To be controlled in 5A002.a, an item must have “information security” as a primary function; be digital communications or networking systems; or be computers or other items having information storage or processing as a primary function. Below we further describe what types of products are covered under 5A002.a.1-a.4.


5A002 a.4 also controls items if the cryptography supports a non-primary function of the item AND the cryptographic functionality is performed by incorporated equipment or software that would as a standalone item be specified by Cat. 5 Part 2.

Examples: (a) An automobile where the only ‘cryptography for data confidentiality’ ‘in excess of 56 bits of symmetric key length, or equivalent’ is performed by a Category 5 – Part 2 Note 3 eligible mobile telephone that is built into the car. In this case, secure phone communications support a non-primary function of the automobile but the mobile telephone (equipment), as a standalone item, is not controlled by ECCN 5A002 because it is excluded by the Cryptography Note (Note 3) (See ECCN 5A992.c). (b) An exercise bike with an embedded Category 5 – Part 2 Note 3 eligible web browser, where the only controlled cryptography is performed by the web browser. In this case, secure web browsing supports a non-primary function of the exercise bike but the web browser (“software”), as a standalone item, is not controlled by ECCN 5D002 because it is excluded by the Cryptography Note (Note 3) (See ECCN 5D992.c).

Examples of reviewing an item in 5A002 a.1- a.4

Example 1: The vending machine

  • In this example a vending machine can send encrypted communications in order to report that it has run out of soda. The main purpose of this item is to sell drinks, and the cryptographic functionality is there purely to enable it to fulfill this main purpose more efficiently. Such an item would be considered outside of 5A002 a.1 – a.4.
  • In this case the primary function is the obvious or main purpose of the item. It can also be thought of as the function which is not there to support other functions.
  • In this analysis you would look at the main purpose that the vending machine would be used for. The vending machine is not mainly for “information security”, digital communications or networking, and/or computing; and the cryptographic functionality of the item is just to support the main purpose of vending sodas, so the item would not be in Cat. 5, Part 2, 5A002 a.1 - a.4.

Example 2: The learning laptop

  • A child’s laptop that accesses the internet securely, and only to a specified site for literacy-based learning, would be considered outside of 5A002 a.1- a.4. Its primary function is specific to literacy training and would not be considered a computing item like a general purpose laptop would. A general purpose computer that implements cryptography, such as a laptop or desktop computer, would be in Cat. 5, Part 2 because its main function is to provide general purpose computing.
  • A general purpose laptop or desktop computer may be used in multiple applications and provides a general set of features, whereas the learning laptop is an application-specific item specifically designed with a set of functions targeted to a certain end use (literacy training). The cryptography is limited to secure communication for supporting literacy-based learning.

Example 3: Wireless Chip

  • Another example is a communications chip that implements cryptography for secure Wi-Fi connections within a cell phone. This item would be in Cat. 5, Part 2 because it is a general purpose communications chip. However, a chip designed for a utility meter with features that allow it to wirelessly interface securely only with specific utility meter readers could be outside of Cat. 5, Part 2, 5A002 a.1- a.4 because it provides specific communication between a meter and reader.

Example 4: The App

  • Yet another example could be an app on a phone used for chatting or instant messaging using text, images and video. An app such as this would be in Cat. 5, Part 2 because it provides communications. However, an app designed for your local car shop to securely communicate between you and your mechanic about the status of your vehicle repair or maintenance would be considered outside of Cat. 5, Part 2, 5A002 a.1 – a.4. The app is using communications only in the context of vehicle repair.

