Export of cryptography
The export of cryptography in the United States is the transfer from the United States to another country of devices and technology related to cryptography.

Since World War II, many governments, including the U.S. and its NATO allies, have regulated the export of cryptography for national security considerations, and, as late as 1992, cryptography was on the U.S. Munitions List as an Auxiliary Military Technology.

In light of the enormous impact of cryptanalysis in World War II, it was abundantly clear to these governments that denying current and potential enemies access to cryptographic systems looked to be militarily valuable. They also wished to monitor the diplomatic communications of other nations, including the many new nations that were emerging in the post-colonial period and whose position on Cold War issues was regarded as vital.

Since the U.S. and U.K. had, they believed, developed more advanced cryptographic capabilities than others, the intelligence agencies in these countries had a notion that controlling all dissemination of the more effective crypto techniques might be beneficial.

The First Amendment made controlling all use of cryptography inside the U.S. difficult, but controlling access to U.S. developments by others was thought to be more practical; there were at least no constitutional impediments.

Accordingly, regulations were introduced as part of munitions controls which required licenses to export cryptographic methods (and even their description); the regulations established that cryptography beyond a certain strength (defined by algorithm and length of key) would not be licensed for export except on a case-by-case basis. The expectation seems to have been that this would further national interests in reading 'their' communications and prevent others from reading 'ours'. This policy was also adopted elsewhere for various reasons.

The development and public release of the Data Encryption Standard (DES) and asymmetric key techniques in the 1970s, the rise of the Internet, and the willingness of some to risk and resist prosecution eventually made this policy impossible to enforce, and by the late 1990s it was being relaxed in the US, and to some extent (e.g., France) elsewhere. As late as 1997, NSA officials in the US were concerned that the widespread use of strong encryption would frustrate their ability to provide SIGINT regarding foreign entities, including terrorist groups operating internationally. NSA officials anticipated that American encryption software backed by an extensive infrastructure, when marketed, was likely to become a standard for international communications. In 1997, Louis Freeh, then the Director of the FBI, said:

For law enforcement, framing the issue is simple. In this time of dazzling telecommunications and computer technology where information can have extraordinary value, the ready availability of robust encryption is essential. No one in law enforcement disputes that. Clearly, in today's world and more so in the future, the ability to encrypt both contemporaneous communications and stored data is a vital component of information security.
As is so often the case, however, there is another aspect to the encryption issue that if left unaddressed will have severe public safety and national security ramifications. Law enforcement is in unanimous agreement that the widespread use of robust non-key recovery encryption ultimately will devastate our ability to fight crime and prevent terrorism. Uncrackable encryption will allow drug lords, spies, terrorists and even violent gangs to communicate about their crimes and their conspiracies with impunity. We will lose one of the few remaining vulnerabilities of the worst criminals and terrorists upon which law enforcement depends to successfully investigate and often prevent the worst crimes.
For this reason, the law enforcement community is unanimous in calling for a balanced solution to this problem.

Others as well feel that the export controls in place in the last half of the 20th century discouraged incorporation of widely known cryptographic tools into commercial products, particularly personal computer operating systems, and are a root cause of the present crisis in information security, aside from interfering with U.S. trade in such products. They observe that many of the advances, including asymmetric key cryptography and many of its algorithms, were already public in any case.

Cold War era

In the early days of the Cold War, the U.S. and its allies developed an elaborate series of export control regulations designed to prevent a wide range of Western technology from falling into the hands of others, particularly the Eastern bloc. All export of technology classed as 'critical' required a license. CoCom was organized to coordinate Western export controls.

Two types of technology were protected: technology associated only with weapons of war ("munitions") and dual use technology, which also had commercial applications. In the U.S., dual use technology export was controlled by the Department of Commerce, while munitions were controlled by the State Department. Since in the immediate post-WWII period the market for cryptography was almost entirely military, encryption technology (techniques as well as equipment and, after computers became important, crypto software) was included as a Category XIII item in the United States Munitions List. The multinational control of the export of cryptography on the Western side of the Cold War divide was done via the mechanisms of CoCom.

By the 1960s, however, financial organizations were beginning to require strong commercial encryption in the rapidly growing field of wired money transfer. The U.S. Government's introduction of the Data Encryption Standard in 1975 meant that commercial uses of high quality encryption would become common, and serious problems of export control began to arise. Generally these were dealt with through case-by-case export license request proceedings brought by computer manufacturers, such as IBM, and by their large corporate customers.

PC era

Encryption export controls became a matter of public concern with the introduction of the personal computer. Phil Zimmermann's PGP cryptosystem and its distribution on the Internet in 1991 was the first major 'individual level' challenge to controls on export of cryptography. The growth of electronic commerce in the 1990s created additional pressure for reduced restrictions. Shortly afterward, Netscape's SSL technology was widely adopted as a method for protecting credit card transactions using public key cryptography.

SSL-encrypted messages used the RC4 cipher, and used 128-bit keys. U.S. government export regulations would not permit crypto systems using 128-bit keys to be exported. At this stage Western governments had, in practice, a split personality when it came to encryption; policy was made by the military cryptanalysts, who were solely concerned with preventing their 'enemies' acquiring secrets, but that policy was then communicated to commerce by officials whose job was to support industry.

The longest key size allowed for export without individual license proceedings was 40 bits, so Netscape developed two versions of its web browser. The "U.S. edition" had the full 128-bit strength. The "International Edition" had its effective key length reduced to 40 bits by revealing 88 bits of the key in the SSL protocol. Acquiring the 'U.S. domestic' version turned out to be sufficient hassle that most computer users, even in the U.S., ended up with the 'International' version, whose weak 40-bit encryption could be broken in a matter of days using a single personal computer. A similar situation occurred with Lotus Notes for the same reasons.
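The effect of revealing part of a key, shown as an added example (not part of the original article and not Netscape's code): an RC4 key whose leading bytes are public is only as strong as the bytes kept secret. The key layout (revealed bytes first), the sample message, the 16-bit secret used to keep the run short, and the search rate are all assumptions constructed for illustration.

```python
"""Effective strength of an RC4 key when most of it is sent in the clear."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key schedule, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def effective_bits(key_bits: int, revealed_bits: int) -> int:
    """Bits an eavesdropper still has to guess once part of the key is public."""
    return key_bits - revealed_bits


def worst_case_days(secret_bits: int, keys_per_second: float) -> float:
    """Days to try every value of the secret part at an assumed trial rate."""
    return 2 ** secret_bits / keys_per_second / 86400


def recover_secret(clear_part: bytes, secret_len: int,
                   ciphertext: bytes, known_prefix: bytes):
    """Try every value of the secret bytes only; the revealed bytes cost nothing.

    Returns (secret_bytes, trials_used), or (None, trials_used) if no key fits.
    """
    n = len(known_prefix)
    total = 256 ** secret_len
    for candidate in range(total):
        secret = candidate.to_bytes(secret_len, "big")
        if rc4(clear_part + secret, ciphertext[:n]) == known_prefix:
            return secret, candidate + 1
    return None, total


# Constructed sample data. The page's split is 88 revealed + 40 secret bits;
# here it is scaled to 112 revealed + 16 secret so the search ends in seconds.
CLEAR_PART = bytes(range(0x10, 0x1E))      # 14 bytes visible on the wire
SECRET_PART = bytes.fromhex("1a2b")        # 2 bytes actually kept secret
MESSAGE = b"GET /checkout HTTP/1.0\r\ncard=0000-0000-0000-0000\r\n"
CIPHERTEXT = rc4(CLEAR_PART + SECRET_PART, MESSAGE)
KNOWN_PREFIX = MESSAGE[:16]                # predictable protocol header
ASSUMED_RATE = 5_000_000                   # keys per second, an assumption

if __name__ == "__main__":
    print("export edition, bits to guess:", effective_bits(128, 88))
    print("days for 40 bits at assumed rate: %.1f"
          % worst_case_days(40, ASSUMED_RATE))
    print("days for 128 bits at assumed rate: %.3g"
          % worst_case_days(128, ASSUMED_RATE))
    secret, trials = recover_secret(CLEAR_PART, 2, CIPHERTEXT, KNOWN_PREFIX)
    print("scaled-down search recovered", secret.hex(), "after", trials, "trials")
    print(rc4(CLEAR_PART + secret, CIPHERTEXT).decode())
```

The work grows with the secret bits alone: each additional secret bit doubles the number of trials, while the revealed bits add nothing.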

Legal challenges by Peter Junger and other civil libertarians and privacy advocates, the widespread availability of encryption software outside the U.S., and the perception by many companies that adverse publicity about weak encryption was limiting their sales and the growth of e-commerce, led to a series of relaxations in US export controls, culminating in 1996 in President Bill Clinton signing Executive Order 13026, which transferred commercial encryption from the Munitions List to the Commerce Control List. Furthermore, the order stated that the software shall not be considered or treated as "technology" in the sense of the Export Administration Regulations. This order permitted the United States Department of Commerce to implement rules that greatly simplified the export of commercial and open source software containing cryptography, which they did in 2000.

Current status

As of 2009, non-military cryptography exports from the U.S. are controlled by the Department of Commerce's Bureau of Industry and Security. Some restrictions still exist, even for mass market products, particularly with regard to export to "rogue states" and terrorist organizations. Militarized encryption equipment, TEMPEST-approved electronics, custom cryptographic software, and even cryptographic consulting services still require an export license (pp. 6–7). Many items must still undergo a one-time review by or notification to BIS prior to export to most countries. For instance, the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required. Export regulations have been relaxed from pre-1996 standards, but are still complex, and often require expert legal and cryptographic consultation. Other countries, notably those participating in the Wassenaar Arrangement, have similar restrictions.

US export rules

US non-military exports are controlled by Export Administration Regulations (EAR), a short name for the US Code of Federal Regulations (CFR) Title 15 chapter VII, subchapter C.

Encryption items specifically designed, developed, configured, adapted or modified for military applications (including command, control and intelligence applications) are controlled by the Department of State on the United States Munitions List.

Terminology

Encryption export terminology is defined in EAR part 772.1. In particular:
  • Encryption Component is an encryption commodity or software (but not the source code), including encryption chips, integrated circuits etc.
  • Encryption items include non-military encryption commodities, software, and technology.
  • Open cryptographic interface is a mechanism which is designed to allow a customer or other party to insert cryptographic functionality without the intervention, help or assistance of the manufacturer or its agents.
  • Ancillary cryptography items are the ones primarily used not for computing and communications, but for digital rights management; games, household appliances; printing, photo and video recording (but not videoconferencing); business process automation; industrial or manufacturing systems (including robotics, fire alarms and HVAC); automotive, aviation and other transportation systems.


Export destinations are classified by the EAR Supplement No. 1 to Part 740 into four country groups (A, B, D, E) with further subdivisions; a country can belong to more than one group. For the purposes of encryption, groups B, D:1, and E:1 are important:
  • B is a large list of countries that are subject to relaxed encryption export rules
  • D:1 is a short list of countries that are subject to stricter export control. Notable countries on this list include China and Russia
  • E:1 is a very short list of "terrorist-supporting" countries (as of 2009, includes 5 countries; previously contained six countries and was also called "terrorist 6" or T-6)


The EAR Supplement No. 1 to Part 738 (Commerce Country Chart) contains the table with country restrictions. If the row of the table that corresponds to the country contains an X in the reason for control column, the export of a controlled item requires a license, unless an exception can be applied. For the purposes of encryption, the following three reasons for control are important:
  • NS1 National Security Column 1
  • AT1 Anti-Terrorism Column 1
  • EI Encryption Items (currently the same as NS1)

Classification

For export purposes each item is classified with the Export Control Classification Number (ECCN) with the help of the Commerce Control List (CCL, Supplement No. 1 to the EAR part 774). In particular:
  • 5A002 Systems, equipment, electronic assemblies, and integrated circuits for "information security". Reasons for control: NS1, AT1.
  • 5A992 "Mass market" encryption commodities and other equipment not controlled by 5A002. Reason for control: AT1.
  • 5B002 Equipment for development or production of items classified as 5A002, 5B002, 5D002 or 5E002. Reasons for control: NS1, AT1.
  • 5D002 Encryption software. Reasons for control: NS1, AT1.
      • used to develop, produce, or use items classified as 5A002, 5B002, 5D002
      • supporting technology controlled by 5E002
      • modeling the functions of equipment controlled by 5A002 or 5B002
      • used to certify software controlled by 5D002
  • 5D992 Encryption software not controlled by 5D002. Reasons for control: AT1.
  • 5E002 Technology for the development, production or use of equipment controlled by 5A002 or 5B002 or software controlled by 5D002. Reasons for control: NS1, AT1.
  • 5E992 Technology for the 5x992 items. Reasons for control: AT1.


An item can either be self-classified, or a classification ("review") can be requested from the BIS. A BIS review is required for typical items to get the 5A992 or 5D992 classification.

See also

  • Bernstein v. United States
  • Junger v. Daley
  • Restrictions on the import of cryptography



The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.