|
1.
Mass
Market, Retail and Non-Retail Strong Encryption
Products
|
Product
|
Encryption
Bit Length |
ECCN /
Type |
License
Exception |
End Use /
Restrictions |
License
Requirement |
Reporting
/ De Minimis |
|
Mass
Market Strong Encryption
Commodities
or Software
Note:
no open cryptographic interfaces
742.15(b)
|
Any key
length |
5A992
/
5D992
Mass
Market
|
NLR
|
Any end
user
Any end
use
30 day
review requirement
|
Cuba,
Iran, Iraq, Libya, North Korea, Sudan, and Syria
|
No
reporting requirements.
Eligible
for De Minimis. |
|
“Retail”
Commodities, Software, or Components (chips, ICs, some toolkits,
some SDKs, some software modules)
Note:
no open cryptographic interfaces
740.17(b)(3)
|
Any key
length |
/
|
|
Any end
user
Any end
use
|
Cuba,
Iran, Iraq, Libya, North Korea, Sudan, and Syria
|
Yes, if
greater than 64-bits unless one of the exemptions
applies.
Encryption
toolkits – include non-proprietary technical description of the
products for which the toolkit is being used.
Must
request De Minimis eligibility. |
|
Commodities,
Test and Production Equipment, Software, General Purpose Encryption
Toolkits, or Components
Note: no
open cryptographic interfaces
740.17(b)(2)
|
Any key
length |
5A002
/
5B002
/
5D002
Non-Retail
|
|
Any end
user except foreign
governments
|
Cuba,
Iran, Iraq, Libya, North Korea, Sudan, and Syria, and foreign
governments |
Yes, if
greater than 64-bits unless one of the exemptions
applies.
Encryption
toolkits – include non-proprietary technical description of the
products for which the toolkit is being
used.
Must
request De Minimis eligibility. |
|
Product
|
Encryption
Bit Length |
ECCN /
Type |
License
Exception |
End Use /
Restrictions |
License
Requirement |
Reporting
|
|
Commodities,
Test and Production Equipment, Software (including source code), or
Technology
Open
cryptographic interfaces are permitted in this entry
740.17(b)(1)
|
Any key
length |
/
5B002
/
/
5E002
Internal
use |
|
Exports to
U.S. Subsidiaries for Internal use, and
Deemed
exports to foreign nationals in the U.S. for internal use.
All items
developed are subject to the EAR.
May be
exported without review by BIS.
|
Cuba,
Iran, Iraq, Libya, North Korea, Sudan, and Syria, and foreign
governments |
No
reporting for US subs for internal company use or if 64-bits or
less |
|
Commodities,
Test and Production Equipment, Software, Technology, or Technical
Assistance
Open
cryptographic interfaces are permitted in this entry
740.17(a)
|
Any key
length |
5A002
/
5B002
/
5D002
/
5E002
EU and
Partners |
|
Any end
user
Any end
use
Eligible destinations include
the EU member countries and strategic trading partners
|
All other
countries |
Yes, if
greater than 64-bits unless one of the exemptions
applies.
Encryption
toolkits – include non-proprietary technical description of the
products for which the toolkit is being used.
|
|
Product
|
Encryption
Bit Length |
ECCN /
Type |
License
Exception |
End Use /
Restrictions |
License
Requirement |
Reporting
|
|
Non
Mass-Market
64-bit
Encryption with > 512-bit key exchange
Commodities,
Software, or Components
Note: no open cryptographic
interfaces
740.17(b)(3)(ii)
|
Ł 64-bits encryption and >
512-bits but Ł 1024-bits
for key exchange; 160 bits for elliptic curve
algorithms
|
/
64-bit
Retail |
|
Any end
user
Any end
use
No
self-classification |
Cuba,
Iran, Iraq, Libya, North Korea, Sudan, and Syria
|
No
|
|
Software
for Beta Testing
Note: no
open cryptographic interfaces
740.9(c)(3)
|
Any key
length |
Beta Test
SW |
|
Any end
user
Beta
Testing
Must
intend to market as mass-market software after Beta testing
Submit
technical information prior to export
Final
product must be reviewed and classified by BIS.
|
Cuba,
Iran, Iraq, Libya, North Korea, Sudan, and Syria
|
Yes,
report names and addresses.
Exception:
individual consumers |
|
Product
|
Encryption
Bit Length |
ECCN /
Type |
License
Exception |
End Use /
Restrictions |
License
Requirement |
Reporting
|
|
Mass-Market
Weak Encryption
Commodities,
Software, or Components
Note: no open cryptographic
interfaces
742.15(b)(1)
|
64 bits or
less encryption |
/
Mass-Market
Decontrolled
|
|
Any end
user
Any end
use
Exporters
may self-classify upon submission of technical information to
BIS. |
Cuba,
Iran, Iraq, Libya, North Korea, Sudan, and Syria
|
No
|
|
56-bits
encryption with 512-bits key exchange
Commodities,
Software, Components,
and Technology
742.15(b)(1)
|
56-bits or
less encryption and 512-bits or less for key exchange
|
/
/
Decontrolled
|
|
Any end
user
Any end
use
Exporters
may self-classify upon submission of technical information to
BIS. |
Cuba,
Iran, Iraq, Libya, North Korea, Sudan, and Syria
|
No
|
|
Commodities
/ Software – key management products
742.15(b)(1)
|
No
encryption with 512-bit or less key exchange
|
/
Decontrolled
|
|
Any end
user
Any end
use
Exporters
may self-classify upon submission of technical information to
BIS. |
Cuba,
Iran, Iraq, Libya, North Korea, Sudan, and Syria
|
No
|
|
Product
|
Encryption
Bit Length |
ECCN /
Type |
License
Exception |
End Use /
Restrictions |
License
Requirement |
Reporting
|
|
Open
cryptographic interfaces are permitted in this entry
740.13(e) |
Any key
length |
Open /
Community Source Code
Unrestricted
|
|
Must be
publicly available under 734.3(b)(3) and
Any end
user
Any end
use
Notification
to BIS |
Cuba,
Iran, Iraq, Libya, North Korea, Sudan, and Syria
|
No
reporting requirements, just simultaneous notification to BIS.
