Nov. 23, 1999
Introductory Note: this draft contains proposed regulatory language for the new or amended sections of the Commerce Department Export Regulations as they apply to encryption. It is not itself a draft of the actual regulation. Given the broad changes of the policy announced on September 16, we wished to provide an opportunity for greater consultation by circulating this Discussion Draft. We would welcome additional information from the private sector on how the proposed regulatory language would affect encryption exports and re-exports. Among the areas where additional information (data and technical examples) would be helpful are the proposed treatment of toolkits and open source code, and information on business models additional services that Internet or Telecommunications Service providers may offer. The next step in the process will be to prepare the regulation, based on the language below and on any additional information we receive. Please forward comments to James Lewis (jlewis@bxa.doc.gov) by December 6.
Sec.734.7 PUBLISHED INFORMATION AND SOFTWARE
(c) Notwithstanding paragraphs (a) and (b) of this section, note that encryption software controlled under ECCN 5D002 for "EI" reasons on the Commerce Control List (refer to Supplement No. 1 to part 774 of the EAR) remains subject to the EAR (refer to Sec.740.13 of the EAR for release under license exception treatment).
Sec.740.13 TECHNOLOGY AND SOFTWARE -- UNRESTRICTED (TSU)
This License Exception authorizes exports and re-exports of operation technology and software; sales technology and software; software updates (bug fixes); and "mass market" software subject to the General Software Note; and non-commercial encryption source-code. Note that encryption software is no longer subject to the General Software Note (see paragraph (d)(2) of this section).
(d) General Software Note: "mass market" software
(2) Software not eligible for this License Exception. This License Exception is not available for certain encryption software controlled under ECCN 5D002. (Refer to the Cryptography Note in Category 5 - part 2 of the Commerce Control List (CCL) for information on Mass Market Encryption commodities and software. Also refer to Sec.742.15(b)(1) and 748.3(b) of the EAR for information on item classifications for release from EI controls and NS controls).
(e) Non-Commercial Source Code
(1) Encryption source code controlled under 5D002 which would be considered publicly available under Section 734.3(b)(3) and which is not subject to any proprietary commercial agreement or restriction is released from EI controls and may be exported or re-exported without review under License Exception TSU, provided you have submitted to BXA notification of the export, accompanied by the Internet address (e.g. URL) or copy of the source code by the time of export. Submit the notification to BXA and send a copy to ENC Encryption Request Coordinator (see Section 740.17(g)(5) for mailing addresses).
(2) Source code released under this provision remains of U.S. origin even when used or commingled with software or products of any origin, and any encryption product developed with source code released under this provision is subject to the EAR (see Section 740.17).
(3) The source code may be exported or re-exported to all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.
Sec. 740.17 ENCRYPTION COMMODITIES AND SOFTWARE (ENC).
(a) Exports and re-exports of certain encryption commodities and software. As enumerated below, you may export and re-export encryption commodities and software including components (as defined in part 772) under License Exception ENC after classification by BXA (see paragraph (e) of this section). License Exception ENC does not apply if the encryption commodity or software provides an open cryptographic interface (as defined in part 772).
(1) Encryption commodities, software and technology for U.S. subsidiaries. You may export and re-export any encryption item of any key length under ECCNs 5A002, 5D002 and 5E002 to foreign subsidiaries of U.S. firms (as defined in part 772). This includes source code and technology for internal company proprietary use, including the development of new products. U.S. firms may also transfer encryption technology (5E002) to a foreign national in the U.S., (except foreign nationals from Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria) for internal company proprietary use, including the development of new products. All items developed with U.S. encryption commodities, software and technology are subject to the EAR.
(2) Encryption commodities and software. You may export and re-export any encryption commodities and software including components of any key length under ECCNs 5A002 and 5D002 to individuals, commercial firms and other non-government end users. The previous restriction limiting exports or re-exports to internal company proprietary use is now removed. Encryption products exported or re-exported under this paragraph can be used to provide products and services to any individual, commercial firm or other non-government end-users. Encryption items not classified as retail require a license for export and re-export to foreign government end-users (see definition in Part 772). Previous liberalizations for banks, financial institutions and other approved sectors are subsumed under this section.
