The Wassenaar Arrangement - Dual-Use and Munitions Lists - July 1996


CATEGORY 5 - PART 2 - "INFORMATION SECURITY"

Part 2 - "INFORMATION SECURITY"

Note  The control status of "information security" equipment, "software", systems, application specific "electronic assemblies", modules, integrated circuits, components or functions is determined in Category 5, Part 2 even if they are components or "electronic assemblies" of other equipment.

5.A.2. SYSTEMS, EQUIPMENT AND COMPONENTS

a. Systems, equipment, application specific "electronic assemblies", modules and integrated circuits for "information security", as follows, and other specially designed components therefor:

N.B: For the control of global navigation satellite systems receiving equipment containing or employing decryption (i.e. GPS or GLONASS), see 7.A.5.

1. Designed or modified to use "cryptography" employing digital techniques to ensure "information security";

2. Designed or modified to perform cryptanalytic functions;

3. Designed or modified to use "cryptography" employing analogue techniques to ensure "information security";

Note  5.A.2.a.3. does not control the following:

1. Equipment using "fixed" band scrambling not exceeding 8 bands and in which the transpositions change not more frequently than once every second;

2. Equipment using "fixed" band scrambling exceeding 8 bands and in which the transpositions change not more frequently than once every ten seconds;

3. Equipment using "fixed" frequency inversion and in which the transpositions change not more frequently than once every second;

4. Facsimile equipment;

5. Restricted audience broadcast equipment;

6. Civil television equipment.

4. Designed or modified to suppress the compromising emanations of information-bearing signals;

Note  5.A.2.a.4. does not control equipment specially designed to suppress emanations for reasons of health and safety.


5. Designed or modified to use cryptographic techniques to generate the spreading code for "spread spectrum" or the hopping code for "frequency agility" systems;

6. Designed or modified to provide certified or certifiable "multilevel security" or user isolation at a level exceeding Class B2 of the Trusted Computer System Evaluation Criteria (TCSEC) or equivalent;

7. Communications cable systems designed or modified using mechanical, electrical or electronic means to detect surreptitious intrusion.

Note  5.A.2. does not control:

a. "Personalized smart cards" or specially designed components therefor, with any of the following characteristics:

1. Not capable of message traffic encryption or encryption of user-supplied data or related key management functions therefor; or

2. When restricted for use in equipment or systems excluded from control under entries 1. to 6. of the Note to 5.A.2.a.3. or under entries b. to h. of this Note;

b. Equipment containing "fixed" data compression or coding techniques;

c. Receiving equipment for radio broadcast, pay television or similar restricted audience television of the consumer type, without digital encryption and where digital decryption is limited to the video, audio or management functions;

d. Portable or mobile radiotelephones for civil use (e.g., for use with commercial civil cellular radiocommunications systems) that are not capable of end-to-end encryption;

e. Decryption functions specially designed to allow the execution of copy-protected "software", provided the decryption functions are not user-accessible;

f. Access control equipment, such as automatic teller machines, self-service statement printers or point of sale terminals, which protects password or personal identification numbers (PIN) or similar data to prevent unauthorized access to facilities but does not allow for encryption of files or text, except as directly related to the password or PIN protection;

g. Data authentication equipment which calculates a Message Authentication Code (MAC) or similar result to ensure no alteration of text has taken place, or to authenticate users, but does not allow for encryption of data, text or other media other than that needed for the authentication;

h. Cryptographic equipment specially designed and limited for use in machines for banking or money transactions, such as automatic teller machines, self-service statement printers or point of sale terminals.


5.B.2. TEST, INSPECTION AND PRODUCTION EQUIPMENT

a. Equipment specially designed for:

1. The "development" of equipment or functions controlled by Category 5 - Part 2, including measuring or test equipment;

2. The "production" of equipment or functions controlled by Category 5 - Part 2, including measuring, test, repair or production equipment;

b. Measuring equipment specially designed to evaluate and validate the "information security" functions specified in 5.A.2 or 5.D.2.

5.C.2. MATERIALS - None.

5.D.2. SOFTWARE

a. "Software" specially designed or modified for the "development", "production" or "use" of equipment or "software" controlled by Category 5 - Part 2;

b. "Software" specially designed or modified to support "technology" specified in 5.E.2.;

c. Specific "software", as follows:

1. "Software" having the characteristics, or performing or simulating the functions of the equipment specified in 5.A.2. or 5.B.2.;

2. "Software" to certify "software" specified in 5.D.2.c.1.

Note  5.D.2. does not control:

a. "Software" required for the "use" of equipment excluded from control under the Note to 5.A.2.;

b. "Software" providing any of the functions of equipment excluded from control under the Note to 5.A.2.

5.E.2. TECHNOLOGY

a. "Technology" according to the General Technology Note for the "development", "production" or "use" of equipment or "software" controlled by Category 5 - Part 2.



Hypertext by JYA/Urban Deadline.