|
|
Product
|
Encryption
Bit Length |
ECCN /
Type |
License
Exception |
End Use /
Restrictions |
License
Requirement |
Reporting
|
|
Object
Code compiled from Open Source Code or Community Source Code
(Publicly
available, not subject to a fee or royalty, i.e., Freeware)
Note: open
cryptographic interfaces are permitted in this entry.
740.13(e)(2)
|
Any key
length |
Unrestricted
|
|
Any end
user
Any end
use
No fee or
payment permitted
|
Cuba,
Iran, Iraq, Libya, North Korea, Sudan, and Syria
|
No
reporting requirements. |
|
|
|
|
|
|
|
|
|
|
|
|
Product
|
Encryption
Bit Length |
ECCN /
Type |
License
Exception |
End Use /
Restrictions |
License
Requirement |
Reporting
|
|
Other
Source Code
Note: No
open cryptographic interfaces when compiled
740.17(b)(4)(ii)
|
Any key
length |
Proprietary
Source Code |
|
Any end
user, except foreign
governments
Any end
use
New
products developed in the U.S. are subject to the EAR.
Foreign
products developed by bundling or compiling of source code are not
subject to reporting requirements.
Notification
to BIS |
Cuba,
Iran, Iraq, Libya, North Korea, Sudan, and Syria, and foreign
governments |
Simultaneous
notification to BIS. Reporting requirements include a
non-proprietary description of the commercial product developed
using the source code. |
Mass
Market Products.
(a) Generally
available to the public by being sold, without restriction, from stock at
retail selling points by means of any of the following:
(1)
Over-the-counter
transactions;
(2) Mail order
transactions;
(3) Electronic
transactions; or
(4) Telephone
call transactions;
(b) The
cryptographic functionality cannot be easily changed by the user;
(c) Designed for
installation by the user without further substantial support by the
supplier; and
(d) When
necessary, details of the items are accessible and will be provided, upon
request, to the appropriate authority in the exporter’s country in order
to ascertain compliance with conditions described in paragraphs (a)
through (c) of this note.
Retail
Test.
(i) Generally
available to the public by means of any of the following:
(A)
Sold in tangible
form through retail outlets independent of the manufacturer;
(B)
Specifically
designed for individual consumer use and sold or transferred through
tangible or intangible means; or
(C)
Which are sold
or will be sold in large volume without restriction through mail order
transactions, electronic transactions, or telephone call transactions;
and
(ii) Meeting all
of the following:
(A)
The
cryptographic functionality cannot be easily changed by the user;
(B)
Substantial
support is not required for installation and use;
(C)
The
cryptographic functionality has not been modified or customized to
customer specification; and
(D) Are not network
infrastructure products such as high end routers or switches designed for
large volume communications.
Reporting
Exemptions.
In general, U.S.
exporters must file a biannual report including the name and address of
the recipient of every cryptographic product (and the end-user, if known)
unless one of the following exemptions applies:
(i) any
encryption to U.S. subsidiaries for internal company use;
(ii) Encryption
commodities or software with a symmetric key length not exceeding 64
bits;
(iii) Retail
products exported to individual consumers;
(iv) Encryption
items exported via free or anonymous download;
(v) Encryption
items from or to a U.S. bank, financial institution or their subsidiaries,
affiliates, customers or contractors for banking or financial
operations;
(vi) Items that
incorporate components limited to providing short-range wireless
encryption functions;
(vii) Retail
operating systems, or desktop applications (e.g. e-mail, browsers, games,
word processing, data base, financial applications or utilities) designed
for, bundled with, or pre-loaded on single CPU computers, laptops or
hand-held devices;
(vii) Client
Internet appliance and client wireless LAN cards;
or
(ix) Foreign
products developed by bundling or compiling of source code.
EU and
Partners.
Eligible destinations: Austria, Belgium, Denmark,
Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, Netherlands,
Portugal, Spain, Sweden, United Kingdom Australia, Czech Republic,
Hungary, Japan, New Zealand, Norway, Poland and Switzerland. These items may also be exported
or reexported to any destination for the internal use of foreign
subsidiaries or offices of firms, organizations and governments
headquartered in Canada or in the countries listed above.
Foreign
Governments.
For purposes of
the US Regulations, the definition of “government” is as
follows:
Government
End-user (as applied to encryption items). A government end-user is (a) any
foreign central, regional or local government department, agency, or other
entity performing governmental functions; including governmental research
institutions, governmental corporations or their separate business units
which are engaged in the manufacture or distribution of items or services
controlled on the Wassenaar Munitions List, and international
governmental organizations;
(b) this term
does not include the following public entities: utilities (including
telecommunications companies and Internet service providers); banks and
financial institutions; transportation; broadcast or entertainment;
educational organizations; civil health and medical organizations; retail
or wholesale firms; and manufacturing or industrial entities not engaged
in the manufacture or distribution of items or services controlled on the
Wassenaar Munitions List.
<-- Back to
previous page
|