(i) Private internet and telecommunications service providers can provide under license exception ENC encryption products and services to any non-government entity. For encryption products not classified as retail, Internet and telecommunications service providers partially or wholly owned by governments are permitted under license exception to:
(a) Provide network layer encryption (Local Area Network, Wide Area Network, Virtual Private Networks), voice encryption or dedicated link-encryption services to any non-government end-user;
(b) Host application-specific servers and services, websites or e-commerce services for any non-government end-user;
(c) Protect internal business information (e.g., the protection of company proprietary and customer account information);
(d) Provide authentication services with commercial public key infrastructure products (e.g., via digital certificates). Data confidentiality public key infrastructure products are subject to license.
(ii) All other uses of non-retail encryption controlled by 5A002 and 5D002 by partially or wholly government owned Internet and Telecommunications service providers are subject to license.
(3) Retail encryption commodities and software. You may export and re-export to any end-user retail encryption commodities, software and components under ECCNs 5A002 and 5D002. Encryption products exported under this paragraph can be used to provide products and services to any end-user. Retail commodities, software and components are products which are: (a) sold in tangible form through retail outlets which are independent of the manufacturer, or (b) products specifically designed for individual consumer use which are sold directly by the manufacturer in tangible or intangible form.
(i) Retail encryption products include finance-specific encryption commodities and software of any key length that are restricted by design (e.g., highly field-formatted with validation procedures and not easily diverted to other end-uses) used to secure financial communications such as electronic commerce; general purpose operating systems and their associated user-interface client software, including general purpose operating systems with embedded networking and server capabilities; routers, networking and cable equipment designed for small office or home use; servers that interface directly with the user. Internet or telecommunications service providers may under this license exception use retail encryption commodities or software to provide services to any end-user.
(ii) Retail products do not include products which require substantial support for installation and use, where the cryptographic functionality can be easily changed by the user, or network-specific infrastructure products such as high end routers or switches, designed for large volume communications; or systems or products where the encryption or protocol features are or have been modified or customized to customer-specification.
(4) Commercial encryption source code and general purpose toolkits. You may export and re-export encryption source code not released under Section 740.13(e) or general purpose toolkits (application specific toolkits are covered under components, see Section 772) classified by BXA under ECCN 5D002 to non-government end-users, subject to the following provisions:
(i) for encryption source code (including published source code which is subject to proprietary commercial agreements or other restriction), any new product developed with this source code must be classified by BXA (see paragraph (e) of this section) prior to re-export.
(ii) for any source code or general purpose toolkit exported or re-exported for customization of products approved for internal company proprietary use, you must provide a generic, nonproprietary description of the modified product. Products developed or customized for any other use require a separate review by BXA (see paragraph (e) of this section).
(b) Ineligible Destinations. No encryption item(s) may be exported or re-exported under this license exception to Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.
(c) Retransfers. Retransfers of encryption items listed in paragraph (a) of this section to other end-users or end-uses are prohibited without prior authorization.
(d) Distributors and Resellers. U.S. or foreign distributors, resellers or other entities who are not original manufacturers of encryption commodities and software are permitted to use License Exception ENC only in instances where the export or re-export meets the applicable terms and conditions of Sec.740.17.
(e) Eligibility for License Exception ENC.
(1) You may initiate review and classification of your encryption items as required by paragraph (a) of this section by submitting a classification request in accordance with the provisions of Sec.748.3(b) of the EAR. Indicate "License Exception ENC" in Block 9: Special purpose, on form BXA-748P. Submit the original request to BXA in accordance with Sec.748.3 of the EAR and send a copy of the request to ENC Encryption Request Coordinator (see paragraph (g)(5) of this Section for mailing addresses).
(2) Encryption commodities and software previously approved under a license, Encryption Licensing Arrangement, or made eligible for License Exception ENC or KMI are now eligible for export and re-export under License Exception ENC under all provisions of paragraph (a) except (a)(3) of section 740.17 without additional review. For paragraph (a)(3), another classification will be necessary to determine qualification as a "retail" encryption commodity or software.
(3) 40 and 56-bit DES or equivalent commodities and software previously classified as eligible for License Exception TSU (or for hardware, ENC) may be upgraded to 64-bits for the confidentiality algorithm and to 1024 bits (or less) used for asymmetric algorithm for key exchange and exported without an additional review provided that the only change is in key length. Exporters must certify to BXA in a letter from a senior corporate official that the only change to the encryption product is the key length for confidentiality or key exchange algorithms and that there is no other change in cryptographic functionality. Such certifications must include the original authorization number issued by BXA and the date of issuance. BXA must receive this certification prior to any export of such upgraded product. The certification should be sent to BXA with a copy of the certification to ENC Encryption Request Coordinator (see paragraph (g)(5) of this section for mailing addresses).
