
ios - When should you check the "This Application Uses Encryption" box?

Reposted. Author: IT王子. Updated: 2023-10-29 08:09:04

When submitting or updating an app, one of the questions you are faced with is:

Have you added or made changes to encryption features since you last uploaded a binary for this product?


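My question is: if I use the encryption library you get from <CommonCrypto/CommonCryptor.h>, do I have to tick "Yes" for that question?

I have a file that I want to encrypt using CommonCrypto, send to the iPhone, and decrypt on the iPhone. Talking with colleagues, I have gotten different responses. Some think that since it is an included framework, it is fair game; others think you have to get government approval.

CommonCrypto seems to support (at most) AES 128-bit encryption with the ECB cipher mode. So that is what I plan to use.

Side note: I plan to use the NSData+CommonCrypto category from AlanQuatermain / aqtoolkit on GitHub. It is just a wrapper around CommonCrypto, nothing more.

Related: do you have to tick YES if you use HTTPS (SSL)? See iPhone Encryption Export Compliance for Apps making HTTPS (TLS) Connections - Continued. I don't need an HTTPS connection, but this still surprised me...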

Best answer

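I believe I found the answer I was looking for.

Disclaimer - I am not a lawyer (just like you), and I will not be responsible for this answer, but I think my findings can/will benefit the community.

Does my app qualify as a mass market item?

Short answer - I believe all Apple apps would be considered mass market products, but it is hard to be sure. However, it seems that even non-mass-market items can use symmetric key algorithms with keys of 56 bits or less (as you will read further below). Note that DES is a symmetric key algorithm that uses a 56-bit key.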

Cryptography Note (Note 3) of Category 5, Part 2 (“Information Security”), of the Commerce Control List

Note 3: Cryptography Note: ECCNs 5A002 and 5D002 do not control items that meet all of the following:

a. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:

  1. Over-the-counter transactions;
  2. Mail order transactions;
  3. Electronic transactions; or
  4. Telephone call transactions;

b. The cryptographic functionality cannot be easily changed by the user;

c. Designed for installation by the user without further substantial support by the supplier; and

d. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with conditions described in paragraphs (a) through (c) of this note

OK... if it is a mass market item, what are the restrictions?

You must submit a classification request to the government if (see bold):

N.B. to Note 3 (Cryptography Note): You must submit a classification request or encryption registration to BIS for mass market encryption commodities and software eligible for the Cryptography Note employing a key length greater than 64 bits for the symmetric algorithm (or, for commodities and software not implementing any symmetric algorithms, employing a key length greater than 768 bits for asymmetric algorithms or greater than 128 bits for elliptic curve algorithms) in accordance with the requirements of § 742.15(b) of the EAR in order to be released from the “EI” and “NS” controls of ECCN 5A002 or 5D002.

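So, based on this, what can and can't I use?

Disclaimer: this is my interpretation of the above - I am not a lawyer.

  • AES 128 cannot be used unless you submit a request, because it uses a 128-bit key.
  • DES can be used because it uses a 56-bit key. In fact, DES can be used even without being classified as a mass market item.
  • CAST can be used because it uses keys between 40 and 128 bits (you must use a key of 64 bits or less).
  • 3DES cannot be used. The original cipher key for 3DES is 64 bits, but as I understand it there are 3 keys... so I am not sure whether it passes, and you may have to submit a request. Wikipedia says it is "designated by NIST to have only 80 bits of security", which makes me think it cannot be used.
  • RC4: I believe you can use it without submitting a request as long as the variable-size key is 64 bits or less.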

U. S. Bureau of Industry and Security - Encryption - May I self-classify my encryption item and export it WITHOUT encryption registration?

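Disclaimer: I am not a lawyer; this is my interpretation. I will not be held responsible.

You can use symmetric key algorithms with keys of 56 bits (or less), such as DES.

In addition, mass market products can use symmetric key algorithms with keys of 64 bits (or less).

Important parts in bold.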

Flow Chart 2 provides an overview of how to determine whether your product can be self-classified and exported without an encryption registration.

If you have a product that is controlled under Category 5, Part 2, certain products and transactions do not require any encryption registration, classification, or post-export reporting. This includes:

  • Products classified under 5x992, including:
    • Products with key lengths not exceeding 56 bits symmetric, 512 bits asymmetric and/or 112 bit elliptic curve.
    • Mass market products with key lengths not exceeding 64 bits symmetric, or if no symmetric algorithms, not exceeding 768 bits asymmetric and/or 128 bits elliptic curve.
    • Certain mass market products listed under 742.15(b)(4)
    • Products with limited cryptographic functionality as described in the Note to 5A002.
    • Products that use encryption for authentication only.
  • Certain 5x002 products/transactions, including:
    • Certain products/transactions are eligible for license exception ENC without any registration, classification, or reporting, including:
      • Exports and reexports to ‘private sector end-users’ as described in 740.17(a)(1);
      • Exports and reexports to a “U.S. Subsidiary” as described in 740.17(a)(2).
      • Certain products listed under 740.17(b)(4):
    • Certain products that require only a notification before export:
      • “Publicly available” encryption software and source code under license exception TSU (740.13);
      • Beta Test software under license exception TMP (740.9).

In addition, if you are relying on the producer’s self-classification (pursuant to the producer’s encryption registration) or CCATS for an encryption item eligible for export or reexport under License Exception ENC or mass market, you are not required to submit an encryption registration, classification request or self-classification report. You are still required to comply with semi-annual sales reporting requirements under paragraph 740.17(e).

Regarding "ios - When should you check the 'This Application Uses Encryption' box?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/9609901/
