
Export of cryptography from the United States

The export of cryptography from the United States to other countries has experienced various levels of restrictions over time.[2] World War II illustrated that code-breaking and cryptography can play an integral part in national security and the ability to prosecute war. Changes in technology and the preservation of free speech have been competing factors in the regulation and constraint of cryptographic technologies for export.

Export-restricted RSA encryption source code printed on a T-shirt made the T-shirt an export-restricted munition, as a freedom of speech protest against U.S. encryption export restrictions (back side).[1] Changes in the export law mean that it is no longer illegal to export this T-shirt from the U.S., or for U.S. citizens to show it to foreigners.

History

Cold War era

In the early days of the Cold War, the U.S. and its allies developed an elaborate series of export control regulations designed to prevent a wide range of Western technology from falling into the hands of others, particularly the Eastern bloc. All export of technology classed as 'critical' required a license. CoCom was organized to coordinate Western export controls.

Two types of technology were protected: technology associated only with weapons of war ("munitions") and dual-use technology, which also had commercial applications. In the U.S., dual-use technology export was controlled by the Department of Commerce, while munitions were controlled by the State Department. Since in the immediate post-WWII period the market for cryptography was almost entirely military, encryption technology (techniques as well as equipment and, after computers began to play a larger role in modern life, crypto software) was included as a "Category XI - Miscellaneous Articles" and later "Category XIII - Auxiliary Military Equipment" item in the United States Munitions List on November 17, 1954. The multinational control of the export of cryptography on the Western side of the Cold War divide was done via the mechanisms of CoCom.

By the 1960s, however, financial organizations were beginning to require strong commercial encryption in the rapidly growing field of wired money transfer. The U.S. Government's introduction of the Data Encryption Standard in 1975 meant that commercial uses of high-quality encryption would become common, and serious problems of export control began to arise. Generally these were dealt with through case-by-case export license request proceedings brought by computer manufacturers, such as IBM, and by their large corporate customers.

PC era

 
Netscape Navigator Install Disk stating "Not For export"

Encryption export controls became a matter of public concern with the introduction of the personal computer. Phil Zimmermann's PGP encryption software and its distribution on the Internet in 1991 was the first major 'individual level' challenge to controls on export of cryptography. The growth of electronic commerce in the 1990s created additional pressure for reduced restrictions. VideoCipher II also used DES to scramble satellite TV audio.

In 1989, non-encryption use of cryptography (such as access control and message authentication) was removed from export control with a Commodity Jurisdiction. [1] In 1992, an exception was formally added in the USML for non-encryption use of cryptography (and satellite TV descramblers) and a deal between NSA and the Software Publishers Association made 40-bit RC2 and RC4 encryption easily exportable using a Commodity Jurisdiction with special "7-day" and "15-day" review processes (which transferred control from the State Department to the Commerce Department). At this stage Western governments had, in practice, a split personality when it came to encryption; policy was made by the military cryptanalysts, who were solely concerned with preventing their 'enemies' acquiring secrets, but that policy was then communicated to commerce by officials whose job was to support industry.

Shortly afterward, Netscape's SSL technology was widely adopted as a method for protecting credit card transactions using public key cryptography. Netscape developed two versions of its web browser. The "U.S. edition" supported full size (typically 1024-bit or larger) RSA public keys in combination with full size symmetric keys (secret keys) (128-bit RC4 or 3DES in SSL 3.0 and TLS 1.0). The "International Edition" had its effective key lengths reduced to 512 bits and 40 bits respectively (RSA_EXPORT with 40-bit RC2 or RC4 in SSL 3.0 and TLS 1.0).[3] Acquiring the 'U.S. domestic' version turned out to be sufficient hassle that most computer users, even in the U.S., ended up with the 'International' version,[4] whose weak 40-bit encryption can currently be broken in a matter of days using a single computer. A similar situation occurred with Lotus Notes for the same reasons.

