Wassenaar Arrangement 1998

-------

On the 50th anniversary of the signing of the Universal Declaration of Human Rights in December 1998, 33 nations, including Australia, bowed to US demands to restrict the export of cryptography software, tools which are often used by human rights organisations such as Amnesty to inform the world of atrocities committed by repressive governments.

The Wassenaar Arrangement, which was originally established in 1996 to control the export of strategic military weapons, has now extended its scope to include mass market encryption tools, in a move that has been greeted with widespread disapproval.

The main changes in respect of cryptography are:

Public domain software remains outside the control list. This would seem to exclude at least the freeware version of PGP. The term "public domain" is defined in the lists (see the General Software Note in the extract below). The full control list is available on the Wassenaar Arrangement website. EFA has compiled the following extract of the changes related to cryptography controls.

Wassenaar Arrangement 1998
-------------------------

General Software Note

The Lists do not control "software" which is either:
   1.   Generally available to the public by being:
        a.  Sold from stock at retail selling points without restriction, 
            by means of:
            1.   Over-the-counter transactions;
            2.   Mail order transactions; or
            3.   Telephone call transactions; and
        b.  Designed for installation by the user without further 
            substantial support by the supplier; or

N.B.    Entry 1 of the General Software Note does not release "software" 
        controlled by Category 5 - Part 2.

   2.   "In the public domain".

"In the public domain" means "technology" or "software" which has been 
made available without restrictions upon its further dissemination.
N.B.    Copyright restrictions do not remove "technology" or "software" 
from being "in the public domain".

Part 2 - "INFORMATION SECURITY"

Note 1  The control status of "information security" equipment, "software", 
        systems, application specific "electronic assemblies", modules, 
        integrated circuits, components or functions is determined in 
        Category 5, Part 2 even if they are components or "electronic 
        assemblies" of other equipment.

Note 2  Category 5 - Part 2 does not control products when accompanying 
        their user for the user's personal use.

Note 3  Cryptography Note

5.A.2. and 5.D.2. do not control items that meet all of the following:
   a.   Generally available to the public by being sold, without 
        restriction, from stock at retail selling points by means of 
        any of the following:
        1.   Over-the-counter transactions;
        2.   Mail order transactions;
        3.   Electronic transactions; or
        4.   Telephone call transactions;
   b.   The cryptographic functionality cannot easily be changed by 
        the user;
   c.   Designed for installation by the user without further 
        substantial support by the supplier;
   d.   Does not contain a "symmetric algorithm" employing a key 
        length exceeding 64 bits; and  
   e.   When necessary, details of the items are accessible and will 
        be provided, upon request, to the appropriate authority in 
        the exporter's country in order to ascertain compliance with 
        conditions described in paragraphs a. to d. above.

5.A.2.  SYSTEMS, EQUIPMENT AND COMPONENTS

        a.   Systems, equipment, application specific "electronic 
             assemblies", modules and integrated circuits for 
             "information security", as follows, and other specially 
             designed components therefor:
        N.B.    For the control of global navigation satellite systems 
                receiving equipment containing or employing decryption 
                (i.e. GPS or GLONASS), see 7.A.5.

5.A.2.a.1.  Designed or modified to use "cryptography" 
            employing digital techniques performing any 
            cryptographic function other than authentication 
            or digital signature having any of the following:

Technical Notes
1.      Authentication and digital signature functions include their 
        associated key management function.
2.      Authentication includes all aspects of access control where 
        there is no encryption of files or text except as directly 
        related to the protection of passwords, Personal Identification 
        Numbers (PINs) or similar data to prevent unauthorised access.
3.      "Cryptography" does not include "fixed" data compression or 
        coding techniques.

Note    5.A.2.a.1. includes equipment designed or modified to use 
        "cryptography" employing analogue principles when implemented 
        with digital techniques.

5.A.2.a.1.
        a.  A "symmetric algorithm" employing a key length in excess 
            of 56 bits; or
        b.  An "asymmetric algorithm" where the security of the 
            algorithm is based on any of the following:
            1.  Factorisation of integers in excess of 512 bits (e.g., RSA);
            2.  Computation of discrete logarithms in a multiplicative 
                group of a finite field of size greater than 512 bits 
                (e.g., Diffie-Hellman over Z/pZ); or
            3.  Discrete logarithms in a group other than mentioned in 
                5.A.2.a.1.b.2. in excess of 112 bits (e.g., Diffie-Hellman 
                over an elliptic curve);

        2. Designed or modified to perform cryptanalytic functions; 

        3. Deleted;

        4. Specially designed or modified to reduce the compromising 
           emanations of information-bearing signals beyond what is 
           necessary for health, safety or electromagnetic interference 
           standards;

        5. Designed or modified to use cryptographic techniques to 
           generate the spreading code for "spread spectrum" or the 
           hopping code for "frequency agility" systems;

        6. Designed or modified to provide certified or certifiable 
           "multilevel security" or user isolation at a level exceeding 
           Class B2 of the Trusted Computer System Evaluation Criteria 
           (TCSEC) or equivalent;

        7. Communications cable systems designed or modified using 
           mechanical, electrical or electronic means to detect 
           surreptitious intrusion.
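To make the interaction between the entries above concrete, here is an added example (it is not part of the EFA page or of the Wassenaar text): a small Python classifier that encodes, literally as the extract states them, the key-length thresholds of 5.A.2.a.1 (symmetric above 56 bits; factorisation or finite-field discrete logarithm above 512 bits; other-group discrete logarithm above 112 bits), the five conditions a. to e. of the Cryptography Note, and the public-domain release of entry 2 of the General Software Note. It deliberately does not use entry 1 of the General Software Note (retail availability) to release anything, because the N.B. under that note says entry 1 does not release Category 5 Part 2 items; for such items the mass-market release has to come from the Cryptography Note instead. The `Item` record and the sample products are constructed for illustration; the field names are my own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Thresholds quoted from 5.A.2.a.1.a and 5.A.2.a.1.b.1-3 of the extract.
SYMMETRIC_CONTROL_BITS = 56
FACTORISATION_CONTROL_BITS = 512
FIELD_DLOG_CONTROL_BITS = 512
OTHER_GROUP_DLOG_CONTROL_BITS = 112
# Ceiling from condition d. of the Cryptography Note (Note 3).
NOTE_SYMMETRIC_CEILING_BITS = 64


@dataclass
class Item:
    """Constructed (hypothetical) description of a product's cryptographic properties."""
    name: str
    symmetric_key_bits: int = 0          # 0 = no "symmetric algorithm" present
    factorisation_bits: int = 0          # e.g. RSA modulus size (5.A.2.a.1.b.1)
    field_dlog_bits: int = 0             # e.g. DH over Z/pZ, field size (5.A.2.a.1.b.2)
    other_group_dlog_bits: int = 0       # e.g. elliptic-curve group size (5.A.2.a.1.b.3)
    only_authentication_or_signature: bool = False  # carve-out in the 5.A.2.a.1 lead text
    in_public_domain: bool = False       # General Software Note, entry 2
    # Cryptography Note conditions a., b., c. and e.; d. is the key-length test above.
    sold_retail_without_restriction: bool = False
    functionality_user_changeable: bool = True
    user_installable: bool = False
    details_available_to_authority: bool = False


def within_5_a_2_a_1(item: Item) -> Optional[str]:
    """Return the first sub-entry that catches the item, or None if 5.A.2.a.1 does not apply."""
    if item.only_authentication_or_signature:
        # 5.A.2.a.1 covers functions *other than* authentication or digital signature.
        return None
    if item.symmetric_key_bits > SYMMETRIC_CONTROL_BITS:
        return "5.A.2.a.1.a"
    if item.factorisation_bits > FACTORISATION_CONTROL_BITS:
        return "5.A.2.a.1.b.1"
    if item.field_dlog_bits > FIELD_DLOG_CONTROL_BITS:
        return "5.A.2.a.1.b.2"
    if item.other_group_dlog_bits > OTHER_GROUP_DLOG_CONTROL_BITS:
        return "5.A.2.a.1.b.3"
    return None


def cryptography_note_releases(item: Item) -> bool:
    """True only when *all* of conditions a. to e. of the Cryptography Note hold."""
    return (
        item.sold_retail_without_restriction                        # a.
        and not item.functionality_user_changeable                  # b.
        and item.user_installable                                   # c.
        and item.symmetric_key_bits <= NOTE_SYMMETRIC_CEILING_BITS  # d.
        and item.details_available_to_authority                     # e.
    )


def classify(item: Item) -> str:
    """Apply the extract's rules in order and describe the resulting control status."""
    if item.in_public_domain:
        # Entry 2 of the General Software Note; the N.B. only limits entry 1.
        return "outside the Lists (General Software Note, entry 2)"
    entry = within_5_a_2_a_1(item)
    if entry is None:
        return "outside 5.A.2.a.1"
    if cryptography_note_releases(item):
        return f"within {entry} but released by the Cryptography Note"
    return f"controlled under {entry}"


# Constructed sample products; none describes a real product.
SAMPLE_ITEMS: List[Item] = [
    Item("retail mail encryptor, 168-bit symmetric, 1024-bit RSA",
         symmetric_key_bits=168, factorisation_bits=1024,
         sold_retail_without_restriction=True, functionality_user_changeable=False,
         user_installable=True, details_available_to_authority=True),
    Item("retail product with fixed 64-bit symmetric cipher",
         symmetric_key_bits=64,
         sold_retail_without_restriction=True, functionality_user_changeable=False,
         user_installable=True, details_available_to_authority=True),
    Item("signature-only token, 1024-bit RSA",
         factorisation_bits=1024, only_authentication_or_signature=True),
    Item("40-bit export browser build with 512-bit RSA",
         symmetric_key_bits=40, factorisation_bits=512),
    Item("elliptic-curve key agreement library, 160-bit group, not sold retail",
         other_group_dlog_bits=160),
    Item("freeware released without restriction on dissemination, 128-bit cipher",
         symmetric_key_bits=128, in_public_domain=True),
]


def classify_all(items: List[Item] = SAMPLE_ITEMS) -> Dict[str, str]:
    """Map each sample product's name to its classification."""
    return {item.name: classify(item) for item in items}


if __name__ == "__main__":
    for name, status in classify_all().items():
        print(f"{name}: {status}")
```

The second sample is the instructive one: a 64-bit symmetric cipher is above the 56-bit line of 5.A.2.a.1.a, so the product is within the entry, yet the Cryptography Note releases it because 64 bits does not exceed the note's own 64-bit ceiling and the other four conditions hold. Condition d. mentions only symmetric key length, so the checker, like the extract, places no ceiling on the asymmetric sizes of a product that otherwise qualifies.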

Note    5.A.2. does not control:

        a.  "Personalised smart cards" where the cryptographic 
             capability is restricted for use in equipment or systems 
             excluded from control under entries b. to f. of this Note;
             N.B. If a "personalised smart card" has multiple functions, 
             the control status of each function is assessed individually.

        b.   Receiving equipment for radio broadcast, pay television or 
             similar restricted audience television of the consumer type, 
             without digital encryption except that exclusively used for 
             sending the billing or programme-related information back to 
             the broadcast providers;

        c.   Equipment where the cryptographic capability is not 
             user-accessible and which is specially designed and limited 
             to allow any of the following:
             1.  Execution of copy-protected software;
             2.  Access to any of the following:
                 a.  Copy-protected read-only media; or
                 b.  Information stored in encrypted form on media 
                     (e.g. in connection with the protection of 
                     intellectual property rights) when the media is 
                     offered for sale in identical sets to the public; or
             3.  One-time copying of copyright protected audio/video data.

        d.   Cryptographic equipment specially designed and limited for 
             banking use or money transactions;

             Technical Note
             'Money transactions' in 5.A.2. Note d. includes the collection 
             and settlement of fares or credit functions.