
PREPARED FOR ATTENDEES OF THE ECTI ENCRYPTION CLASSIFICATION ADVANCED WEBINAR

DECEMBER 6, 2017

Encryption Classification Advanced Webinar Exercises


For each exercise, your goal is to come up with the correct ECCN and licensing authority (e.g.,
NLR, ENC, License). The exercises highlighted in yellow cover scenarios put forth by webinar
attendees. There are six exercises and one extra credit exercise.

You may use the Encryption Survey for Export Classification to the extent possible given the
information provided. If a portion of the survey does not apply, you can indicate this. You can
also add questions to the survey if you think that would be helpful. You will need to use the
EAR and Commerce Control List including, but not limited to Category 5 Part II, Section 740.17,
742.15, Supplement 6 to Part 742.

During the webinar, we will refer to the Encryption Survey when each exercise is discussed.

Color key:

Use information
Sales information
Technical information

Exercise #1 – MOBILE APPLICATION

WALKIE‐TALKIE COMPANY makes a software application for smart phones which turns a smart
phone into a secure walkie‐talkie. The software application is made available for 1.99 on the
iTunes Store and the Google Play store. The software application gets downloaded by users,
and each user has to get a user id and password in order to use the app.

The app actually connects to the WALKIE TALKIE COMPANY servers using Secure Socket Layer
encryption and this is how the walkie‐talkie service works (each walkie‐talkie session is
encrypted end‐to‐end using SSL, which the company has obtained from OpenSSL.org). WALKIE
TALKIE COMPANY does not sell the server side software at this point but may consider
outsourcing the development of the next generation of the software to a start‐up company in
China that is funded by the Chinese Ministry of Telecommunications. If WALKIE TALKIE
COMPANY decides to do this they will have to send the server source code for the product and
related information regarding how the information security features in the server work.

• What is the ECCN for the app and what is the licensing authority?

The ECCN for the app is 5D992 and it can be shipped NLR to all destinations except embargo*

Classification Challenge:
• What is the ECCN/licensing authority for the server side software? The server side
software is 5D002 ‐‐ ENC (B)(1)
• What are the ECCNs/licensing authorities for the source code and technical data?
5D002 – ENC (B)(2), 5E002

Exercise #2 – HEARING AID SYSTEM

HEARING COMPANY makes a hearing aid system. The hearing aid system has two parts, one
that goes in the ear and a transmitter that is held or worn around the neck. The hearing‐aid
uses state‐of‐the‐art 128‐bit digital encryption technology to encrypt all data between the
hearing aid and the hand‐held transmitter including conversations. The hearing‐aid is made
available to consumers from their doctors or a 1‐800 number. The hearing aid can also be
controlled by an app that is given away for free from HEARING COMPANY’S website. The app
uses Bluetooth encryption to connect to the hearing aid device, and can also be configured to
work with other Bluetooth devices, like speakers or Apple TV’s.

CHIPCO makes a chip that is specially designed for the hearing‐aid system. The encryption
functionality comes from the chip and is based on open source encryption algorithms.
HEARING COMPANY is the only customer for the chip that CHIPCO makes.

What is the ECCN/licensing authority for the hearing‐aid? EAR99/NLR

Reference: 770.2 (m) Interpretation 13 commodities and software specially designed for medical
end use that incorporate an item in Category 5 ‐ Part 2 are not controlled in Category 5 ‐ Part 2. See
paragraph (a) of Supplement No. 3 to part 774 (Statements of Understanding) of the EAR.

Also see SUPPLEMENT NO. 3 TO PART 774 – STATEMENTS OF UNDERSTANDING


(a) Statement of Understanding ‐ medical equipment.

What is the ECCN/licensing authority for the chip? EAR99/NLR


Classification Challenge:
What is the ECCN/licensing authority for the HEARING COMPANY’s app? 5D992/NLR because
it’s a general‐purpose interface

Exercise #3 – SOFTWARE USED IN OIL AND GAS DRILLING

DRILLINGCO makes a software application for use while drilling which collects data (readings
from Wells and Equipment) in the field and sends it to the home office for automatic loading
into a shared production database. The software is designed to use Windows Communication
bindings to control how the data is secured in transmission between the client and the server.
The code uses a configuration file on the server side to specify the security level. Currently it's
set to use no security. However, if one word in the configuration file is changed from "None" to
"Transport" the product switches to using SSL/TLS to secure communications. The configuration
file is an unsecured text file distributed as part of the software product. The software product
doesn't provide a front end (user interface, API, etc.) for modifying the security setting.