Some Examples of items that are not Cat. 5, Part 2, 5A002 a.1-a.4


Decontrol notes: Items or specially designed components are not classified in Cat. 5 Part 2 if encryption is limited to any of the following:

(a) Smart cards and smart card ‘readers/writers’ as follows:

a.1. A smart card or an electronically readable personal document (e.g., token coin, e-passport) that meets any of the following:

a.1.a. The cryptographic capability meets all of the following:

    a.1.a.1. It is restricted for use in any of the following:

        a.1.a.1.a. Equipment or systems, not described by 5A002.a.1 to a.4;

        a.1.a.1.b. Equipment or systems, not using ‘cryptography for data confidentiality’ having ‘in excess of 56 bits of symmetric key length, or equivalent’; or

        a.1.a.1.c. Equipment or systems, excluded from 5A002.a by entries b. to f. of this Note; and

    a.1.a.2. It cannot be reprogrammed for any other use; or

a.1.b. Having all of the following:

    a.1.b.1. It is specially designed and limited to allow protection of ‘personal data’ stored within;

    a.1.b.2. Has been, or can only be, personalized for public or commercial transactions or individual identification; and

    a.1.b.3. Where the cryptographic capability is not user-accessible;

Technical Note to paragraph a.1.b of Note 2: ‘Personal data’ includes any data specific to a particular person or entity, such as the amount of money stored and data necessary for “authentication.”

a.2. ‘Readers/writers’ specially designed or modified, and limited, for items specified by paragraph a.1 of this Note;

Technical Note to paragraph a.2 of Note 2: ‘Readers/writers’ include equipment that communicates with smart cards or electronically readable documents through a network.


(b) Cryptographic equipment specially designed and limited for banking use or ‘money transactions’;

Technical Note: ‘Money transactions’ in 5A002 Note (b) includes the collection and settlement of fares or credit functions.


(c) Portable or mobile radiotelephones for civil use (e.g., for use with commercial civil cellular radio communication systems) that are not capable of transmitting encrypted data directly to another radiotelephone or equipment (other than Radio Access Network (RAN) equipment), nor of passing encrypted data through RAN equipment (e.g., Radio Network Controller (RNC) or Base Station Controller (BSC));


(d) Cordless telephone equipment not capable of end-to-end encryption where the maximum effective range of unboosted cordless operation (i.e., a single, unrelayed hop between terminal and home base station) is less than 400 meters according to the manufacturer’s specifications;


(e) Portable or mobile radiotelephones and similar client wireless devices for civil use, that implement only published or commercial cryptographic standards (except for anti-piracy functions, which may be non-published) and also meet the provisions of paragraphs a.2 to a.4 of the Cryptography Note (Note 3 in Category 5 – Part 2), that have been customized for a specific civil industry application with features that do not affect the cryptographic functionality of these original non-customized devices;


(f) Items, where the “information security” functionality is limited to wireless “personal area network” functionality, meeting all of the following:

    f.1. Implement only published or commercial cryptographic standards; and

    f.2. The cryptographic capability is limited to a nominal operating range not exceeding 30 meters according to the manufacturer’s specifications, or not exceeding 100 meters according to the manufacturer’s specifications for equipment that cannot interconnect with more than seven devices;

Personal area network. (Cat 5 Part 2) – A data communication system having all of the following characteristics:

(a) Allows an arbitrary number of independent or interconnected ‘data devices’ to communicate directly with each other; and

(b) Is confined to the communication between devices within the immediate vicinity of an individual person or device controller (e.g., single room, office, or automobile, and their nearby surrounding spaces).

Technical Note: ‘Data device’ means equipment capable of transmitting or receiving sequences of digital information.


(g) Mobile telecommunications Radio Access Network (RAN) equipment designed for civil use, which also meet the provisions of paragraphs a.2 to a.4 of the Cryptography Note (Note 3 in Category 5 – Part 2), having an RF output power limited to 0.1W (20 dBm) or less, and supporting 16 or fewer concurrent users;


(h) Routers, switches or relays, where the “information security” functionality is limited to tasks of “Operations, Administration or Maintenance” (“OAM”) implementing only published or commercial cryptographic standards;

(Software limited to the tasks of OAM is also not in Cat. 5 Part 2; see the Note under 5D002.c.)

“Operations, Administration or Maintenance” (“OAM”) (Cat 5P2) means performing one or more of the following tasks:

a. Establishing or managing any of the following:

    1. Accounts or privileges of users or administrators;

    2. Settings of an item; or

    3. Authentication data in support of the tasks described in paragraphs a.1 or a.2;

b. Monitoring or managing the operating condition or performance of an item; or

c. Managing logs or audit data in support of any of the tasks described in paragraphs a. or b.

