Technical Note:  Authentication and other uses of encryption that are not controlled

Category 5, Part 2 of the Commerce Control List covers items designed or modified to use cryptography that employ digital techniques and perform any cryptographic function other than authentication, digital signature, or execution of copy-protected software (including their associated key management function).

The use of encryption limited to authentication, as described, results in a classification of the product NOT in Cat. 5, Part 2. In that case, you should review other Categories on the CCL (e.g., Cat. 4 or Cat. 5, Part 1).  If it is not described in any other Category then it can be classified as EAR99.

Authentication includes verifying the identity of user, process or device, often as a prerequisite to allowing access to resources in an information system. This includes verifying the origin or content of a message or other information, and all aspects of access control where there is no encryption of files or text except as directly related to the protection of passwords, Personal Identification Numbers (PINs) or similar data to prevent unauthorized access.

Digital signature, data integrity and non-repudiation functions are also not covered by Cat. 5, Part 2. These are means for providing proof of the integrity and origin of data.  

Execution of copy protected software can also encompass Digital Rights Management (DRM); encryption that is used to verify the customer for use of software.

© BIS 2020