(f) Open cryptographic interfaces. License Exception ENC shall not apply to exports or re- exports of encryption commodities and software including components, if the encryption product provides an open cryptographic interface (as defined in part 772).
(g) Reporting requirements.
(1) No reporting is required for exports of:
(i) any encryption to U.S. subsidiaries;
(ii) finance-specific products;
(iii) encryption commodities or software including components with a symmetric algorithm not employing a key length exceeding 64 bits;
(iv) retail products when exported to individual consumers.
(2) Exporters must provide all available information as follows:
(i) for items exported to a distributor or other reseller, the name and address of the distributor or reseller and the quantity exported and, if known, the end user;
(ii) for items exported through direct sale, the name and address of the recipient and the quantity exported.
(3) For encryption components, you must submit the names and addresses of the product manufacturers using these products and a generic non-proprietary technical description of the products for which the component is being used (see Supplement No. 6 to part 742 for examples).
(4) Exporters of encryption commodities and software including components, which were previously classified under License Exception KMI, ENC, or have been licensed for export under an Encryption Licensing Arrangement, must comply with the reporting requirements of this section.
(5) Beginning [Date of Publication], you must submit reports required under this section semi-annually to BXA. For exports occurring between January 1 and June 30, a report is due no later than August 1. For exports occurring between July 1 and December 31, a report is due no later than February 1. The report must include the classification or other authorization number. These reports must be provided in electronic form to BXA; suggested file formats for electronic submission include spreadsheets, tabular text or structured text. Exporters may request other reporting arrangements with BXA to better reflect their business models. Reports should be sent electronically to crypt@bxa.doc.gov, or disks and CDs can be mailed to the following addresses:
(1) Department of Commerce
Bureau of Export Administration
Office of Strategic Trade and Foreign Policy Controls
14th Street and Pennsylvania Ave., N.W., Room 2705
Washington, D.C. 20230
Attn: Encryption Reports
(2) A copy of the report should be sent to:
Attn: ENC Encryption Request Coordinator
9800 Savage Road, Suite 6131
Ft. Meade, MD 20755-6000
Sec.742.15 ENCRYPTION ITEMS
Encryption items can be used to maintain the secrecy of information, and thereby may be used by persons abroad to harm national security, foreign policy and law enforcement interests. As the President indicated in E.O. 13026 and in his Memorandum of November 15, 1996, export of encryption software, like export of encryption hardware, is controlled because of this functional capacity to encrypt information on a computer system, and not because of any informational or theoretical value that such software may reflect, contain, or represent, or that its export may convey to others abroad. For this reason, export controls on encryption software are distinguished from controls on other software regulated under the EAR.
(a) License requirements
Licenses are required for exports and re-exports to all destinations, except Canada, for items controlled under ECCNs having an "EI" (for "encryption items") under the "Control(s)" paragraph. Such items include: encryption commodities controlled under ECCN 5A002; encryption software controlled under ECCN 5D002; and encryption technology controlled under ECCN 5E002. Refer to part 772 of the EAR for the definition of "encryption items".
(b) Licensing policy
The following licensing policies apply to items identified in paragraph (a) of this section. Except as otherwise noted, applications will be reviewed on a case-by-case basis by BXA, in conjunction with other agencies, to determine whether the export or re-export is consistent with U.S. national security and foreign policy interests. For subsequent bundling and updates of these items see paragraph (n) of Sec.770.2 of the EAR.
(1) Encryption commodities, software and technology under ECCNs 5A992, 5D992 and 5E992. Certain encryption commodities, software and technology may be released from "EI" controls, after classification by BXA as ECCNs 5A992, 5D992 or 5E992. Items controlled under these ECCNs are not subject to either "EI" or "NS" controls and are eligible for export and re-export to all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. Refer to Sec.748.3(b)(3) of the EAR for additional information regarding classification requests. The following encryption items may be eligible for such treatment:
(i) 56-bit encryption commodities, software and technology. Encryption commodities, software and technology up to and including 56-bits may be classified under ECCNs 5A992, 5D992 or 5E992.
(ii) Key management products. Products which only provide key management with asymmetric key exchange algorithms not exceeding 512 bits may be eligible for classification under ECCNs 5A992 or 5D992.