Note: “OAM” does not include any of the following tasks or their associated key management functions:

a. Provisioning or upgrading any cryptographic functionality that is not directly related to establishing or managing authentication data in support of the tasks described in paragraphs a.1 or a.2 above; or

b. Performing any cryptographic functionality on the forwarding or data plane of an item.

See also FAQ #9

(i) General purpose computing equipment or servers, where the “information security” functionality meets all of the following:

    1. Uses only published or commercial cryptographic standards; and

    2. Is any of the following:

        a. Integral to a CPU that meets the provisions of Note 3 in Category 5 – Part 2;

        b. Integral to an operating system that is not specified by 5D002; or

        c. Limited to “OAM” of the equipment.


See FAQ #13

The chart above outlines the decontrol text found in the Commerce Control List under the entry for 5A002.a. For some entries the chart includes a right-hand column with corresponding definitions from Part 772 of the EAR and/or additional points to note.

If the encryption is limited to that described above in the table, then 5A002.a does not apply. In that case you should review other entries in Category 5 Part 2 and other Categories on the CCL (e.g., Cat. 4 or Cat. 5, Part 1). If the item is not described in any other Category, then it can be classified as EAR99.


≤ 56 symmetric, ≤ 512 asymmetric, and ≤ 112 bit elliptic curve

Category 5 Part 2 includes certain key length thresholds for cryptography. Specifically, 5A002.a says “in excess of 56 bits of symmetric key length, or equivalent”. This term is further defined in Technical Note 1 under 5A002.a and it means the following:

A “symmetric algorithm” employing a key length in excess of 56 bits is controlled in Category 5, Part 2. Therefore, items with a key length of 56 bits or less are not in 5A002.a. Note that parity bits do not count towards the key length. Symmetric algorithms use an identical key for both encryption and decryption.

Asymmetric algorithms use different, mathematically related keys for encryption and decryption.
An “asymmetric algorithm” is controlled in Category 5 Part 2 if the security of the algorithm is based on any of the following:

- Factorisation of integers in excess of 512 bits (e.g., RSA);

- Computation of discrete logarithms in a multiplicative group of a finite field of size greater than 512 bits (e.g., Diffie-Hellman over Z/pZ); or

- Discrete logarithms in a group other than mentioned in paragraph b.2. in excess of 112 bits (e.g., Diffie-Hellman over an elliptic curve).

Therefore, items with a key length ≤ 56 bits symmetric, ≤ 512 bits asymmetric, and ≤ 112 bits elliptic curve are not classified in 5A002.a. In that case, you should review other entries in Category 5 Part 2 and other Categories on the CCL (e.g., Cat. 4 or Cat. 5, Part 1). If it is not described in any other Category, then it can be classified as EAR99.



Technical Note: Authentication and other uses of encryption that are not controlled


Category 5, Part 2 of the Commerce Control List covers items designed or modified to use cryptography that employ digital techniques and perform any cryptographic function other than authentication, digital signature, or execution of copy-protected software (including their associated key management function).


The use of encryption limited to authentication, as described, results in a classification of the product NOT in Cat. 5, Part 2. In that case, you should review other Categories on the CCL (e.g., Cat. 4 or Cat. 5, Part 1).  If it is not described in any other Category then it can be classified as EAR99.


Authentication includes verifying the identity of a user, process or device, often as a prerequisite to allowing access to resources in an information system. This includes verifying the origin or content of a message or other information, and all aspects of access control where there is no encryption of files or text except as directly related to the protection of passwords, Personal Identification Numbers (PINs) or similar data to prevent unauthorized access.


Digital signature, data integrity and non-repudiation functions are also not covered by Cat. 5, Part 2. These are means for providing proof of the integrity and origin of data.


Execution of copy-protected software can also encompass Digital Rights Management (DRM), i.e., encryption that is used to verify the customer for use of software.

© BIS 2020