SSL Encryption broken, online banking 100% compromised

Author Topic: SSL Encryption broken, online banking 100% compromised  (Read 12420 times)


Anti_Illuminati

  • Guest
SSL Encryption broken, online banking 100% compromised
« on: January 30, 2009, 04:19:53 AM »
http://blogs.zdnet.com/security/?p=2339

SSL broken! Hackers create rogue CA certificate using MD5 collisions

Using computing power from a cluster of 200 PS3 game consoles and about $700 in test digital certificates, a group of hackers in the U.S. and Europe have found a way to target a known weakness in the MD5 algorithm to create a rogue Certification Authority (CA), a breakthrough that allows the forging of certificates that are fully trusted by all modern Web browsers.

The research, which will be presented today by Alex Sotirov (top left) and Jacob Appelbaum (bottom left) at the 25C3 conference in Germany, effectively defeats the way modern Web browsers trust secure Web sites and provides a way for attackers to conduct phishing attacks that are virtually undetectable.

The research is significant because there are at least six CAs currently using the weak MD5 cryptographic algorithm in digital signatures and certificates. The most commonly used Web browsers — including Microsoft’s Internet Explorer and Mozilla’s Firefox — whitelist these CAs, meaning that a fake Certificate Authority can display any site as secure (with the SSL padlock).

“We basically broke SSL,” Sotirov said in an interview ahead of his 25C3 presentation.

Our main result is that we are in possession of a “rogue” Certification Authority (CA) certificate. This certificate will be accepted as valid and trusted by many browsers, as it appears to be based on one of the “root CA certificates” present in the so called “trust list” of the browser. In turn, web site certificates issued by us and based on our rogue CA certificate will be validated and trusted as well. Browsers will display these web sites as “secure”, using common security indicators such as a closed padlock in the browser’s window frame, the web address starting with “https://” instead of “http://”, and displaying reassuring phrases such as “This certificate is OK ” when the user clicks on security related menu items, buttons or links.

Researchers at the Centrum Wiskunde & Informatica (CWI) in the Netherlands, EPFL in Switzerland, and Eindhoven University of Technology (TU/e) in the Netherlands helped in the design and implementation of the attack using an advanced implementation of a known MD5 collision construction and a cluster of more than 200 PlayStation 3 game consoles.

According to Sotirov, a rogue CA in combination with Dan Kaminsky’s DNS attack can have serious consequences:

For example, without being aware of it, users could be redirected to malicious sites that appear exactly the same as the trusted banking or e-commerce websites they believe to be visiting. The web browser could then receive a forged certificate that will be erroneously trusted, and users’ passwords and other private data can fall in the wrong hands. Besides secure websites and email servers, the weakness also affects other commonly used software.

Sotirov said the team was able to secure NDAs in advance of briefing the major browser vendors about the problem but because of issues — some practical and some political — there are no straightforward fixes unless the CAs stop using MD5 and move to the more secure SHA-1 algorithm.

To avoid abuse, the team back-dated its rogue CA (it was set only for August 2004) and will not release the private key. “We’re also not going to release the special code that we used to do the MD5 collisions until later this year,” Sotirov added.

“We don’t anticipate this attack to be repeatable very easily. If you do a naive implementation, you would need six months to run it successfully,” he added.

According to Arjen Lenstra, head of EPFL’s Laboratory for Cryptologic Algorithms, the key objective of the research was to stimulate better Internet security with adequate protocols that provide the necessary security.

The key takeaway, according to Lenstra: “It’s imperative that browsers and CAs stop using MD5, and migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard.”
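Added example, not code from the article or from the research team: a standard-library Python check that reads the signatureAlgorithm of each certificate in a chain straight from its DER framing and refuses the chain if any link is signed with MD5. The OIDs are the standard RFC 3279/4055 values; the "certificates" the block builds for its demo are constructed placeholders that share only a real certificate's outer structure (SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }), so signature_algorithm() also works on a real DER certificate. The one-weak-link rule follows from the article: a forged CA certificate signed by an MD5-using root makes everything issued beneath it look valid.

```python
"""Read the outer signatureAlgorithm of DER X.509 certificates and flag MD5.

Added example (stdlib only). make_toy_cert() builds constructed placeholders
with a real Certificate's outer framing; signature_algorithm() reads that
framing and therefore also works on real DER certificates.
"""

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758 (real values).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
UNSAFE_OIDS = {"1.2.840.113549.1.1.4"}      # MD5: collisions are practical
DEPRECATED_OIDS = {"1.2.840.113549.1.1.5"}  # SHA-1: the article's interim target


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents into dotted form."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return the dotted OID of a certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)            # tbsCertificate (skipped)
    _, alg_id, _ = _read_tlv(cert, pos)          # signatureAlgorithm
    tag, oid, _ = _read_tlv(alg_id, 0)           # AlgorithmIdentifier.algorithm
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def assess_chain(chain_der):
    """Return [(index, algorithm_name, verdict)] for each certificate in a chain."""
    report = []
    for i, der in enumerate(chain_der):
        oid = signature_algorithm(der)
        if oid in UNSAFE_OIDS:
            verdict = "UNSAFE"
        elif oid in DEPRECATED_OIDS:
            verdict = "DEPRECATED"
        else:
            verdict = "ok"
        report.append((i, SIGNATURE_OIDS.get(oid, oid), verdict))
    return report


def chain_is_acceptable(chain_der):
    """One MD5-signed link anywhere in the chain makes the whole chain untrustworthy."""
    return all(verdict != "UNSAFE" for _, _, verdict in assess_chain(chain_der))


# --- constructed demo data: minimal DER encoder for a placeholder certificate ---

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def make_toy_cert(sig_oid):
    """Placeholder with a real certificate's outer framing; body and signature are dummies."""
    tbs = _tlv(0x30, _tlv(0x04, b"constructed tbsCertificate placeholder"))
    alg = _tlv(0x30, _encode_oid(sig_oid) + b"\x05\x00")   # algorithm OID + NULL parameters
    sig = _tlv(0x03, b"\x00" + b"\x00" * 16)               # BIT STRING holding a dummy signature
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    chain = [make_toy_cert("1.2.840.113549.1.1.11"),   # leaf: SHA-256
             make_toy_cert("1.2.840.113549.1.1.4")]    # intermediate CA: MD5, the weak link
    for entry in assess_chain(chain):
        print(entry)
    print("chain acceptable:", chain_is_acceptable(chain))
```

To point it at a live server, the standard library's ssl.get_server_certificate((host, 443)) returns the leaf in PEM and ssl.PEM_cert_to_DER_cert() converts it; the check reads only the algorithm identifier and does not verify the signature itself, so it complements rather than replaces the browser's chain validation.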

Offline papiowhisperer

  • Member
  • **
  • Posts: 86
  • Nobody's Slave
Re: SSL Encryption broken, online banking 100% compromised
« Reply #1 on: January 30, 2009, 04:26:38 AM »
This can't be good. I shudder to think what .gov will do.
information spreads at the speed of light, while ignorance is instantaneous at all points in the known universe - Dmitri Orlov

Anti_Illuminati

  • Guest
Re: SSL Encryption broken, online banking 100% compromised
« Reply #2 on: January 30, 2009, 04:45:42 AM »
Watch this:  Let's play a game of:  "You do the math."

http://blogs.zdnet.com/security/?p=2339

Using computing power from a cluster of 200 PS3 game consoles and about $700 in test digital certificates, a group of hackers in the U.S. and Europe have found a way to target a known weakness in the MD5 algorithm to create a rogue Certification Authority (CA), a breakthrough that allows the forging of certificates that are fully trusted by all modern Web browsers.
________________________________________________________
Live Free or Die Hard 2: DoDAF: NWO's FINAL SOLUTION-eugenics/genocide
http://forum.prisonplanet.com/index.php?topic=80222.msg460192#msg460192

http://www.strategypage.com/htmw/htmurph/articles/20080309.aspx

Weaponizing PlayStation 3


March 9, 2008: The U.S. Air Force is buying 300 PlayStation 3 game consoles. Not to play games, but because it's the cheapest way to get the powerful processors that create the photorealistic graphics for PlayStation games. Air force researchers want to use these processors (similar to the ones found in high end video cards) to build faster computers for military use. The CPU manufacturer was not willing to sell the PlayStation processor separately, at least for a reasonable price. So it was easier to just buy PlayStation 3s.

This use of video game electronics, for other purposes, is nothing new. Military researchers began doing this sort of thing in the late 1990s with graphic processors. This led to the introduction last year of modified graphic cards, which produce supercomputer type results, but at a very low cost. These were basically Nvidia 8800 graphic cards tweaked to just crunch numbers (one card equals half a teraflop of computing power). Each of these PCI cards costs about $1,500. For under $20,000 you have yourself a four teraflop supercomputer, and it looks like just another PC. By building this kind of computing power into weapons systems (like sonars and radars), you can improve their performance (speed and accuracy) enormously. This kind of computing power also makes UAVs and other robotic systems much smarter, even when they are under the control of a human operator.

Offline TheHouseMan

  • Member
  • *****
  • Posts: 3,837
Re: SSL Encryption broken, online banking 100% compromised
« Reply #3 on: January 30, 2009, 08:56:41 AM »
Time to pull money out of the banks... quick!! This is just one reason (and probably the least) why we should never trust a cashless society.

Offline gEEk squad

  • Member
  • *****
  • Posts: 2,000
  • You're World Delivered... to the NSA
Re: SSL Encryption broken, online banking 100% compromised
« Reply #4 on: January 30, 2009, 10:58:33 AM »
This isn't as bad as it sounds. Not only do you need a lot of expensive hardware to pull off the attack, but the user still needs to go to a phishing website for this attack to be utilized.

I'd guess that the NSA has been able to do this well before now. By the time Joe Schmo would be able to do this most servers would be using better encryption techniques.

Offline donnay

  • Member
  • *****
  • Posts: 17,449
  • Live Free Or Die Trying!
Re: SSL Encryption broken, online banking 100% compromised
« Reply #5 on: January 30, 2009, 11:21:45 AM »
I wonder if these two stories tie in with each other?

http://forum.prisonplanet.com/index.php?topic=82405.0
"Logic is an enemy and truth is a menace." ~ Rod Serling
"Cops today are nothing but an armed tax collector" ~ Frank Serpico
"To be normal, to drink Coca-Cola and eat Kentucky Fried Chicken is to be in a conspiracy against yourself."
"People that don't want to make waves sit in stagnant waters."

Offline Cipherscribe

  • Member
  • **
  • Posts: 96
Re: SSL Encryption broken, online banking 100% compromised
« Reply #6 on: January 30, 2009, 11:24:26 AM »
I'm not that technically proficient but doesn't this just mean that as long as we go to our banking website ourselves instead of following a link, we'll be fine?

Offline Freeski

  • Member
  • *****
  • Posts: 20,706
Re: SSL Encryption broken, online banking 100% compromised
« Reply #7 on: January 30, 2009, 11:45:30 AM »
I'm not that technically proficient but doesn't this just mean that as long as we go to our banking website ourselves instead of following a link, we'll be fine?

Yeah, I've always hated getting email money transfers via paypal, and my finger trembles when it says click your bank to log in. God knows what's going on behind the scenes there. I wonder if I'm really clicking my bank.
"He who passively accepts evil is as much involved in it as he who helps to perpetrate it. He who accepts evil without protesting against it is really cooperating with it." Martin Luther King, Jr.

Offline rawiron1

  • Member
  • *****
  • Posts: 3,032
Re: SSL Encryption broken, online banking 100% compromised
« Reply #8 on: January 30, 2009, 11:45:38 AM »
I used to work with "Dot Gov".  Guess I need to forward this to my old boss so she can freak out.   ;D  I am assuming CERT is aware of this?

Jason
Jason the Fed

nofakenews

  • Guest
Re: SSL Encryption broken, online banking 100% compromised
« Reply #9 on: January 30, 2009, 12:10:16 PM »
This isn't as bad as it sounds. Not only do you need a lot of expensive hardware to pull off the attack, but the user still needs to go to a phishing website for this attack to be utilized.

I'd guess that the NSA has been able to do this well before now. By the time Joe Schmo would be able to do this most servers would be using better encryption techniques.

Yeah, I agree. This is an MD5 hashing algorithm and not encryption, so this is theoretical in nature, but as long as you are smart enough to use encryption you should be OK. I think this post is important as I look for more attacks to take control of our internet, and just today I was listening to Glenn Beck on the radio and he was talking about how they don't like people doing all this talking online.  :-X

Offline Captain Obvious

  • Member
  • ***
  • Posts: 115
Re: SSL Encryption broken, online banking 100% compromised
« Reply #10 on: January 30, 2009, 12:11:13 PM »
what are they going to do? pay all my bills?

My online banking doesn't let me do anything interesting besides transfer money between accounts and pay bills. Doesn't show any account details.

zafada

  • Guest
Re: SSL Encryption broken, online banking 100% compromised
« Reply #11 on: January 30, 2009, 12:53:44 PM »
I'm not that technically proficient but doesn't this just mean that as long as we go to our banking website ourselves instead of following a link, we'll be fine?

Yeah pretty much.  You need to be fooled into going to a replica site.

For instance, there's www.rnyspace.com...

See what I mean?
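Added defender-side check, not code from any poster: the look-alike domain in the reply above (rn standing in for m) can be caught automatically by folding each hostname into a "skeleton" in which visually similar spellings collide (rn→m, vv→w, digit 1→l, accents and full-width letters folded) and comparing it against a list of protected domains. The confusable table and the watch list are constructed for this example and are deliberately small.

```python
"""Detect look-alike hostnames such as www.rnyspace.com imitating myspace.com.

Added example; the confusable table and protected-domain list are constructed
for illustration and are not exhaustive.
"""
import unicodedata

# Letter pairs that render like one letter in many fonts ('rn' vs 'm').
CONFUSABLE_SEQUENCES = {"rn": "m", "vv": "w"}
# Single characters commonly swapped for letters they resemble.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def skeleton(domain):
    """Fold a domain so that visually similar spellings map to the same string."""
    folded = unicodedata.normalize("NFKD", domain.lower())   # full-width 'ｍ' -> 'm', 'é' -> 'e' + mark
    folded = "".join(c for c in folded if not unicodedata.combining(c))  # drop accent marks
    folded = folded.translate(CONFUSABLE_CHARS)
    for seq, rep in CONFUSABLE_SEQUENCES.items():
        folded = folded.replace(seq, rep)
    return folded


def registrable_part(host):
    """Last two labels of a hostname (naive; a real check would use the public-suffix list)."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def lookalike_of(host, protected):
    """Return the protected domain that `host` imitates, or None.

    The genuine domain and its real subdomains are not look-alikes; any other
    registrable domain whose skeleton collides with a protected domain's is.
    """
    reg = registrable_part(host)
    if reg in protected:
        return None
    for p in protected:
        if skeleton(reg) == skeleton(p):
            return p
    return None


if __name__ == "__main__":
    protected = ["myspace.com", "paypal.com"]        # constructed watch list
    for h in ["www.rnyspace.com", "login.myspace.com", "paypa1.com", "example.org"]:
        print(f"{h:22} -> {lookalike_of(h, protected)}")
```

Skeleton collisions need review rather than automatic blocking (two honest domains can fold to the same string), and the check does not cover the other common trick of burying the brand in a subdomain of an unrelated registrable domain; internationalised names arrive as punycode and must be decoded before folding.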

Offline blackturtle.us

  • Member
  • *****
  • Posts: 734
    • blackturtle.us
Re: SSL Encryption broken, online banking 100% compromised
« Reply #12 on: January 30, 2009, 12:59:21 PM »
From the article it sounds like the encryption has not been hacked. Rather hackers have found a way to steal the keys used to decrypt the message. If the MD5 algorithm could be directly hacked this would be a bigger problem. But what we have here is someone finding a way to steal what is in effect a password (not in the logon to your account sense, but in the decrypt the message sense as in PGP or something along those lines).

Offline ConcordeWarrior

  • Member
  • *****
  • Posts: 2,346
Re: SSL Encryption broken, online banking 100% compromised
« Reply #13 on: January 30, 2009, 02:06:09 PM »
http://www.microsoft.com/technet/security/advisory/961509.mspx

 ::)

From another forum, same topic.

Hardly earth shattering... the theory had been floating around for months before that, they just finally went and did it. Doubt it's gonna change anything either, many servers can already use SHA-1 instead of MD5... now the problem is getting all browser and other clients on the same page. Most common ones already can/do.

What is still not being talked about is how many collisions they had to track to get the hash... my guess it was several hundred thousand... really enough to not worry about this for a couple years yet. There is also some debate that not ALL MD5 certs can be cracked this way, only some. But anyways, anything recent will be off MD5 anyways so the point is kinda irrelevant.
The Sky is My Home

Anti_Illuminati

  • Guest
Re: SSL Encryption broken, online banking 100% compromised
« Reply #14 on: January 30, 2009, 02:19:00 PM »
http://www.microsoft.com/technet/security/advisory/961509.mspx

 ::)

From another forum, same topic.

Hardly earth shattering... the theory had been floating around for months before that, they just finally went and did it. Doubt it's gonna change anything either, many servers can already use SHA-1 instead of MD5... now the problem is getting all browser and other clients on the same page. Most common ones already can/do.

What is still not being talked about is how many collisions they had to track to get the hash... my guess it was several hundred thousand... really enough to not worry about this for a couple years yet. There is also some debate that not ALL MD5 certs can be cracked this way, only some. But anyways, anything recent will be off MD5 anyways so the point is kinda irrelevant.

Saying that online banking is 100% compromised =/= earth shattering.

In terms of security, if you have 100 doors, and 99 of those 100 are locked, you are not 99% safe, or 1% insecure.  You are 100% insecure.

Those CELL processors were powerful enough to get the attention of the USAF, which bought 300 of the PS3s to use in military systems.  Using such power it is feasible that even SHA-1 could be broken as well.  But SSL is still significantly in use, and I would not be surprised if those hackers get contacted by MITRE to come and work for them.  The govt. can seize on this type of opportunity to further propagate their ID theft extortion scam of making sure you are a victim of ID fraud in the future unless you are paying the NWO (the wolf guarding the henhouse) your monthly fee (slavery) for them not to more dramatically ruin your life.  The title may not have been the best, but they said "basically, we broke SSL", same difference.  The security of it is compromised, and should never be used again.

Offline TelepesT

  • Member
  • *****
  • Posts: 960
  • Genetic Dictator
    • Freedom T
Re: SSL Encryption broken, online banking 100% compromised
« Reply #15 on: January 30, 2009, 03:06:28 PM »
http://blogs.zdnet.com/security/?p=2339


According to Arjen Lenstra, head of EPFL’s Laboratory for Cryptologic Algorithms, the key objective of the research was to stimulate better Internet security with adequate protocols that provide the necessary security.

The key takeaway, according to Lenstra: “It’s imperative that browsers and CAs stop using MD5, and migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard.”



Yeah - US military pays foreign hackers at some kind of conference to purposely break the MD5 SSL - to stimulate the computer industry - this will generate billions of dollars in updating servers and software costs. But the end result is another security system to hack  ;D
Ten Foot Lizard Man from Planet Snickle-Snack in the POP-TART sector 
Freedom T
Even if you are a minority of one, the truth is the truth.
- Mohandas Gandhi

Offline EchelonMonitor

  • Member
  • *****
  • Posts: 2,934
    • Infowars Ning Network--upload your photos for posting in the forum
Re: SSL Encryption broken, online banking 100% compromised
« Reply #16 on: January 30, 2009, 11:38:58 PM »
From what I read, they aren't able to break the encryption (sniff data and read it), just spoof a certificate so they can make a phishing site look legitimate.

The SSL certificate program is a big money-making scam anyway--I hope it breaks it.

Open SSL is free and works fine.

Offline 911aware

  • Member
  • *****
  • Posts: 519
Re: SSL Encryption broken, online banking 100% compromised
« Reply #17 on: January 30, 2009, 11:44:52 PM »
I'm not that technically proficient but doesn't this just mean that as long as we go to our banking website ourselves instead of following a link, we'll be fine?


YES.  They would need to gain control of the bank's DNS account as well.  Always type in your own addresses.  Don't rely on search engines to give you mybank.com or whatever.
It's a dog eat dog world, and I'm wearing Milkbone underwear.  -norm

EvadingGrid

  • Guest
Re: SSL Encryption broken, online banking 100% compromised
« Reply #18 on: January 30, 2009, 11:49:42 PM »
More reasons for Internet 2 so far as the sheeple will be concerned.

Offline burx

  • Member
  • *
  • Posts: 34
Re: SSL Encryption broken, online banking 100% compromised
« Reply #19 on: January 31, 2009, 12:22:26 AM »
More reason for the Amero, while avoiding the blame to the inflationary banks.

Offline lordssyndicate

  • Member
  • *****
  • Posts: 1,141
  • Stop The New World Order
    • LinkedIn Profile
Re: SSL Encryption broken, online banking 100% compromised
« Reply #20 on: January 31, 2009, 06:30:37 AM »
Well .... quite interesting news.


It was only a matter of time before consumer hardware caught up to the point where it could compromise SSL.

Not surprising they did it on PS3 cells.

This leaves you thinking about the compute power behind an OpenSparc CPU.

8 cores and 64 threads.... think of a PS3 CELL CPU on steroids......
They cost you about 10 grand right now but are definitely worth it if you need the world's most powerful CPUs ....

Or if you have a FAB you can build one free since the CPU is open source.

That's right, Sun's newest, most bad-ass CPU is open source....

www.opensparc.net
"Biotechnology it's not so bad. It's just like all technologies it's in the wrong HANDS!"- Sepultura

Offline Satyagraha

  • Global Moderator
  • Member
  • *****
  • Posts: 8,939
Re: SSL Encryption broken, online banking 100% compromised
« Reply #21 on: October 16, 2009, 10:26:21 AM »

Updates to the Encryption Simplification Rule have been posted to cryptome:

=======================================================================

DEPARTMENT OF COMMERCE
Bureau of Industry and Security
15 CFR Parts 730, 734, 738, 740, 742, 744, 772 and 774
[Docket No. 080211163-9110-02]
RIN 0694-AE18
http://cryptome.org/0001/bis101509.htm
 
Encryption Simplification Rule: Final

AGENCY: Bureau of Industry and Security, Commerce.
ACTION: Final rule.

(Content of this doc will be posted following these two background articles)...

==============================================================

New BIS Encryption Regulation Contains Good and Bad News for US Exporters
November 2008
http://learnexportcompliance.com/news/2008/11/16/new-bis-encryption-regulation-contains-good-and-bad-news-for-us-exporters/

In response to industry pressure and a Presidential Directive issued earlier this year, the Bureau of Industry and Security (BIS) published an interim final rule on October 3, 2008 modifying the Export Administration Regulations (EAR) governing the export of hardware, software and technical data using encryption technology. The rule makes some marginal changes to the regulations but falls short of any significant restructuring of the regulatory regime which has been in place for almost a decade. Despite the limited nature of the changes, many U.S. companies will need to tweak their compliance practices immediately in order to comply with the new rules — there is no “grace period” for implementation.

The new rule, ironically entitled “Encryption Simplification” takes up eighteen pages in the Federal Register. BIS plans on developing additional guidance to be posted on its website as questions will inevitably be raised regarding the correct interpretation of certain provisions contained in the final rule.
Good News for Some

Companies in the business of making products for the consumer market will benefit from the regulatory changes. For example, companies that make mass-market products using weak cryptography (now defined as using key lengths not exceeding 80 bits; for asymmetric algorithms with key lengths not exceeding 1024 bits; and for elliptic curve algorithms with key lengths not exceeding 160 bits) no longer have to submit a notification of self-classification prior to export. These products can be classified as 5X992 and exported under “NLR”.

The new regulation introduces a category of products performing “ancillary cryptography” and exempts them from review and reporting requirements. Examples provided by BIS in its definition of ancillary cryptography in section 772.1 of the EAR include “business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery); industrial, manufacturing or mechanical systems (including robotics, other factory or heavy equipment, facilities systems controllers including fire alarms and HVAC); automotive, aviation and other transportation systems.” Relief from the review and reporting requirements is also given to companies making products using short-range wireless technology.

BIS has also raised the thresholds that allow some network infrastructure equipment to be exported under the unrestricted provisions of ENC. As a consequence, low-end virtual private network (VPN) hardware and other wide area networking products can now potentially qualify for license-free shipment to both commercial and government end-users worldwide.

All exporters will benefit by the inclusion of Bulgaria, Canada, Iceland, Romania and Turkey to the “License Free Zone” (also known as the “Supplement 3 countries”). Both government and commercial entities in these countries may receive product under ENC once a review request is submitted.
Bad News for Others

BIS has made a change affecting the classification of mass-market products that could present a compliance challenge for companies who may conduct a limited international release of product coincident with the submission of a technical review. Companies had previously been allowed to self-classify mass-market products as 5X992 and export under NLR (no license required) pending a 30 day BIS review. The new rules require that future products be temporarily classified as 5X002 pending a final BIS determination and export be made according to the provisions of ENC. This change is viewed as a roll-back of an existing liberalization and will undoubtedly be cited in comment letters to BIS. Companies will likely claim that expensive system change requirements in their order processing, export documentation and ERP systems will be required to comply with the new rule.

BIS is actively working on a long range plan to further modify the encryption regulations. However, given the fact that this is an election year and that fundamental changes to U.S. encryption export rules will require Wassenaar Arrangement approval there will likely be no further changes for at least a year to eighteen months.

— Felice Laird, Export Strategies LLC


==============================================================

December 9, 2004
U.S. Encryption Export Control Policy
Fact Sheet
http://www.bis.doc.gov/encryption/encfactsheet12_09_04.htm

U.S. encryption export policy continues to rest on three principles: review of encryption products prior to sale, streamlined post-export reporting, and license review of certain exports and reexports of strong encryption to foreign governments. Effective December 9, 2004, the Export Administration Regulations (EAR) have been amended in order to streamline and strengthen export and reexport controls on encryption items, in keeping with these principles.

This policy update includes the following features:

(1) All encryption items are eligible for 30 day review based on a more clearly articulated set of eligibility criteria

This rule simplifies the License Exception ENC technical review process by implementing a uniform 30 day period for most encryption reviews and clarifying the criteria by which the licensing requirement to certain “government end-users” is determined. Now, except for commodities and software that provide an “open cryptographic interface” or that are specified in the revised paragraph (b)(2) of License Exception ENC (§740.17(b)(2) of the EAR), all encryption products submitted for review under License Exception ENC qualify to both “government end-users” and non-“government end-users” under paragraph (b)(3) of the license exception (§740.17(b)(3)).

To strengthen this review process, this rule authorizes the Bureau of Industry and Security (BIS) to, at any time, require additional technical information about an encryption item submitted for review and, if the information is not furnished, to suspend or revoke authorization to use License Exception ENC with respect to the item for which the information is sought.

(2) The European Union “license-free zone” has been updated

This rule expands the list (Supplement No. 3 to part 740 of the EAR) of countries to which certain encryption items may be sent immediately (i.e., without a 30 day waiting period), once a review request is submitted to the U.S. Government. This list now covers all current members of the European Union (EU) to include those countries that joined the EU on May 1, 2004. Specifically, this rule adds Cyprus, Estonia, Latvia, Lithuania, Malta, Slovakia, and Slovenia to Supplement No. 3 to part 740 because those countries were admitted to the European Union on May 1, 2004 and were previously not listed in this supplement. (Although the Czech Republic, Hungary, and Poland were also admitted to the European Union on May 1, 2004, these three countries were previously part of the EU “license-free zone” and therefore already listed in Supplement No. 3 to part 740.)

To further ensure that companies in the U.S. can effectively trade with their “license-free zone” partners, this rule allows encryption items and related technical assistance to private sector end-users headquartered in Canada or any country listed in Supplement 3 to part 740 for internal company use in the development of new products, without prior technical review. However, review is still required for new products produced or developed with an item that had been exported or reexported without review for such internal company use, before the products are transferred to others.

(3) Separate requests for de minimis eligibility are no longer required

This rule removes the requirement to make a separate request for de minimis eligibility when submitting a review request under License Exception ENC. Except for prohibitions on de minimis treatment for encryption technology controlled under Export Control Classification Number (ECCN) 5E002 to any foreign destination, or for “network infrastructure” products and other commodities and software listed in §740.17(b)(2) of the EAR going to a destination in Country Group E:1, foreign made items incorporating U.S. origin encryption items that have met specified notification or review requirements will be treated like foreign made items that incorporate other U.S. origin items, in terms of de minimis eligibility.

(4) Certain changes made to previously notified “publicly available” encryption software do not require additional notification

For “publicly available” encryption software that has been posted to the Internet under the notification procedures of License Exception TSU (§740.13(e) of the EAR), this rule permits updates or modifications to be made to such software without additional notification, provided the Internet location of the software has not changed.

(5) References to “retail” have been removed

To alleviate confusion with respect to the treatment of “mass market” encryption products under §742.15(b)(2) of the EAR, this rule removes the word “retail” from License Exception ENC (except from a “grandfathering” paragraph that allows the continued export and reexport of encryption commodities and software previously classified as “retail” without additional review).

(6) Beta test encryption software and key length upgrade procedures have been simplified

This rule removes the requirement that exporters of beta test encryption software report the names and addresses of their beta testers, and permits key lengths of products that have previously been reviewed and authorized under License Exception ENC to be increased with a simple e-mail notification procedure (instead of through a certified letter from a corporate official).

=======================================================================
Here's the update posted to cryptome.. edited for length.. see full doc at cryptome link
=======================================================================

DEPARTMENT OF COMMERCE
Bureau of Industry and Security
15 CFR Parts 730, 734, 738, 740, 742, 744, 772 and 774
[Docket No. 080211163-9110-02]
RIN 0694-AE18
http://cryptome.org/0001/bis101509.htm
 
Encryption Simplification Rule: Final

AGENCY: Bureau of Industry and Security, Commerce.
ACTION: Final rule.

SUMMARY: The Bureau of Industry and Security (BIS) published the interim final rule entitled “Encryption Simplification” on October 3, 2008 (73 FR 57495). This rule finalizes that rule, corrects errors published in the October 3, 2008 interim final rule, and resolves inconsistencies in that rule identified by the public.

DATES: Effective Dates: This rule is effective October 15, 2009.

SUPPLEMENTARY INFORMATION:

Background


BIS published the interim final rule entitled “Encryption Simplification” on October 3, 2008 (73 FR 57495). This rule removed section 744.9 of the EAR, which set forth requirements for authorization from BIS for U.S. persons to provide technical assistance (including training) to foreign persons with the intent to aid a foreign person in the development or manufacture outside the United States of encryption commodities or software that, if of U.S.-origin, would be “EI” controlled under ECCNs 5A002 or 5D002. Section 744.9 was added to the EAR in 1996 when jurisdiction over dual-use encryption items was transferred from the Department of State to the Department of Commerce. However, other parts of the EAR that referred to section 744.9 were inadvertently not removed. Therefore, this rule removes these references in Sec. 730.5(d), Sec. 734.5(c), Sec. 736.2(b)(7)(ii), and Sec. 744.1(a)(1). In addition, other corrections are made to harmonize with revisions made in the “Encryption Simplification” rule published on October 3, 2008. Some of the revisions in this rule are the results of requests for clarification from the public on the October 3 encryption simplification rule.


Part 738

Paragraph (a)(2)(ii)(B) of section 738.4 is amended by removing a reference to the mass market review requirements in section 742.15(b) for 5A992 and 5D992, and replacing it with an instruction that the export may be executed under the No License Required (NLR) principle unless the License Requirement section refers the reader to another section of the EAR. E.g., in ECCN 5A002 the License Requirement section not only refers the reader to the Commerce Country Chart in Supplement No. 1 of part 738, but it also refers the reader to section 742.15 of the EAR to determine license requirements.

Part 740

    Section 740.17(b)(1)-(3): paragraph (b) is changed for clarity,
transparency, and simplification of language authorizing export after
review. Authorization language to Supplement 3 countries under the
subparagraphs of (b)(1) was complex and confusing to exporters. Under
the reorganization of License Exception ENC, there is no need to
exclude exports to countries listed in Supplement 3 from authorization
under paragraphs (b)(2) and (b)(3). Such exclusions are removed here.
Once a review has been submitted, Paragraph (b)(1)(i) is intended to
authorize immediate export to the Supplement 3 countries of all
encryption items (except ``cryptanalytic items'' to ``government end-
users''). After the review is complete, all items except technology and
Open Cryptographic Interfaces (OCIs) are authorized by paragraphs
(b)(2), (b)(3), or (b)(4). As the language has been revised, four sets
of authorization language will cover almost all items authorized for
export and reexport. The four authorizations will be:

(a) and (b)(1)(i) technology and OCI;
(a) and (b)(2) ENC restricted commodities and software;
(a) and (b)(3) ENC unrestricted commodities and software; and
(b)(4) ENC commodities and software as described.

Prior to the implementation of this final rule, paragraph (b)(4)
authorized immediate export under (b)(2) or (b)(3) for source code and
key length limited items. However, with the authorization under (b)(4),
it was no longer clear that (b)(2) items were not authorized for
immediate export to ``government end-users'' outside the Supplement 3
countries. The added language implemented by this rule makes clear that
this continues to be true. Products that would not be authorized for
permanent export to certain ``government end-users'' should not be
authorized for temporary export to those end-users.
    This rule revises section 740.17(b)(1)(i) of the EAR to remove the
phrase ``(excluding source code),'' because BIS has received a number
of inquiries from the public who are confused by this phrase appearing
in this paragraph. This paragraph describes exports and reexports to
government end-users and non-government end-users located in a country
listed in Supplement No. 3 of section 740.17 of the EAR that are
eligible for License Exception ENC once a review request is registered
with BIS, including commodities and software that are pending review
(under section 742.15(b)) for mass market treatment (ECCNs 5A992.c and
5D992.c). Encryption source code is not eligible for such mass market
treatment. This is what the phrase ``(excluding source code)'' refers
to. Although this phrase only refers to software that is pending review
for mass market treatment (under section 742.15(b)), and thus does not
pertain to any other License Exception ENC-eligible encryption source
code (e.g., as described in section 740.17(b)(2)(ii)), it has
nonetheless proven confusing and so is being removed.
    This rule revises section 740.17(b)(4) to fix an incorrect citation
and to clarify what is authorized by each subsection of
paragraph (b)(4). Paragraph (b)(4) should contain specific
authorization language like all other License Exception ENC paragraphs.
The addition of the introductory sentence accomplishes this. The second
sentence makes it clear that paragraph (b)(4)(ii) does not authorize
subsequent export from the United States of the foreign developed
products.
    This rule adds text to sections 740.17(b)(4)(ii) and 742.15(b)(2)
to provide clarification to the regulated community that foreign
products developed with or incorporating U.S.-origin encryption source
code authorized for export under License Exception TSU (section
740.13(e)) that are subject to the EAR are also excluded from review
requirements and that after a mass market review request is submitted,
there is no waiting period for export to certain end-users as
authorized by sections 740.17(a) and 740.17(b)(1)(i), or for certain
encryption items as authorized by section 740.17(b)(1)(ii).
    This rule also makes slight editorial corrections to sections
740.9(c)(3), 740.13(d)(2), 740.17(b)(2)(ii) and 740.17(e)(1)(i)(C).

Part 742

    The second sentence in paragraph (b)(1) of section 742.15 is
revised and the fourth sentence removed to conform to the new mandatory
SNAP-R procedures (published August 21, 2008, effective October 20,
2008, 73 FR 49323) for submission of review requests.

    Supplement No. 6 to part 742 ``Guidelines for Submitting Review
Requests for Encryption Items'' is amended by removing the fourth and
fifth sentences of the introductory paragraph to harmonize with the new
mandatory SNAP-R procedures (published August 21, 2008, effective
October 20, 2008, 73 FR 49323) for submission of review requests. This
rule adds text to introductory paragraph (a), which was inadvertently
omitted in the October 3 rule, explaining that appropriate technical
information must accompany the review request. This language was in the
introductory paragraph to Supplement 6 prior to the October 3
publication. The intent was to move it to paragraph (a) where it would
be more visible. Instead it was inadvertently removed. Also, paragraph
(c)(6) is corrected to refer to ECC (elliptic curve cryptography), as
opposed to ECCN (Export Control Classification Number).

Part 744

    The fifth sentence in paragraph (a)(1) of section 744.1 of the EAR
is removed, because it refers to section 744.9, which was removed by
the October 3 encryption simplification rule.

Part 772

    Exporters have been confused by the Nota Bene to the ``personal
area network'' (PAN) definition. This rule deletes some of the text in
that note for clarity. In one of the deleted sentences, the words
``enterprise'' and ``long range'' in the absence of a specific 30 meter
range limitation could be read to include intermediate-range devices.
What is authorized by section 740.17(b)(4)(iii) are certain ``PAN''
items with nominal operating ranges not exceeding 30 meters. This rule
deletes other text where the language could also be misunderstood to
describe items clearly not eligible for section 740.17(b)(4)(iii)
treatment. ``PAN'' items are not necessarily eligible for section
740.17(b)(4)(iii). Eliminating the confusing examples should help the
public understand why a ``data capable wireless telephone'', for
example, is not eligible for section 740.17(b)(4)(iii) self-
classification.

    In addition, this rule revises the Nota Bene for the term
``ancillary cryptography'' by making editorial clarifications, as well
as adding a footnote to clarify that for the purpose of this
definition, the term `transportation systems' does not include any
Automatic Identification System (AIS)/Vessel Traffic Service (VTS).
Secure AIS/VTS and their maritime applications are not considered
``ancillary cryptography''.

Supplement No. 1 to Part 774--Commerce Control List

    ECCN 5B002 is amended by adding License Exception ENC to the
License Exception section to clarify that this ECCN may be considered
for License Exception ENC eligibility.
    ECCN 5E002 is amended by adding License Exception ENC to the
License Exception section to clarify that this ECCN may be considered
for License Exception ENC eligibility.
    ECCN 5E992 is amended by inserting ``according to the General
Technology Note'' into the heading to more clearly define the scope of
this ECCN.
    Although the Export Administration Act expired on August 20, 2001,
the President, through Executive Order 13222 of August 17, 2001, 3 CFR,
2001 Comp., p. 783 (2002), as extended by the Notice of August 13, 2009
(74 Fed. Reg. 41,325 (August 14, 2009)), has continued the Export
Administration Regulations in effect under the International Emergency
Economic Powers Act.


List of Subjects

15 CFR Part 730

    Administrative practice and procedure, Advisory committees,
Exports, Reporting and recordkeeping requirements, Strategic and
critical materials.

15 CFR Part 734

    Administrative practice and procedure, Exports, Inventions and
patents, Research, Science and technology.

15 CFR Parts 738 and 772

    Exports.

15 CFR Part 740

    Administrative practice and procedure, Exports, Reporting and
recordkeeping requirements.

15 CFR Part 742

    Exports, Terrorism.

15 CFR Part 744

    Exports, Reporting and recordkeeping requirements, Terrorism.

15 CFR Part 774

    Exports, Reporting and recordkeeping requirements.

* * * * *

PART 740--[AMENDED]
Sec.  740.13  Technology and Software--Unrestricted (TSU).

* * * * *
    (d) * * *
    (2) Exclusions. * * * (Once such mass market encryption software
has been reviewed by BIS and released from ``EI'' and ``NS'' controls
pursuant to Sec.  742.15(b) of the EAR, it is controlled under ECCN
5D992.c and is thus outside the scope of License Exception TSU.) See
Sec.  742.15(b) of the EAR for exports and reexports of mass market
encryption products controlled under ECCN 5D992.c.
* * * * *

Sec.  740.17  Encryption Commodities, Software and Technology (ENC).

* * * * *
    (b) * * *
    (1) * * *
    (ii) Export and reexport to countries not listed in Supplement No.
3 of this part. License Exception ENC authorizes the export and
reexport of the following commodities and software (except certain
exports and reexports to ``government end-users'' as further described
in paragraph (b)(2) of this section, or any ``open cryptographic
interface'' item):
* * * * *
    (2) Review required with 30 day wait (non-``government end-users''
only). Thirty (30) days after your review request is registered with
BIS in accordance with paragraph (d) of this section and subject to the
reporting requirements in paragraph (e) of this section, License
Exception ENC authorizes the export or reexport of the following
commodities and software to ``government end-users'' located or
headquartered in a country listed in Supplement 3 to this part, and
also to non-``government end-users'' located in a country not listed in
Country Group E:1 of Supplement No. 1 to part 740 of the EAR:
* * * * *
    (4) Items excluded from review requirements. License Exception ENC
authorizes the export and reexport of the commodities and software
described in this paragraph (b)(4) without review (for encryption
reasons) by BIS, except that paragraph (b)(4)(ii) of this section does
not authorize exports from the United States of foreign products
developed with or incorporating U.S.-origin encryption source code,
components, or toolkits.
* * * * *
(ii) Foreign products developed with or incorporating U.S.-origin encryption
source code, components, or toolkits. Foreign products developed with
or incorporating U.S.-origin encryption source code, components or
toolkits that are subject to the EAR, provided that the U.S.-origin
encryption items have previously been reviewed and authorized by BIS
(or else authorized for export under License Exception TSU upon meeting
the notification requirements of section 740.13(e) of the EAR, without
need for further review) and the cryptographic functionality has not
been changed. Such products include foreign-developed products that are
designed to operate with U.S. products through a cryptographic
interface.
* * * * *

Sec.  742.15  Encryption items.

* * * * *
    (b) * * *
    (1) Procedures for requesting review. * * * Review requests must be
submitted to BIS in accordance with Sec. Sec.  748.1 and 748.3 of the
EAR. See paragraph (r) of Supplement No. 2 to part 748 of the EAR for
special instructions about this submission. Submissions to the ENC
Encryption Request Coordinator should be directed to the mailing
address indicated in Sec.  740.17(e)(1)(ii) of the EAR. BIS will notify
you if there are any questions concerning your request for review
(e.g., because of missing or incompatible support documentation). * * *
    (2) Action by BIS. * * * (Note that once a mass market review
request is submitted, there is no waiting period for export or reexport
under License Exception ENC to certain end users as authorized by
Sec. Sec.  740.17(a) and (b)(1)(i), or for certain items as authorized
by Sec.  740.17(b)(1)(ii), while the mass market request is pending
review with BIS.) * * *
* * * * *

14. Supplement No. 6 to part 742 is amended by:
a. Revising the introductory text;
b. Adding paragraph (a) introductory text; and
c. Revising the acronym ``ECCN'' to read ``ECC'' in paragraph (c)(6).
    The revision and addition read as follows:

Supplement No. 6 to Part 742--Guidelines for Submitting Review Requests
for Encryption Items

18. In section 772.1 the definition for ``ancillary cryptography'' is
amended by revising the Nota Bene (N.B.) and the definition for
``personal area network'' is amended by revising the Nota Bene to read
as follows:


Sec.  772.1  Definitions of terms as used in the Export Administration
Regulations (EAR).


    ``Ancillary cryptography''.

    N.B. Examples of commodities and software that perform
``ancillary cryptography'' are items specially designed and limited
to: Piracy and theft prevention for software, music, etc.; games and
gaming; household utilities and appliances; printing, reproduction,
imaging and video recording or playback (but not videoconferencing);
business process modeling and automation (e.g., supply chain
management, inventory, scheduling and delivery); industrial,
manufacturing or mechanical systems (including robotics, other
factory or heavy equipment, and facilities systems controllers, such
as fire alarms and HVAC); automotive, aviation and other
transportation systems.\1\ Commodities and software included in this
description are not limited to wireless communication and are not
limited by range or key length.

    \1\ For the purpose of this definition, the term
``transportation systems'' does not include any Automatic
Identification System (AIS)/Vessel Traffic Service (VTS). Secure
AIS/VTS and their maritime applications are not considered
``ancillary cryptography''.


    ``Personal area network''. * * *

    N.B. ``Personal area network'' items include but are not limited
to items designed to comply with the Institute of Electrical and
Electronic Engineers (IEEE) 802.15.1 standard, class 2 (10 meters)
and class 3 (1 meter), but not class 1 (100 meters) items. IEEE
802.15.1 class 2 and class 3 devices include hands-free headsets,
wireless mice, keyboards and printers, bar code scanners and game
console wireless controllers, as well as devices or software for
transfer of files between devices using Object Exchange (OBEX).
* * * * *

PART 774--[AMENDED]

20. In Supplement No. 1 to part 774 (the Commerce Control List),
Category 5 Telecommunications and ``Information Security'', Part 2
Information Security, Export Control Classification Number (ECCN) 5B002
is amended by revising the License Exception section to read as
follows:

    5B002 Information Security--test, inspection and ``production''
equipment.

Dated: October 7, 2009.
Matthew S. Borman,
Acting Assistant Secretary for the Bureau of Industry and Security.


[FR Doc. E9-24697 Filed 10-14-09; 8:45 am]



And the King shall answer and say unto them, Verily I say unto you,
Inasmuch as ye have done it unto one of the least of these my brethren, ye have done it unto me.

Matthew 25:40