Legal challenges by Peter Junger and other civil libertarians and privacy advocates, the widespread availability of encryption software outside the U.S., and the perception by many companies that adverse publicity about weak encryption was limiting their sales and the growth of e-commerce, led to a series of relaxations in US export controls, culminating in 1996 in President Bill Clinton signing Executive Order 13026, transferring commercial encryption from the Munitions List to the Commerce Control List. Furthermore, the order stated that "the software shall not be considered or treated as 'technology'" in the sense of the Export Administration Regulations. The Commodity Jurisdiction process was replaced with a Commodity Classification process, and a provision was added to allow export of 56-bit encryption if the exporter promised to add "key recovery" backdoors by the end of 1998. In 1999, the EAR was changed to allow 56-bit encryption (based on RC2, RC4, RC5, DES or CAST) and 1024-bit RSA to be exported without any backdoors, and new SSL cipher suites were introduced to support this (RSA_EXPORT1024 with 56-bit RC4 or DES). In 2000, the Department of Commerce implemented rules that greatly simplified the export of commercial and open source software containing cryptography, including allowing the key length restrictions to be removed after going through the Commodity Classification process (to classify the software as "retail") and adding an exception for publicly available encryption source code.[5]

Current status

As of 2009, non-military cryptography exports from the U.S. are controlled by the Department of Commerce's Bureau of Industry and Security.[6] Some restrictions still exist, even for mass market products, particularly with regard to export to "rogue states" and terrorist organizations. Militarized encryption equipment, TEMPEST-approved electronics, custom cryptographic software, and even cryptographic consulting services still require an export license[6](pp. 6–7). Furthermore, encryption registration with the BIS is required for the export of "mass market encryption commodities, software and components with encryption exceeding 64 bits" (75 FR 36494). For elliptic curve algorithms and asymmetric algorithms, the requirements for key length are 128 bits and 768 bits, respectively.[7] In addition, other items require a one-time review by, or notification to, BIS prior to export to most countries.[6] For instance, the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required.[8] Export regulations have been relaxed from pre-1996 standards, but are still complex.[6] Other countries, notably those participating in the Wassenaar Arrangement,[9] have similar restrictions.[10]

U.S. export rules

U.S. non-military exports are controlled by Export Administration Regulations (EAR), a short name for the U.S. Code of Federal Regulations (CFR) Title 15 chapter VII, subchapter C.

Encryption items specifically designed, developed, configured, adapted or modified for military applications (including command, control and intelligence applications) are controlled by the Department of State on the United States Munitions List.

Terminology

Encryption export terminology is defined in EAR part 772.1.[11] In particular:

  • Encryption Component is an encryption commodity or software (but not the source code), including encryption chips, integrated circuits etc.
  • Encryption items include non-military encryption commodities, software, and technology.
  • Open cryptographic interface is a mechanism which is designed to allow a customer or other party to insert cryptographic functionality without the intervention, help or assistance of the manufacturer or its agents.
  • Ancillary cryptography items are the ones primarily used not for computing and communications, but for digital rights management; games; household appliances; printing, photo and video recording (but not videoconferencing); business process automation; industrial or manufacturing systems (including robotics, fire alarms and HVAC); automotive, aviation and other transportation systems.

Export destinations are classified by the EAR Supplement No. 1 to Part 740 into four country groups (A, B, D, E) with further subdivisions;[12] a country can belong to more than one group. For the purposes of encryption, groups B, D:1, and E:1 are important:

  • B is a large list of countries that are subject to relaxed encryption export rules
  • D:1 is a short list of countries that are subject to stricter export control. Notable countries on this list include China and Russia
  • E:1 is a very short list of "terrorist-supporting" countries (as of 2009, includes five countries; previously contained six countries and was also called "terrorist 6" or T-6)

The EAR Supplement No. 1 to Part 738 (Commerce Country Chart) contains the table with country restrictions.[13] If the row of the table that corresponds to the country contains an X in the reason-for-control column, the export of a controlled item requires a license, unless an exception can be applied. For the purposes of encryption, the following three reasons for control are important:

  • NS1 National Security Column 1
  • AT1 Anti-Terrorism Column 1
  • EI Encryption Items is currently the same as NS1

Classification

For export purposes each item is classified with the Export Control Classification Number (ECCN) with the help of the Commerce Control List (CCL, Supplement No. 1 to the EAR part 774). In particular:[6]

