CCATS on iOS AppStore and encryption

user1028028 · Apr 2, 2013 · Viewed 7.6k times

This is going to be one long question... Actually a set of related questions... I want to make an iOS app that will be sold on Apple's App Store (obviously). My app will store some sensitive user data in the documents directory. For security reasons I thought of a cryptosystem that will secure that data. Here the fun starts... That data security mechanism will be virtually unbreakable. I will be using AES-128/256, TwoFish 128/256 and Serpent 128/256. The user can select what to use where... I may be using dual encryption, data being encrypted once with AES and then with Serpent, or any combination of those.

I obviously need to check the "uses encryption" button on the app store. The problem is:

1) what certification do I need CCATS or just ERN?

From :

http://tigelane.blogspot.ro/2011/01/apple-itunes-export-restrictions-on.html

  1. Go to this link and use his instructions. This is a great post: http://zetetic.net/blog/2009/08/03/mass-market-encryption-commodity-classification-for-iphone-applications-in-8-easy-steps/
  2. Do steps 1 and 2 in all cases. If you built your own encryption mechanism, then follow the entire post. If you used SSL or other public domain encryption, then you can stop after you have your SNAP-R account.

I need apparently to do the whole certification process... I definitely made my own mechanism.

2) Can the full CCATS be done 100% online?

In that "8 easy steps" post it said I need to send some documents by (snail)mail. Then later on a user said that it is not necessary anymore. Note: those blog posts seem old (2 years).

Excellent description! FYI: The process for obtaining a CIN/PIN for SNAP-R is now entirely electronic

Another user said:

You might want to consider updating your post. I've just been told by a BIS Counsellor that it's no longer necessary to snail mail in hard copies of your application form and supporting documentation. It may be something trivial to some but wasting $80 on international shipping is $80 down the drain.

I hope I don't need to send all the documents by mail, as it will take a while to get them to the US from the EU.

Has anyone in the EU used the ERN/ CCATS process recently?

3) I also saw that they ask you for a fax number... I don't have a fax. Is that a big problem?

If really necessary would an online fax service be ok?

4) Do I need to explain the whole encryption mechanism in detail? Or just the algorithms? Can I be rejected for having a "too good for mass market encryption" cryptosystem?

Mostly, do I need to explain or declare that some data will be encrypted twice? Or is "will store data encrypted on disk" a good enough explanation?

5) I will be using some password extension algorithms and hashing (HMAC, with SHA-2, maybe SHA-3)... do I need to report those too?

Answer

stephen · Sep 25, 2013

stormCloud's answer is great. I called BIS, and talked to a rep for an hour covering a lot of theoretical details. I also learned (the rep said the rep shouldn't tell me this) that they are annoyed with people that just call instead of trying to figure out the process first. So, I wanted to share what I found as a result of calling BIS as of 9/24/2013.

Document references:

All pertinent documents are listed on this page. The documents links are listed on the left and center of this webpage in a group titled "Encrypted Links".

What to do with them:

In the document "Supplement 1 to part 774 Category 5 part ii", see "Note 4" to determine whether all of the primary functions of your app are exempt from category 5, section 2. The language is confusing. There is at least one double negative in there. If in doubt, just classify as a mass market commodity.

The rep urged me to consider not only whether the primary functions are exempt per intended use, but whether they would be exempt if users used the app any other way. Again, if in doubt, classify as a mass market commodity.

If you choose to classify as a mass market commodity, you will need to refer to three documents. See 740.17 to determine whether your software should be classified as B1, B2, or B3. B2x types definitely need to be classified as a mass market commodity. I did not clarify whether B1 or B2 types need to be classified as mass market commodities.
Supplement 5 pertains to classifying Bx types. You'll copy this document and fill in the relevant info, to in turn submit with your SNAP-R work item.
Additionally see Supplement 8 per the reports you must submit in January.

Our conclusion for our app:

Our particular application is not (yet) categorized under category 5, part 2. What this means is I can choose to "self-classify" our application as EAR99 instead of ECCN 5D992 (mass market) or 5D002 (not mass market). This also means I do not need to create an export item in a SNAP-R work item. :)

This is the full email I received from the BIS rep to walk me through classifying software as a mass market commodity:

An Encryption Registration Number (ERN) must be obtained before export. An ERN is something you obtain once and use forever or until the information you provide changes. Obtaining an ERN takes only a few minutes of work. You will receive the ERN within about an hour of submitting the request. After that, always include it on the additional information block of any classification request and use it on the subject line of your Supplement 8 to Part 742 reports.

If you cannot submit the request for an ERN immediately and understand that you are not authorized to export until you do so, please respond stating the same and I will issue the classification with the ERN required language on the face of it. I prefer that you go ahead and request an Encryption Registration Number (ERN) and reply to this request with your ERN. I will put your ERN in the additional information block and issue the CCATS without reference to the ERN.

In the future, please always include your ERN in the additional information block as required by the regulations for classification of items described by Sections 740.17(b)(2) or (b)(3) and 742.15(b)(3) of the EAR. Even items authorized by 740.17(b)(1) or 742.15(b)(1) require an encryption registration prior to export. Therefore, it usually makes sense to obtain and provide the ERN in the additional information block prior to making a classification request even for "B1" requests.

HOW TO OBTAIN AN ERN:

On the main BIS Website www.bis.doc.gov, click on the word "Encryption" under the Policy Guidance pull down menu. This brings up the main encryption web page. There are two blue boxes in the first column on the left side of the page; however, you may have to scroll down to find the second blue box. The second blue box says "Encryption Links" and is a set of important encryption regulations including Supp. 5 to Part 742. Choose the regulation "Supplement No. 5 to Part 742." Copy the Supplement 5 questions into a word processing document. Answer the questions and PDF your response. Open SNAP-R and select "Create work item". From the list of work item types select "Encryption Registration." Attach the .pdf you just created and submit. Within an hour, the computer should respond with your ERN, a number beginning with 'R'. Provide me with that number and put it in Block 24 "additional information" on all future encryption CCATS work items.

TMI...I know. Anyone read this far?