What is the ECCN/licensing authority for this software?

EAR99 – because encryption is not the primary purpose, so it’s not in Cat 5 Part II. Reference
website guidance.

Red herring: cryptographic activation



Exercise #4 – NETWORK OPERATIONS CENTER SOFTWARE

NOCCORP makes software designed to manage large datacenter operations. The software
features automated monitoring which allows network admins to view resources across an
entire network, using a single console. Whether configuring a workstation or patching software,
systems administrators can troubleshoot multiple networks’ resources. The software uses
encrypted tunnels (SSH or Secure Shell) to access all network resources. The network
resources can include computers, routers, and switches. The encryption in the NOCCORP software
is used for Operations, Administration and Management only.

NOCCORP is in the process of releasing a new version of this software, NOCCORP v.2. A new
feature of this software is that it can detect efforts to penetrate the network by hackers, as well
as conduct advanced network vulnerability analysis and digital forensics.

What is the ECCN/licensing authority for the NOCCORP software? 5D002.c.1, could argue
EAR99 due to OAM functionality but I would submit for a CCATS. ENC 740.17(B)(1) or NLR if
EAR99

What is the ECCN/licensing authority for the NOCCORP v.2 software? Would likely shift
classification to 5D002.c.1 because of primary function (5A002.a.1 or 5A002.a.2), could be ENC
740.17(B)(3) because of vulnerability analysis and digital forensics.

Exercise #5 – AVIONICS SERVER

AIRCRAFT ELECTRIC COMPANY makes an avionics server used on board a commercial aircraft
that compiles and stores information received from the aircraft such as navigation data, charts,
maps, weather information, aircraft logs, and documents. The server wirelessly sends such
information to certified displays or tablets in the aircraft cockpit to be viewed by the aircraft
operator. The server also allows for limited secured web‐browsing to pre‐approved websites
for the purposes of gathering data. The server is not marketed to the public and the hardware
is not made publicly available as it is sold only to aircraft manufacturers and operators. All
hardware is manufactured within the United States. The server uses encryption to perform
authentication, digital signature, data rights management, and it decrypts information received
by the server. The server uses an open source operating system (e.g., LINUX) and data transfers
and the wireless signal are encrypted using an open source Secure Socket Layer supporting a bit
length of 256‐bits and a WPA2 for wireless connection. The open source encryption software is
unmodified when incorporated into the server.

What is the ECCN/licensing authority for the avionics server? Could argue that this is not in
Cat 5 Part II (website guidance that references aviation), need to make sure it's not in Cat. 7.
Uses of encryption seem to be covered by decontrol note, but would need to drill down on
the wireless connectivity mentioned toward the end.

Red herring: open source encryption

Would the analysis change if instead of using the open source operating system with an open
source Secure Socket Layer and WPA2 as previously described, the server used a mass market
operating system (e.g., WINDOWS) even though the hardware itself is not mass market?
No, not really.

EXERCISE #6 ‐‐ SEMICONDUCTOR MANUFACTURING EQUIPMENT

SEMICO makes equipment for the manufacture of semiconductors. SEMICO makes a Metal
Organic Chemical Vapor Deposition (MOCVD) reactor designed for compound semiconductor
epitaxial growth of material containing aluminum, gallium, indium, arsenic, phosphorus,
antimony, or nitrogen. The reactor’s control panel, which is built into the machine, contains
software which uses 256‐bit AES encryption to encrypt configuration data so that the reactor’s
settings can’t be tampered with. The reactor’s control panel can also be accessed remotely by
the factory’s network administrators over an encrypted channel to allow them to check
whether the machine is on‐line.

What ECCN/Licensing Authority would be used for the SEMICO reactor? 3B001

Extra Credit

Exercise # 7 Quantum Key Distribution

“As a quick summary, a colleague and I are considering starting a company that sells quantum
key distribution systems. Some of our customers will be in China (banks and potentially their
government) and we're wanting to verify the legality of doing this sort of thing before we
continue with our business planning. My research has indicated that quantum key distribution
systems are classified as "5A002" (mass market) and that it's not hard to obtain an ECN for
these.”

Is there any chance you know about the classification of quantum cryptography items?
