CCATS on iOS AppStore and encryption


Problem description



This is going to be one long question... Actually a set of related questions... I want to make an iOS app that will be sold on Apple's App Store (obviously). My app will store some sensitive user data in the Documents directory. For security reasons I thought of a cryptosystem that will secure that data. Here the fun starts... That data security mechanism will be virtually unbreakable. I will be using AES-128/256, TwoFish 128/256 and Serpent 128/256. The user can select what to use where... I may be using dual encryption, data being encrypted once with AES and then with Serpent, or any combination of those.

I obviously need to check the "uses encryption" button on the app store. The problem is:

1) what certification do I need CCATS or just ERN?

From :

http://tigelane.blogspot.ro/2011/01/apple-itunes-export-restrictions-on.html

  1. Go to this link and use his instructions. This is a great post: http://zetetic.net/blog/2009/08/03/mass-market-encryption-commodity-classification-for-iphone-applications-in-8-easy-steps/
  2. Do steps 1 and 2 for all cases. If you built your own encryption mechanism, then follow the entire post. If you used SSL or other public domain encryption, then you can stop after you have your SNAP-R account.

Apparently I need to do the whole certification process... I definitely made my own mechanism.

2) Can the full CCATS be done 100% online?

In that "8 easy steps" post it said I need to send some documents by (snail)mail. Then later on a user said that it is not necessary anymore. Note: those blog posts seem old (2 years).

Excellent description! FYI: The process for obtaining a CIN/PIN for SNAP-R is now entirely electronic

Another user said:

You might want to consider updating your post. I've just been told by a BIS Counsellor that it's no longer necessary to snail mail in hard copies of your application form and supporting documentation. It may be something trivial to some but wasting $80 on international shipping is $80 down the drain.

I hope I don't need to send all the documents by mail, as it will take a while to get them to the US from the EU.

Has anyone in the EU used the ERN/ CCATS process recently?

3) I also saw that they ask you for a fax number... I don't have a fax. Is that a big problem?

If really necessary would an online fax service be ok?

4) Do I need to explain the whole encryption mechanism in detail? Or just the algorithms? Can I be rejected for having a "too good for mass market encryption cryptosystem"?

Mostly, do I need to explain or declare that some data will be encrypted twice? Or is "will store data encrypted on disk" a good enough explanation?

5) I will be using some password extension algorithms and hashing (HMAC, with SHA-2, maybe SHA-3)... do I need to report those too?

Solution

stormCloud's answer is great. I called BIS, and talked to a rep for an hour covering a lot of theoretical details. I also learned (the rep said the rep shouldn't tell me this) that they are annoyed with people that just call instead of trying to figure out the process first. So, I wanted to share what I found as a result of calling BIS as of 9/24/2013.

Document references:

All pertinent documents are listed on this page. The documents links are listed on the left and center of this webpage in a group titled "Encrypted Links".

What to do with them:

In the document "Supplement 1 to part 774 Category 5 part ii", see "Note 4" to determine whether all of the primary functions of your app are exempt from category 5, section 2. The language is confusing. There is at least one double negative in there. If in doubt, just classify as a mass market commodity.

The rep urged me to consider not only whether the primary functions are exempt per intended use, but whether they would be exempt if users used the app any other way. Again, if in doubt, classify as a mass market commodity.

If you choose to classify as a mass market commodity, you will need to refer to three documents. See 740.17 to determine whether your software should be classified as B1, B2, or B3. B2x types definitely need to be classified as a mass market commodity. I did not clarify whether B1 or B2 types need to be classified as mass market commodities.
Supplement 5 pertains to classifying Bx types. You'll copy this document and fill in the relevant info, to in turn submit with your SNAP-R work item.
Additionally see Supplement 8 per the reports you must submit in January.

Our conclusion for our app:

Our particular application is not (yet) categorized under category 5, part 2. What this means is I can choose to "self-classify" our application as EAR99 instead of ECCN 5D992 (mass market) or 5D002 (not mass market). This also means I do not need to create an export item in a SNAP-R work item. :)

This is the full email I received from the BIS rep to walk me through classifying software as a mass market commodity:

An Encryption Registration Number (ERN) must be obtained before export. An ERN is something you obtain once and use forever or until the information you provide changes. Obtaining an ERN takes only a few minutes of work. You will receive the ERN within about an hour of submitting the request. After that, always include it on the additional information block of any classification request and use it on the subject line of your Supplement 8 to Part 742 reports.

If you cannot submit the request for an ERN immediately and understand that you are not authorized to export until you do so, please respond stating the same and I will issue the classification with the ERN required language on the face of it. I prefer that you go ahead and request an Encryption Registration Number (ERN) and reply to this request with your ERN. I will put your ERN in the additional information block and issue the CCATS without reference to the ERN.

In the future, please always include your ERN in the additional information block as required by the regulations for classification of items described by Sections 740.17(b)(2) or (b)(3) and 742.15(b)(3) of the EAR. Even items authorized by 740.17(b)(1) or 742.15(b)(1) require an encryption registration prior to export. Therefore, it usually makes sense to obtain and provide the ERN in the additional information block prior to making a classification request even for "B1" requests.

HOW TO OBTAIN AN ERN:

On the main BIS Website www.bis.doc.gov, click on the word "Encryption" under the Policy Guidance pull down menu. This brings up the main encryption web page. There are two blue boxes in the first column on the left side of the page; however, you may have to scroll down to find the second blue box. The second blue box says "Encryption Links" and is a set of important encryption regulations including Supp. 5 to Part 742.

  1. Choose the regulation "Supplement No. 5 to Part 742."
  2. Copy the Supplement 5 questions into a word processing document.
  3. Answer the questions and PDF your response.
  4. Open SNAP-R and select "Create work item".
  5. From the list of work item types select "Encryption Registration."
  6. Attach the .pdf you just created and submit.
  7. Within an hour, the computer should respond with your ERN, a number beginning with 'R'.
  8. Provide me with that number and put it in Block 24 "additional information" on all future encryption CCATS work items.

TMI...I know. Anyone read this far?
