Controlled Software and Encryption

Export control regulations enumerated in the ITAR and the EAR govern both software and encryption. Both the physical export and the sharing of software and encryption may be highly controlled under export regulations. This applies to software and encryption received from another party, as well as software and encryption developed at the university.

Export Controls and “Strong” Encryption:

Strong dual-use encryption, addressed in Category 5 Part II of the EAR’s Commerce Control List (CCL) at 5A002 (encrypted hardware) and 5D002 (encryption software), is defined as:

  • Employing a symmetric algorithm with a key length in excess of 56 bits;
  • Employing an asymmetric algorithm based on:
      ◦ A factorization of integers in excess of 512 bits (i.e. RSA);
      ◦ Computation of discrete logarithms in a multiplicative group of a finite field of size greater than 512 bits (i.e. Diffie-Hellman over Z/pZ);
      ◦ Discrete logarithms in a group in excess of 112 bits (i.e. Diffie-Hellman over an elliptic curve);
  • Designed or modified to perform dual-use cryptanalytic functions;
  • Designed or modified to use quantum cryptography;
  • Specially designed or modified to reduce the compromising emanations of information bearing signals beyond that necessary for health, safety or electromagnetic interference;
  • Using cryptographic techniques to generate the spreading code for dual-use spread spectrum systems including the hopping code for frequency hopping systems;
  • Using cryptographic techniques to generate channelizing codes, scrambling codes or network identification codes for systems using ultra-wideband modulation techniques;
  • Using cryptography in communications cable systems designed or modified to detect surreptitious intrusion using mechanical, electrical or electronic means.

Strong dual-use encryption software is NOT:

  • Cryptographic code limited to authentication and digital signature including associated key management functions;
  • Software using fixed data compression or coding techniques;
  • Encryption/decryption code designed to protect libraries, design attributes or associated data for the design of semiconductor devices or integrated circuits.

It is important to note that many encryption products contain “strong” encryption.

The sharing, shipping, transmission, or transfer of almost all dual-use encryption software in either source code or object code is subject to the Export Administration Regulations. Even most of today’s publicly available dual-use encryption software, which uses “strong” encryption, is captured by the EAR and requires the availability of a License Exception to exit the US. If you wish to send or transmit products containing strong encryption to a foreign person, please contact Export Control for assistance.

Publicly available software containing strong encryption: The release of even publicly available strong encryption software is carefully regulated. While publicly available (i.e. open-source) software is exempt from export control, export controls may still apply when that software contains strong encryption. Before strong dual-use encryption code is made publicly available via the internet or otherwise placed electronically in the public domain, exporters must provide the US Government with either a copy of the strong dual-use encryption code or a one-time notification of the internet location (URL) of the code. This must be done before making the software publicly available. Notification after transmission or transfer of the software outside the US is an export control violation.

Software Received or Purchased from Another Party:

Before purchasing or receiving non-public software, FIU personnel should determine the export control classification of the software. The classification may be listed on the manufacturer’s website, and the manufacturer should be able to provide this information. If the export classification (ECCN or USML#) cannot be obtained on the web or by phone, please contact Export Control for assistance.

Providing access to export-controlled software to a foreign person may constitute an export violation, even when that access occurs on-campus. In many cases, control is only required around the software source code, and users can access the software interface without restrictions. Export Control will work with FIU faculty and staff to determine how to make controlled software as accessible as possible. If you know or determine that software is controlled and/or contains strong encryption, please contact Export Control before installing the software or providing access to the software.

Software Developed at or by FIU:

Most software developed at or by FIU is the product of non-proprietary, fundamental research and will be made publicly available. To reinforce this, researchers should upload FIU-generated software onto a publicly available website as soon as possible. Access to the code must not include login requirements or other password or authentication procedures. Prior to uploading software that contains “strong” encryption (see above), please contact Export Control for assistance.

Software developed during the course of controlled research (such as proprietary software developed for an industry sponsor) is export controlled and must not be uploaded to a cloud-based system or to a website without approval from Export Control. Export Control will work with faculty and ITS to determine appropriate procedures for working with and sharing controlled software.

Lastly, US person researchers should also be aware that without US government approval, US persons are prohibited from providing technical assistance (i.e., instruction, skills training, working knowledge, consulting services) to a foreign person with the intent to assist in the overseas development or manufacture of dual-use encryption software or hardware employing strong encryption code. This prohibition does NOT limit FIU personnel from teaching or discussing general information about cryptography software development that arises during FIU fundamental research.