When To Check the "This Application Uses Encryption" Box?

Sam picture Sam · Mar 7, 2012 · Viewed 9k times · Source

When submitting or updating an app, one question you are faced with is:

Have you added or made changes to encryption features since you last uploaded a binary for this product?

Image: enter image description here

My question is, if I use the encryption you get from the <CommonCrypto/CommonCryptor.h> library, do I have to check YES to that Q?

I have a file I'd like to encrypt, send to the iphone, and decrypt on the iphone using CommonCrypto. I've gotten mixed responses when talking with coworkers. Some believe that since it's an included framework that it's fair game, others say you have to get government approval.

It appears CommonCrypto supports (at best) AES 128 bit encryption with a cipher mode of ECB. So, that's what I was planning on using.

Side Note: I plan on using the NSData+CommonCrypto category from AlanQuatermain / aqtoolkit on github. This is just a wrapper around CommonCrypto and nothing more.

Related is, do you have to check YES if you use HTTPS (SSL)? See iPhone Encryption Export Compliance for Apps making HTTPS (TLS) Connections - Continued. I don't need https connections, still this surprises me...

Answer

Sam picture Sam · Mar 8, 2012

I believe I found the answer I was looking for.

Disclaimer - I am NOT a lawyer (like you folks) and will not be held responsible for this answer, but I think my findings can / will benefit the community.

Does my App Qualify as a Mass Market Item?

Short answer - I believe all apple apps would be considered Mass Market Items, but it's hard to be sure. However, it appears even non Mass Market Items can use a symmetric key algorithm with a 56 bit key or less (as you'll read further below). Note DES is a symmetric key algorithm that uses a 56 bit key.

Cryptography Note (Note 3) of Category 5, Part 2 (“Information Security”), of the Commerce Control List

Note 3: Cryptography Note: ECCNs 5A002 and 5D002 do not control items that meet all of the following:

a. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:

  1. Over-the-counter transactions;
  2. Mail order transactions;
  3. Electronic transactions; or
  4. Telephone call transactions;

b. The cryptographic functionality cannot be easily changed by the user;

c. Designed for installation by the user without further substantial support by the supplier; and

d. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with conditions described in paragraphs (a) through (c) of this note

Ok... So If it is a Mass Market Item, What are the Limitations?

You must submit a classification request to government if (see bold):

N.B. to Note 3 (Cryptography Note): You must submit a classification request or encryption registration to BIS for mass market encryption commodities and software eligible for the Cryptography Note employing a key length greater than 64 bits for the symmetric algorithm (or, for commodities and software not implementing any symmetric algorithms, employing a key length greater than 768 bits for asymmetric algorithms or greater than 128 bits for elliptic curve algorithms) in accordance with the requirements of § 742.15(b) of the EAR in order to be released from the “EI” and “NS” controls of ECCN 5A002 or 5D002.

So, based on that what CAN and CAN'T I use?

Disclaimer :: This is my interpretation of the above - again I'm not a lawyer

  • AES 128 can't be used without submitting a request since it uses a 128 bit key.
  • DES can be used since it uses a 56 bit key. In fact, DES can be used even without being classified as a Mass Market Item.
  • CAST can be used as it uses a key between 40-128 bits (you'd have to use a key of 64 bits or less).
  • 3DES can't be used. The original cipher key of 3DES is 64 bit, but as I understand it has 3 keys... So I'm not sure that passes and you'd probably have to submit a request. Wikipedia says that its "designated by NIST to have only 80 bits of security", which makes me think that it can't be used.
  • RC4 I believe you can use this without submitting a request as long as the variable size key is 64 bits or less.

U. S. Bureau of Industry and Security - Encryption - May I self-classify my encryption item and export it WITHOUT encryption registration?

Disclaimer :: I'm not a laywer, this is my interpretation. I won't be liable.

You can use a symmetric key algorithm (like DES) with a 56 bit key (or less).

Additionally, Mass Market Products may use symmetric key algorithms with a 64 bit key (or less).

Bolded important sections.

Flow Chart 2 provides an overview of how to determine whether your product can be self-classified and exported without an encryption registration.

If you have a product that is controlled under Category 5, Part 2, certain products and transactions do not require any encryption registration, classification, or post-export reporting. This includes:

  • Products classified under 5x992, including:
    • Products with key lengths not exceeding 56 bits symmetric, 512 bits asymmetric and/or 112 bit elliptic curve.
    • Mass market products with key lengths not exceeding 64 bits symmetric, or if no symmetric algorithms, not exceeding 768 bits asymmetric and/or 128 bits elliptic curve.
    • Certain mass market products listed under 742.15(b)(4)
    • Products with limited cryptographic functionality as described in the Note to 5A002.
    • Products that use encryption for authentication only.
  • Certain 5x002 products/transactions, including:
    • Certain products/transactions are eligible for license exception ENC without any registration, classification, or reporting, including:
      • Exports and reexports to ‘private sector end-users’ as described in 740.17(a)(1);
      • Exports and reexports to a “U.S. Subisidary” as described in 740.17(a)(2).
      • Certain products listed under 740.17(b)(4):
    • Certain products that require only a notification before export:
      • “Publicly available” encryption software and source code under license exception TSU (740.13);
      • Beta Test software under license exception TMP (740.9).

In addition, if you are relying on the producer’s self-classification (pursuant to the producer’s encryption registration) or CCATS for an encryption item eligible for export or reexport under License Exception ENC or mass market, you are not required to submit an encryption registration, classification request or self-classification report. You are still required to comply with semi-annual sales reporting requirements under paragraph 740.17(e).