(iii) 64-bit mass market encryption commodities and software. Mass market encryption commodities and software with key lengths not exceeding 64-bit may be eligible for classification by BXA under ECCNs 5A992 or 5D992. Refer to the Cryptography Note (Note 3) to Part 2 of Category 5 of the CCL for a definition of mass market commodities and software. Key exchange mechanisms up to and including 512 bits, proprietary key exchange mechanisms, or company proprietary commodities and software implementations may also be eligible for this treatment. Refer to Supplement No. 6 to part 742 and Sec.748.3(b)(3) of the EAR for additional information.
(iv) For classification of these encryption items under these ECCNs, mark "NLR" in Block 9: Special purpose, on form BXA-748P, of your classification request.
(2) Encryption commodities and software eligible for classification under ECCNs 5A002 and 5D002. Items classified by BXA as retail products under ECCNs 5A002 and 5D002 are permitted for export and re-export to any end-user. All other encryption commodities and software, including components, classified by BXA under ECCNs 5A002 and 5D002 may be exported to any individual, commercial firm or other non-government entity. Any encryption item (including technology classified under 5E002) will be permitted for export or re-export to U.S. subsidiaries (as defined in part 772). All products developed using U.S. encryption items are subject to the EAR. No exports are authorized without a license to Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.
(3) Encryption Licensing Arrangements. Applicants may submit license applications for exports and re-exports of encryption items not eligible for export under license exception in unlimited quantities for all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria, including exports and re-exports of encryption technology to strategic partners of U.S. companies (as defined in part 772). The applicant must specify the sales territory and class of end-user. Encryption Licensing Arrangements are valid for four years and may require reporting. Applications for the export and re-export of all other encryption items, such as encryption technology, open cryptographic interfaces, or exports or re-exports to foreign government end-users (as defined in part 772), will be reviewed on a case-by-case basis.
PART 770
Sec.770.2 Commodity interpretations.
(n) Interpretation 14: Encryption commodity and software reviews. Classification of encryption commodities or software is required to determine eligibility for all licensing mechanisms. Note that subsequent bundling, patches, upgrades or releases, including name changes, may be exported or re-exported under the applicable provisions of the EAR without further technical review as long as the functional encryption capacity of the originally reviewed encryption product has not been modified or enhanced. This does not extend to products controlled under a different category on the CCL.
PART 772 - DEFINITIONS OF TERMS
"Asymmetric algorithm". (Cat 5, part II) A cryptographic algorithm using different, mathematically-related keys for encryption and decryption. A common use of "asymmetric algorithms" is a key management.
Encryption Component. Any encryption commodity or software, including encryption chips, integrated circuits, application specific toolkits (including software development kits), executable or linkable modules which alone is incapable of performing complete cryptographic functions, and is designed or intended for use in or the production of another encryption item.
Foreign Government Entity (as applied to encryption items). A foreign government entity is (a) any government department, agency, or other entity performing governmental functions; e.g., Finance Ministry, Ministry of Defense, Ministry of Health, including governmental corporations, quasi-government agencies and State enterprises;;
(b) this term does not include the following public entities: utilities, banks, transportation, broadcast, non-research educational facilities, non-military health organizations and manufacturing or industrial entities, except those public manufacturing or industrial entities or their separate business units (as defined in part 772 of the EAR) who are engaged in the manufacture or distribution of items or services controlled on the Wassenaar Munitions List.
Open Cryptographic Interface. A mechanism which allows a customer or other party to insert cryptography without the intervention, help or assistance of the manufacturer or its agents, e.g., manufacturers signing of cryptographic code or proprietary interfaces.
"Symmetric algorithm". (Cat 5, part II) A cryptographic algorithm using an identical key for both encryption and decryption. A common use of "symmetric algorithms" is confidentiality of data.
PART 774
Part II - "Information Security"
Note 1: The control status of "information security" equipment, "software", systems, application specific "electronic assemblies", modules, integrated circuits, components, or functions is determined in Category 5, part 2 even if they are components or "electronic assemblies" of other equipment.
Note 2: Category 5 - part 2 encryption products, when accompanying their user for the user's personal use, are eligible for license exceptions TMP or BAG.
Note 3: Cryptography Note: ECCNs 5A002 and 5D002 do not control items that meet all of the following:
a. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
1. Over-the-counter transactions;
2. Mail order transactions;
3. Electronic transactions; or
4. Telephone call transactions;
b. The cryptographic functionality cannot be easily changed by the user;
c. Designed for installation by the user without further substantial support by the supplier;
d. Does not contain a "symmetric algorithm" employing a key length exceeding 64-bits; and
e. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with conditions described in paragraphs (a) through (d) of this note. See Sec.742.15(b)(1) of the EAR.
