Textual Amendments
5A002, 5D002.a.1., 5D002.b. and 5D002.c.1. do not control items as follows:
Items that meet all of the following:
Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
Over-the-counter transactions;
Mail order transactions;
Electronic transactions; or
Telephone call transactions;
The cryptographic functionality cannot easily be changed by the user;
Designed for installation by the user without further substantial support by the supplier; and
When necessary, details of the goods are accessible and will be provided, upon request, to the [F2Secretary of State] in order to ascertain compliance with conditions described in paragraphs 1. to 3. above;
Hardware components or ‘executable software’, of existing items described in paragraph a. of this Note, that have been designed for these existing items, meeting all of the following:
"Information security" is not the primary function or set of functions of the component or ‘executable software’;
The component or ‘executable software’ does not change any cryptographic functionality of the existing items, or add new cryptographic functionality to the existing items;
The feature set of the component or ‘executable software’ is fixed and is not designed or modified to customer specification; and
For the purpose of the Cryptography Note, ‘executable software’ means "software" in executable form, from an existing hardware component excluded from 5A002 by the Cryptography Note.
Textual Amendments
F2Words in Annex 1 substituted (31.12.2020) by virtue of The Trade etc. in Dual-Use Items and Firearms etc. (Amendment) (EU Exit) Regulations 2019 (S.I. 2019/771), regs. 1, 3(22)(f) (with reg. 5) (as amended by S.I. 2020/1502, regs. 2(3), 10); 2020 c. 1, Sch. 5 para. 1(1)
The item is of potential interest to a wide range of individuals and businesses; and
The price and information about the main functionality of the item are available before purchase without the need to consult the vendor or supplier. A simple price enquiry is not considered to be a consultation.
[5A002] "Information security" systems, equipment and components, as follows:
Designed or modified to use ‘cryptography for data confidentiality’ having a ‘described security algorithm’, where that cryptographic capability is usable, has been activated, or can be activated by any means other than secure "cryptographic activation", as follows:
Items having "information security" as a primary function;
Digital communication or networking systems, equipment or components, not specified in 5A002.a.1.;
Computers, other items having information storage or processing as a primary function, and components therefor, not specified in 5A002.a.1. or 5A002.a.2.;
Items, not specified in 5A002.a.1. to 5A002.a.3., where the ‘cryptography for data confidentiality’ having a ‘described security algorithm’ meets all of the following:
It supports a non-primary function of the item; and
It is performed by incorporated equipment or "software" that would, as a standalone item, be specified in Category 5 – Part 2.
"Authentication";
Digital signature;
Data integrity;
Non-repudiation;
Digital rights management, including the execution of copy-protected "software";
Encryption or decryption in support of entertainment, mass commercial broadcasts or medical records management; or
Key management in support of any function described in paragraph a. to f. above.
A "symmetric algorithm" employing a key length in excess of 56 bits, not including parity bits;
An "asymmetric algorithm" where the security of the algorithm is based on any of the following:
Factorisation of integers in excess of 512 bits (e.g., RSA);
Computation of discrete logarithms in a multiplicative group of a finite field of size greater than 512 bits (e.g., Diffie-Hellman over Z/pZ); or
Discrete logarithms in a group other than mentioned in paragraph b.2. in excess of 112 bits (e.g., Diffie-Hellman over an elliptic curve); or
An "asymmetric algorithm" where the security of the algorithm is based on any of the following:
Shortest vector or closest vector problems associated with lattices (e.g., NewHope, Frodo, NTRUEncrypt, Kyber, Titanium);
Finding isogenies between Supersingular elliptic curves (e.g., Supersingular Isogeny Key Encapsulation); or
Decoding random codes (e.g., McEliece, Niederreiter).
An algorithm described by Technical Note 2.c. may be referred to as being post-quantum, quantum-safe or quantum-resistant.
Whether the item meets the criteria of 5A002.a.1. to 5A002.a.4.; or
Whether the cryptographic capability for data confidentiality specified in 5A002.a. is usable without "cryptographic activation".
Smart cards and smart card ‘readers/writers’ as follows:
A smart card or an electronically readable personal document (e.g., token coin, e-passport) that meets any of the following:
The cryptographic capability meets all of the following:
It is restricted for use in any of the following:
Equipment or systems not described by 5A002.a.1. to 5A002.a.4.;
Equipment or systems not using ‘cryptography for data confidentiality’ having a ‘described security algorithm’; or
Equipment or systems, excluded from 5A002.a., by paragraphs b. to f. of this Note; and
It cannot be reprogrammed for any other use; or:
Having all of the following:
It is specially designed and limited to allow protection of ‘personal data’ stored within;
Has been, or can only be, personalised for public or commercial transactions or individual identification; and
Where the cryptographic capability is not user-accessible;
‘Personal data’ includes any data specific to a particular person or entity, such as the amount of money stored and data necessary for "authentication".
Cryptographic equipment specially designed and limited for banking use or ‘money transactions’;
‘Money transactions’ in 5A002.a. Note 2.b. includes the collection and settlement of fares or credit functions.
