CCATS on iOS AppStore and encryption


Problem description


This is going to be one long question... Actually a set of related questions... I want to make an iOS app that will be sold on Apple's App Store (obviously). My app will store some sensitive user data in the documents directory. For security reasons I thought of a cryptosystem that will secure that data. Here the fun starts... That data security mechanism will be virtually unbreakable. I will be using AES-128/256, TwoFish 128/256 and Serpent 128/256. The user can select what to use where... I may be using dual encryption, data being encrypted once with AES and then with Serpent, or any combination of those.

I obviously need to check the "uses encryption" button on the app store. The problem is:

1) What certification do I need, CCATS or just ERN?

From:

http://tigelane.blogspot.ro/2011/01/apple-itunes-export-restrictions-on.html

  1. Go to this link and use his instructions. This is a great post: http://zetetic.net/blog/2009/08/03/mass-market-encryption-commodity-classification-for-iphone-applications-in-8-easy-steps/
  2. Do steps 1 and 2 for all cases. If you built your own encryption mechanism, then follow the entire post. If you used SSL or other public domain encryption, then you can stop after you have your SNAP-R account.

Apparently I need to do the whole certification process... I definitely made my own mechanism.

2) Can the full CCATS be done 100% online?

In that "8 easy steps" post it said I need to send some documents by (snail) mail. Then later on a user said that it is not necessary anymore. Note: those blog posts seem old (2 years).

Excellent description! FYI: The process for obtaining a CIN/PIN for SNAP-R is now entirely electronic

Another user said:

You might want to consider updating your post. I've just been told by a BIS Counsellor that it's no longer necessary to snail mail in hard copies of your application form and supporting documentation. It may be something trivial to some but wasting $80 on international shipping is $80 down the drain.

I hope I don't need to send all the documents by mail, as it will take a while to get them to the US from the EU.

Has anyone in the EU used the ERN/CCATS process recently?

3) I also saw that they ask you for a fax number... I don't have a fax. Is that a big problem?

If really necessary would an online fax service be ok?

4) Do I need to explain the whole encryption mechanism in detail? Or just the algorithms? Can I be rejected for having a "too good for mass market encryption cryptosystem"?

Mostly, do I need to explain or declare that some data will be encrypted twice? Or is "will store data encrypted on disk" a good enough explanation?

5) I will be using some password extension algorithms and hashing (HMAC, with SHA-2, maybe SHA-3)... do I need to report those too?

Solution

stormCloud's answer is great. I called BIS, and talked to a rep for an hour covering a lot of theoretical details. I also learned (the rep said the rep shouldn't tell me this) that they are annoyed with people that just call instead of trying to figure out the process first. So, I wanted to share what I found as a result of calling BIS as of 9/24/2013.

Document references:

All pertinent documents are listed on this page. The document links are listed on the left and center of this webpage in a group titled "Encrypted Links".

What to do with them:

In the document "Supplement 1 to part 774 Category 5 part ii", see "Note 4" to determine whether all of the primary functions of your app are exempt from category 5, section 2. The language is confusing. There is at least one double negative in there. If in doubt, just classify as a mass market commodity.

The rep urged me to consider not only whether the primary functions are exempt per intended use, but whether they would be exempt if users used the app any other way. Again, if in doubt, classify as a mass market commodity.

If you choose to classify as a mass market commodity, you will need to refer to three documents. See 740.17 to determine whether your software should be classified as B1, B2, or B3. B2x types definitely need to be classified as a mass market commodity. I did not clarify whether B1 or B2 types need to be classified as mass market commodities.
Supplement 5 pertains to classifying Bx types. You'll copy this document and fill in the relevant info, to in turn submit with your SNAP-R work item.
Additionally see Supplement 8 per the reports you must submit in January.

Our conclusion for our app:

Our particular application is not (yet) categorized under category 5, part 2. What this means is I can choose to "self-classify" our application as EAR99 instead of ECCN 5D992 (mass market) or 5D002 (not mass market). This also means I do not need to create an export item in a SNAP-R work item. :)

This is the full email I received from the BIS rep to walk me through classifying software as a mass market commodity:

An Encryption Registration Number (ERN) must be obtained before export. An ERN is something you obtain once and use forever or until the information you provide changes. Obtaining an ERN takes only a few minutes of work. You will receive the ERN within about an hour of submitting the request. After that, always include it on the additional information block of any classification request and use it on the subject line of your Supplement 8 to Part 742 reports.

If you cannot submit the request for an ERN immediately and understand that you are not authorized to export until you do so, please respond stating the same and I will issue the classification with the ERN required language on the face of it. I prefer that you go ahead and request an Encryption Registration Number (ERN) and reply to this request with your ERN. I will put your ERN in the additional information block and issue the CCATS without reference to the ERN.

In the future, please always include your ERN in the additional information block as required by the regulations for classification of items described by Sections 740.17(b)(2) or (b)(3) and 742.15(b)(3) of the EAR. Even items authorized by 740.17(b)(1) or 742.15(b)(1) require an encryption registration prior to export. Therefore, it usually makes sense to obtain and provide the ERN in the additional information block prior to making a classification request even for "B1" requests.

HOW TO OBTAIN AN ERN:

On the main BIS Website www.bis.doc.gov, click on the word "Encryption" under the Policy Guidance pull down menu. This brings up the main encryption web page. There are two blue boxes in the first column on the left side of the page; however, you may have to scroll down to find the second blue box. The second blue box says "Encryption Links" and is a set of important encryption regulations including Supp. 5 to Part 742. Choose the regulation "Supplement No. 5 to Part 742." Copy the Supplement 5 questions into a word processing document. Answer the questions and PDF your response. Open SNAP-R and select "Create work item". From the list of work item types select "Encryption Registration." Attach the .pdf you just created and submit. Within an hour, the computer should respond with your ERN, "A number beginning with 'R'". Provide me with that number and put it in Block 24 "additional information" on all future encryption CCATS work items.

TMI...I know. Anyone read this far?