A. Systems, Equipment and Components
5A002 Systems, equipment, application specific "electronic assemblies", modules and integrated circuits for "information security", and other specially designed components therefor.
List of Items Controlled
Unit: $ value
Related Controls: See also 5A992. This entry does not control: a.) "Personalized smart cards "where the cryptographic capability is restricted for use in equipment or systems excluded from control paragraphs b through f of this note. Note that if a "personalized smart card" has multiple functions, the control status of each function is assessed individually; b.) Receiving equipment for radio broadcast, pay television or similar restricted audience television of the consumer type, without digital encryption except that exclusively used for sending the billing or program-related information back to the broadcast providers c.) Portable or mobile radiotelephones for civil use (e.g., for use with commercial civil cellular radiocommunications systems) that are not capable of end-to-end encryption; d.) Equipment where the cryptographic capability is not user-accessible and which is specially designed and limited to allow any of the following: 1.) Execution of copy-protected "software"; 2.) Access to any of the following: a.) Copy-protected read-only media; or b.) Information stored in encrypted form on media (e.g., in connection with the protection of intellectual property rights) where the media is offered for sale in identical sets to the public; or 3.) One-time copying of copyright protected audio/video data; e.) Cryptographic equipment specially designed and limited for banking use or money transactions; f.) Cordless telephone equipment not capable of end-to-end encryption where the maximum effective range of unboosted cordless operation (i.e., a single, unrelayed hop between terminal and home basestation) is less than 400 meters according to the manufacturer's specifications.
Related Definitions: 1.) The term "money transactions" in paragraph e.) of Related Controls includes the collection and settlement of fares or credit functions. 2.) For the control of global navigation satellite systems receiving equipment containing or employing decryption (i.e., GPS or GLONASS) see 7A005.
Items:
Technical Note: Parity bits are not included in the key length.
a. Systems, equipment, application specific "electronic assemblies", modules and integrated circuits for "information security", and other specially designed components therefor:
a.1. Designed or modified to use "cryptography" employing digital techniques performing any cryptographic function other than authentication or digital signature having any of the following:
Technical Notes:
1. Authentication and digital signature functions include their associated key management function.
2. Authentication includes all aspects of access control where there is no encryption of files or text except as directly related to the protection of passwords, Personal Identification Numbers (PINs) or similar data to prevent unauthorized access.
3. "Cryptography" does not include "fixed" data compression or coding techniques.
Note: 5A002.a.1 includes equipment designed or modified to use "cryptography" employing analogue principles when implemented with digital techniques.
a.1.a. A "symmetric algorithm" employing a key length in excess of 56-bits; or
a.1.b. An "asymmetric algorithm" where the security of the algorithm is based on any of the following:
a.1.b.1. Factorization of integers in excess of 512 bits (e.g., RSA);
a.1.b.2. Computation of discrete logarithms in a multiplicative group of a finite files of size greater than 512 bits (e.g., Diffie-Hellman over Z/pZ); or
a.1.b.3. Discrete logarithms in a group other than mentioned in 5A002.a.1.b.2 in excess of 112 bits (e.g., Diffie-Hellman over an elliptic curve);
a.2. Designed or modified to perform cryptoanalytic functions;
a.3. [Reserved]
a.4. Specially designed or modified to reduce the compromising emanations of information-bearing signals beyond what is necessary for the health, safety or electromagnetic interference standards;
a.5. Designed or modified to use cryptographic techniques to generate the spreading code for "spread spectrum" or the hopping code for "frequency agility" systems;
a.6. Designed or modified to provide certified or certifiable "multilevel security" or user isolation at a level exceeding Class B2 of the Trusted Computer System Evaluation Criteria (TCSEC) or equivalent;
a.7. Communications cable systems designed or modified using mechanical, electrical or electronic means to detect surreptitious intrusion.
5B002 Information Security - test, inspection and "production" equipment.
License Requirements
Reason for Control: NS, AT
Control(s)Country Chart
NS applies to entire entryNS Column 1
AT applies to entire entryAT Column 1
5E002 "Technology" according to the General Technology Note" for the "development", "production" or "use" of equipment controlled by 5A002 or 5B002 or "software" controlled by 5D002.