Portable or mobile radiotelephones for civil use (e.g., for use with commercial civil cellular radio communication systems) that are not capable of transmitting encrypted data directly to another radiotelephone or equipment (other than Radio Access Network (RAN) equipment), nor of passing encrypted data through RAN equipment (e.g., Radio Network Controller (RNC) or Base Station Controller (BSC));
Cordless telephone equipment not capable of end-to-end encryption where the maximum effective range of unboosted cordless operation (i.e. a single, unrelayed hop between terminal and home base station) is less than 400 metres according to the manufacturer’s specifications;
Portable or mobile radiotelephones and similar client wireless devices for civil use, that implement only published or commercial cryptographic standards (except for anti-piracy functions, which may be non-published) and also meet the provisions of paragraphs a.2. to a.4. of the Cryptography Note (Note 3 in Category 5, Part 2), that have been customised for a specific civil industry application with features that do not affect the cryptographic functionality of these original non-customised devices;
Items, where the "information security" functionality is limited to wireless "personal area network" functionality, implementing only published or commercial cryptographic standards;
Mobile telecommunications Radio Access Network (RAN) equipment designed for civil use, which also meet the provisions of paragraphs a.2. to a.4. of the Cryptography Note (Note 3 in Category 5, Part 2), having an RF output power limited to 0,1 W (20 dBm) or less, and supporting 16 or fewer concurrent users;
Routers, switches, gateways or relays, where the "information security" functionality is limited to the tasks of "Operations, Administration or Maintenance" ("OAM") implementing only published or commercial cryptographic standards; or
General purpose computing equipment or servers, where the "information security" functionality meets all of the following:
Uses only published or commercial cryptographic standards; and
Is any of the following:
Integral to a CPU that meets the provisions of Note 3 to Category 5–Part 2;
Integral to an operating system that is not specified in 5D002; or
Limited to "OAM" of the equipment.
Items specially designed for a ‘connected civil industry application’, meeting all of the following:
Being any of the following:
A network-capable endpoint device meeting any of the following:
The "information security" functionality is limited to securing ‘non-arbitrary data’ or the tasks of "Operations, Administration or Maintenance" ("OAM"); or
The device is limited to a specific ‘connected civil industry application’; or
Networking equipment meeting all of the following:
Being specially designed to communicate with the devices specified in paragraph j.1.a. above; and
The "information security" functionality is limited to supporting the ‘connected civil industry application’ of devices specified in paragraph j.1.a. above, or the tasks of "OAM" of this networking equipment or of other items specified in paragraph j. of this Note; and
Where the "information security" functionality implements only published or commercial cryptographic standards, and the cryptographic functionality cannot easily be changed by the user.
Being a ‘cryptographic activation token’;
A ‘cryptographic activation token’ is an item designed or modified for any of the following:
Converting, by means of "cryptographic activation", an item not specified in Category 5 – Part 2 into an item specified in 5A002.a. or 5D002.c.1., and not released by the Cryptography Note (Note 3 in Category 5 – Part 2); or
Enabling, by means of "cryptographic activation", additional functionality specified in 5A002.a. of an item already specified in Category 5 – Part 2.
Designed or modified to use or perform "quantum cryptography";
"Quantum cryptography" is also known as Quantum Key Distribution (QKD).
Designed or modified to use cryptographic techniques to generate channelising codes, scrambling codes or network identification codes, for systems using ultra-wideband modulation techniques and having any of the following:
A bandwidth exceeding 500 MHz; or
A "fractional bandwidth" of 20 % or more;
Designed or modified to use cryptographic techniques to generate the spreading code for "spread spectrum" systems, other than those specified in 5A002.d., including the hopping code for "frequency hopping" systems.
[5A003] Systems, equipment and components, for non-cryptographic "information security", as follows:
Communications cable systems designed or modified using mechanical, electrical or electronic means to detect surreptitious intrusion;
Specially designed or modified to reduce the compromising emanations of information-bearing signals beyond what is necessary for health, safety or electromagnetic interference standards.
[5A004] Systems, equipment and components for defeating, weakening or bypassing "information security", as follows:
Designed or modified to perform ‘cryptanalytic functions’.
‘Cryptanalytic functions’ are functions designed to defeat cryptographic mechanisms in order to derive confidential variables or sensitive data, including clear text, passwords or cryptographic keys.
Items, not specified in 4A005 or 5A004.a., designed to perform all of the following:
‘Extract raw data’ from a computing or communications device; and
Circumvent "authentication" or authorisation controls of the device, in order to perform the function described in 5A004.b.1.
‘Extract raw data’ from a computing or communications device means to retrieve binary data from a storage medium (e.g., RAM, flash or hard disk) of the device without interpretation by the device’s operating system or filesystem.
Debuggers, hypervisors;
Items limited to logical data extraction;
Data extraction items using chip-off or JTAG; or
Items specially designed and limited to jail-breaking or rooting.
[5B002] "Information security" test, inspection and "production" equipment, as follows:
Equipment specially designed for the "development" or "production" of equipment specified in 5A002, 5A003, 5A004 or 5B002.b.;
Measuring equipment specially designed to evaluate and validate the "information security" functions of the equipment specified in 5A002, 5A003 or 5A004, or of "software" specified in 5D002.a. or 5D002.c.
None.
[5D002] "Software" as follows:
"Software" specially designed or modified for the "development", "production" or "use" of any of the following:
Equipment specified in 5A002 or "software" specified in 5D002.c.1.;
Equipment specified in 5A003 or "software" specified in 5D002.c.2.; or
Equipment or "software", as follows:
Equipment specified in 5A004.a. or "software" specified in 5D002.c.3.a.;
Equipment specified in 5A004.b. or "software" specified in 5D002.c.3.b.
"Software" having the characteristics of a ‘cryptographic activation token’ specified in 5A002.b.;
"Software" having the characteristics of, or performing or simulating the functions of, any of the following:
Not used.
[5E002] "Technology" as follows:
"Technology" according to the General Technology Note for the "development", "production" or "use" of equipment specified in 5A002, 5A003, 5A004 or 5B002, or of "software" specified in 5D002.a. or 5D002.c.
"Technology" having the characteristics of a ‘cryptographic activation token’ specified in 5A002.b.