  • 5A002 Systems, equipment, electronic assemblies, and integrated circuits for "information security". Reasons for Control: NS1, AT1.
  • 5A992 "Mass market" encryption commodities and other equipment not controlled by 5A002. Reason for Control: AT1.
  • 5B002 Equipment for development or production of items classified as 5A002, 5B002, 5D002 or 5E002. Reasons for Control: NS1, AT1.
  • 5D002 Encryption software. Reasons for control: NS1, AT1.
    • used to develop, produce, or use items classified as 5A002, 5B002, 5D002
    • supporting technology controlled by 5E002
    • modeling the functions of equipment controlled by 5A002 or 5B002
    • used to certify software controlled by 5D002
  • 5D992 Encryption software not controlled by 5D002. Reasons for control: AT1.
  • 5E002 Technology for the development, production or use of equipment controlled by 5A002 or 5B002 or software controlled by 5D002. Reasons for control: NS1, AT1.
  • 5E992 Technology for the 5x992 items. Reasons for control: AT1.

An item can be either self-classified, or a classification ("review") can be requested from the BIS. A BIS review is required for typical items to get the 5A992 or 5D992 classification.

References

  1. "Munitions T-shirt".
  2. Diffie, Whitfield; Landau, Susan (2007), "The export of cryptography in the 20th and the 21st centuries", The History of Information Security, Elsevier, pp. 725–736, doi:10.1016/b978-044451608-4/50027-4, ISBN 978-0-444-51608-4, retrieved 2023-08-12
  3. "Fortify for Netscape". www.fortify.net. Retrieved 1 Dec 2017.
  4. "January 25, 1999 archive of the Netscape Communicator 4.61 download page showing a more difficult path to download 128-bit version". Archived from the original on September 16, 1999. Retrieved 2017-03-26.
  5. "Revised U.S. Encryption Export Control Regulations". EPIC copy of document from U.S. Department of Commerce. January 2000. Retrieved 2014-01-06.
  6. Commerce Control List Supplement No. 1 to Part 774 Category 5 Part 2 - Info. Security
  7. "CCL5 PT2" (PDF). www.bis.doc.gov. Retrieved 2022-10-10.
  8. "U.S. Bureau of Industry and Security: Notification Requirements for Publicly Available Encryption Source Code". Bis.doc.gov. 2004-12-09. Archived from the original on 2002-09-21. Retrieved 2009-11-08.
  9. Participating States. Archived 2012-05-27 at archive.today. The Wassenaar Arrangement.
  10. The Wassenaar Arrangement, December 2009
  11. "15 CFR § 772.1 - Definitions of terms as used in the Export Administration Regulations (EAR)". LII / Legal Information Institute. Retrieved 2021-09-30.
  12. "EAR Supplement No. 1 to Part 740" (PDF). Archived from the original (PDF) on 2009-06-18. Retrieved 2009-06-27.
  13. "EAR Supplement No. 1 to Part 738" (PDF). Archived from the original (PDF) on 2009-05-09. Retrieved 2009-06-27.

External links

  • Crypto law survey
  • Bureau of Industry and Security: an overview of the US export regulations can be found in the licensing basics page.
  • Whitfield Diffie and Susan Landau, The Export of Cryptography in the 20th and the 21st Centuries. In Karl de Leeuw, Jan Bergstra, ed. The history of information security. A comprehensive handbook. Elsevier, 2007. p. 725
  • Encryption Export Controls. CRS Report for Congress RL30273. Congressional Research Service, The Library of Congress. 2001. Archived 2019-02-28 at the Wayback Machine
  • The encryption debate: Intelligence aspects. CRS Report for Congress 98-905 F. Congressional Research Service, The Library of Congress. 1998
  • Cryptography and Liberty 2000. An International Survey of Encryption Policy. Electronic Privacy Information Center. Washington, DC. 2000
  • National Research Council, Cryptography's Role in Securing the Information Society. National Academy Press, Washington, D.C. 1996 (full text link is available on the page).
  • The Evolution of US Government Restrictions on Using and Exporting Encryption Technologies (U), Micheal Schwartzbeck, Encryption Technologies, circa 1997, formerly Top Secret, approved for release by NSA with redactions September 10, 2014, C06122418
