This is going to be one long question... Actually a set of related questions... I want to make an iOS app that will be sold on Apple's App Store (obviously). My app will store some sensitive user data in the documents directory. For security reasons I thought of a cryptosystem that will secure that data. Here the fun starts... That data security mechanism will be virtually unbreakable. I will be using AES-128/256, Twofish 128/256 and Serpent 128/256. The user can select what to use where... I may be using dual encryption, data being encrypted once with AES and then with Serpent, or any combination of those.
I obviously need to check the "uses encryption" button on the app store. The problem is:
1) What certification do I need, CCATS or just ERN?
From http://tigelane.blogspot.ro/2011/01/apple-itunes-export-restrictions-on.html:
- Go to this link and use his instructions. This is a great post: http://zetetic.net/blog/2009/08/03/mass-market-encryption-commodity-classification-for-iphone-applications-in-8-easy-steps/
- Do steps 1 and 2 for all cases. If you built your own encryption mechanism, then follow the entire post. If you used SSL or other public domain encryption, then you can stop after you have your SNAP-R account.
I need apparently to do the whole certification process... I definitely made my own mechanism.
2) Can the full CCATS be done 100% online?
In that "8 easy steps" post it said I need to send some documents by (snail)mail. Then later on a user said that it is not necessary anymore. Note: those blog posts seem old (2 years).
Excellent description! FYI: The process for obtaining a CIN/PIN for SNAP-R is now entirely electronic
Another user said:
You might want to consider updating your post. I've just been told by a BIS Counsellor that it's no longer necessary to snail mail in hard copies of your application form and supporting documentation. It may be something trivial to some but wasting $80 on international shipping is $80 down the drain.
I hope I don't need to send all the documents by mail, as it will take a while to get them to the US from the EU.
Has anyone in the EU used the ERN/CCATS process recently?
3) I also saw that they ask you for a fax number... I don't have a fax. Is that a big problem?
If really necessary, would an online fax service be OK?
4) Do I need to explain the whole encryption mechanism in detail? Or just the algorithms? Can I be rejected for having a "too good for mass market encryption" cryptosystem?
Mostly, do I need to explain or declare that some data will be encrypted twice? Or is "will store data encrypted on disk" a good enough explanation?
5) I will be using some password extension algorithms and hashing (HMAC with SHA-2, maybe SHA-3)... do I need to report those too?
2 Answers
#1
9
stormCloud's answer is great. I called BIS, and talked to a rep for an hour covering a lot of theoretical details. I also learned (the rep said the rep shouldn't tell me this) that they are annoyed with people that just call instead of trying to figure out the process first. So, I wanted to share what I found as a result of calling BIS as of 9/24/2013.
Document references:
All pertinent documents are listed on this page. The document links are listed on the left and center of this webpage in a group titled "Encrypted Links".
What to do with them:
In the document "Supplement 1 to part 774 Category 5 part ii", see "Note 4" to determine whether all of the primary functions of your app are exempt from category 5, section 2. The language is confusing. There is at least one double negative in there. If in doubt, just classify as a mass market commodity.
The rep urged me to consider not only whether the primary functions are exempt per intended use, but whether they would be exempt if users used the app any other way. Again, if in doubt, classify as a mass market commodity.
If you choose to classify as a mass market commodity, you will need to refer to three documents. See 740.17 to determine whether your software should be classified as B1, B2, or B3. B2x types definitely need to be classified as a mass market commodity. I did not clarify whether B1 or B2 types need to be classified as mass market commodities.
Supplement 5 pertains to classifying Bx types. You'll copy this document and fill in the relevant info, to in turn submit with your SNAP-R work item.
Additionally see Supplement 8 per the reports you must submit in January.
Our conclusion for our app:
Our particular application is not (yet) categorized under category 5, part 2. What this means is I can choose to "self-classify" our application as EAR99 instead of ECCN 5D992 (mass market) or 5D002 (not mass market). This also means I do not need to create an export item in a SNAP-R work item. :)
This is the full email I received from the BIS rep to walk me through classifying software as a mass market commodity:
An Encryption Registration Number (ERN) must be obtained before export. An ERN is something you obtain once and use forever or until the information you provide changes. Obtaining an ERN takes only a few minutes of work. You will receive the ERN within about an hour of submitting the request. After that, always include it on the additional information block of any classification request and use it on the subject line of your Supplement 8 to Part 742 reports.
If you cannot submit the request for an ERN immediately and understand that you are not authorized to export until you do so, please respond stating the same and I will issue the classification with the ERN required language on the face of it. I prefer that you go ahead and request an Encryption Registration Number (ERN) and reply to this request with your ERN. I will put your ERN in the additional information block and issue the CCATS without reference to the ERN.
In the future, please always include your ERN in the additional information block as required by the regulations for classification of items described by Sections 740.17(b)(2) or (b)(3) and 742.15(b)(3) of the EAR. Even items authorized by 740.17(b)(1) or 742.15(b)(1) require an encryption registration prior to export. Therefore, it usually makes sense to obtain and provide the ERN in the additional information block prior to making a classification request even for "B1" requests.
HOW TO OBTAIN AN ERN:
On the main BIS website www.bis.doc.gov, click on the word "Encryption" under the Policy Guidance pull-down menu. This brings up the main encryption web page. There are two blue boxes in the first column on the left side of the page; however, you may have to scroll down to find the second blue box. The second blue box says "Encryption Links" and is a set of important encryption regulations including Supp. 5 to Part 742. Choose the regulation "Supplement No. 5 to Part 742." Copy the Supplement 5 questions into a word processing document. Answer the questions and PDF your response. Open SNAP-R and select "Create work item". From the list of work item types select "Encryption Registration." Attach the .pdf you just created and submit. Within an hour, the computer should respond with your ERN (a number beginning with 'R'). Provide me with that number and put it in Block 24 "additional information" on all future encryption CCATS work items.
TMI...I know. Anyone read this far?
#2
7
I think that you should ask an export counselor that's insured to give legal advice, as what you are asking for in some of your questions really is sound legal advice.
There are a number of export counselors listed at bis.doc.gov.
Also over on bis.doc.gov is an extensive FAQ that covers some of your questions (links below).
- http://www.bis.doc.gov/licensing/do_i_needaneccn.html
- http://www.bis.doc.gov/licensing/index.htm#faqs
- http://www.bis.doc.gov/encryption/enc_faqs.htm
Hope that points you in the right direction.