License Requirements
Reason for Control: NS, AT, EI
Control(s)Country Chart
NS applies to entire entryNS Column 1
AT applies to entire entryAT Column 1
EI applies to encryption items transferred from the U.S. Munitions List to the Commerce Control List consistent with E.O. 13026 of November 15, 1996 (61 FR 58767) and pursuant to the Presidential Memorandum of that date. Refer to Sec.742.15 of the EAR.
Supplement No. 2 to Part 774
GENERAL TECHNOLOGY AND SOFTWARE NOTES
2. Note: The General Software Note does not apply to "software" controlled by Category 5 - part 2 ("Information Security"). For "software" controlled by Category 5, part 2, see Supplement No. 1 to part 774, Category 5, part 2, Note 3 - Cryptography Note.
SUPPLEMENT NO. 6 TO PART 742
Guidelines for Submitting a Classification Request for Encryption Items
Classification requests for encryption items must be submitted on Form BXA-748P, in accordance with Section 748.3 of the EAR. Insert in Block 9: Special Purpose of the Form BXA-748P, the phrase "License Exception ENC" or "NLR", based on your classification request. Failure to insert this phrase will delay processing. In addition, the Bureau of Export Administration recommends that such requests be delivered via courier service to: Bureau of Export Administration, Office of Exporter Services, Room 2705, 14th Street and Pennsylvania Ave., N.W. Washington, D.C. 20230. In addition, you must send a copy of the request and all supporting documents to: Attn: ENC Encryption Request Coordinator, 9800 Savage Road, Suite 6131, Fort Meade, MD 20755-6000.
(a) Requests for encryption items will be processed in thirty (30) working days from receipt of a properly completed request.
(b)(1) To submit a classification request for a technical review of commodities and software, you must provide the following information in a cover letter to the classification request:
(i) Clearly state at the top of the page either "ENC" or "NLR" - 30 Day Technical Review Requested;"
(ii) State that you have reviewed and determined that the commodity or software subject to the classification request meets the criteria of this Supplement;
(iii) State the name of the commodity or software product being submitted for review;
(iv) State how the commodity or software has been written to preclude user modification of the encryption algorithm, key management mechanism, and key space;
(v) State that a duplicate copy has been sent to the ENC Encryption Request Coordinator;
(vi) Provide the following information for the commodity or software product:
(A) Description of encryption algorithm, e.g. source code, the commodity or software uses for data confidentiality and how the agorithm (s) is used. If any combination of different algorithms are used in the same product, also state how each is applied to the data.
(B) Pre-processing information of plaintext data before encryption (e.g. compression of the data).
(C) Post-processing information of cipher text data after encryption (e.g. packetization of the encrypted data).
(D) Description of public key algorithm or symmetric key algorithm, (e.g. source code, is used to encrypt keys and the applicable key space).
(E) For classification requests regarding components:
(1) Reference the application for the components if known;
(2) State if there is a general programming interface to the component;
(3) State whether the component is constrained by function;
(4) List any standards and protocols that the component adheres to;
(5) Include a complete description of all functionalities and their accessibility.
(F) For classification requests regarding source code:
(1) If applicable, reference the executable product that has already received a technical review.
(2) Include whether the source code has been modified by deleting the encryption algorithm, its associated key management routine(s) and all calls to the algorithm from the source code, or by providing the encryption algorithm and associated key management routine(s) in object code with all calls to the algorithm hidden. You must provide the technical details on how you have modified the source code.
(3) Include a copy of the sections of the source code that contain the encryption algorithm, key management routines, and their related calls.
(c)(1) To submit a classification request for a technical review of technology, you must provide the following information in a cover letter to the classification request:
(i) Clearly state at the top of the page either "ENC" or "NLR" - 30 Day Technical Review Requested";
(ii) State that you have reviewed and determined that the technology subject to the classification request meets the criteria of this Supplement;
(iii) State the name of the technology being submitted for review;
(iv) State that a duplicate copy has been sent to the ENC Encryption Request Coordinator;
(vii) Provide the following information for the technology product:
(A) Description of encryption algorithm, if any combination of different algorithms are used in the same product, also state how each is applied to the data.
(B) Description of public key algorithm or symmetric key algorithm, (e.g. source code, is used to encrypt keys and the applicable key space).
(d) For all encryption items, ensure that the information provided includes brochures or other documentation or specifications (to include applicable cryptographic source code) related to the technology, commodity or software, as well as any additional information which you believe would assist the review process.
[end]
Please send any questions or comments to webmaster@eff.org