list of countries that are subject to relaxed encryption export rules * D:1 is a short list of countries that are subject to stricter export control. Notable countries on this list include
China China, officially the People's Republic of China (PRC), is a country in East Asia. It is the world's most populous country, with a population exceeding 1.4 billion, slightly ahead of India. China spans the equivalent of five time zones and ...
and
Russia Russia (, , ), or the Russian Federation, is a List of transcontinental countries, transcontinental country spanning Eastern Europe and North Asia, Northern Asia. It is the List of countries and dependencies by area, largest country in the ...
* E:1 is a very short list of "terrorist-supporting" countries (as of 2009, includes five countries; previously contained six countries and was also called "terrorist 6" or T-6) The EAR Supplement No. 1 to Part 738 (Commerce Country Chart) contains the table with ''country restrictions''. If a line of table that corresponds to the country contains an X in the ''reason for control'' column, the export of a controlled item requires a license, unless an ''exception'' can be applied. For the purposes of encryption, the following three reasons for control are important: * NS1 National Security Column 1 * AT1 Anti-Terrorism Column 1 * EI Encryption Items is currently same as NS1


Classification

For export purposes each item is classified with the
Export Control Classification Number The Export Administration Regulations (EAR) are a set of regulations found a15 C.F.R. § 730 ''et seq'' They are administered by the Bureau of Industry and Security, which is part of the US Commerce Department. The EAR regulates export and expor ...
(ECCN) with the help of the Commerce Control List (CCL, Supplement No. 1 to the EAR part 774). In particular: * 5A002 Systems, equipment, electronic assemblies, and integrated circuits for "information security. Reasons for Control: NS1, AT1. * 5A992 "Mass market" encryption commodities and other equipment not controlled by 5A002. Reason for Control: AT1. * 5B002 Equipment for development or production of items classified as 5A002, 5B002, 5D002 or 5E002. Reasons for Control: NS1, AT1. * 5D002 Encryption software. Reasons for control: NS1, AT1. ** used to develop, produce, or use items classified as 5A002, 5B002, 5D002 ** supporting technology controlled by 5E002 ** modeling the functions of equipment controlled by 5A002 or 5B002 ** used to certify software controlled by 5D002 * 5D992 Encryption software not controlled by 5D002. Reasons for control: AT1. * 5E002 Technology for the development, production or use of equipment controlled by 5A002 or 5B002 or software controlled by 5D002. Reasons for control: NS1, AT1. * 5E992 Technology for the 5x992 items. Reasons for control: AT1. An item can be either self-classified, or a classification ("review") requested from the BIS. A BIS review is required for typical items to get the 5A992 or 5D992 classification.


See also

* '' Bernstein v. United States'' * Denied trade screening *
Export control Export control is legislation that regulates the export of goods, software and technology. Some items could potentially be useful for purposes that are contrary to the interest of the exporting country. These items are considered to be ''controlled ...
* ''
Junger v. Daley ''Junger v. Daley'' is a court case brought by Peter Junger challenging restrictions on the export of encryption software outside of the United States. The case was first brought in 1996 (as ''Junger v. Christopher''), when Junger was a professor ...
'' *
Restrictions on the import of cryptography A number of countries have attempted to restrict the import of cryptography tools. Rationale Countries may wish to restrict import of cryptography technologies for a number of reasons: * Imported cryptography may have backdoors or security hol ...
*
FREAK A freak is a person who is physically deformed or transformed due to an extraordinary medical condition or body modification. This definition was first attested with this meaning in the 1880s as a shorter form of the phrase " freak of nature ...
*
Crypto wars Attempts, unofficially dubbed the "Crypto Wars", have been made by the United States (US) and allied governments to limit the public's and foreign nations' access to cryptography strong enough to thwart decryption by national intelligence agencie ...


References


External links


''Crypto law survey''

Bureau of Industry and Security
— An overview of the US export regulations can be found in th

page.
Whitfield Diffie and Susan Landau, ''The Export of Cryptography in the 20th and the 21st Centuries''. In Karl de Leeuw, Jan Bergstra, ed. The history of information security. A comprehensive handbook. Elsevier, 2007. p. 725

''Encryption Export Controls. ''CRS Report for Congress RL30273. Congressional Research Service, ˜The Library of Congress. 2001

''The encryption debate: Intelligence aspects.'' CRS Report for Congress 98-905 F. Congressional Research Service, ˜The Library of Congress. 1998

''Encryption Technology: Congressional Issues'' CRS Issue Brief for Congress IB96039. Congressional Research Service, ˜The Library of Congress. 2000


* ttp://www.nap.edu/catalog.php?record_id=5131 National Research Council, Cryptography's Role in Securing the Information Society National Academy Press, Washington, D.C. 1996 (full text link is available on the page).
The Evolution of US Government Restrictions on Using and Exporting Encryption Technologies (U)
Micheal Schwartzbeck, ''Encryption Technologies,'' circa 1997, formerly Top Secret, approved for release by NSA with redactions September 10, 2014, C06122418 {{SSL/TLS Computer law Export and import control of cryptography United States trade policy Transport Layer Security