Office of Research Security and Regulatory Trade Compliance
Export Control
Controlled Software and Encryption
Export control regulations enumerated in the ITAR and EAR govern both software and encryption. Both the physical export and the sharing of software and encryption may be highly controlled under export regulations. This applies to software and encryption received from another party, as well as software and encryption developed at Oklahoma State University.
Export Controls of “Strong” Encryption:
Strong Dual-Use encryption, addressed in Category 5 Part II of EAR’s Commerce Control List (CCL) at 5A002 (encrypted hardware) and 5D002 (encryption software), is defined as:
- Employing a symmetric algorithm with a key length in excess of 56 bits;
- Employing an asymmetric algorithm based on:
  - A factorization of integers in excess of 512 bits;
  - Computation of discrete logarithms in a multiplicative group of a finite field of size greater than 512 bits (i.e., Diffie-Hellman over Z/pZ);
  - Discrete logarithms in a group in excess of 112 bits (i.e., Diffie-Hellman over an elliptic curve);
- Designed or modified to perform dual-use cryptanalytic functions;
- Designed or modified to use quantum cryptography;
- Specially designed or modified to reduce the compromising emanations of information bearing signals beyond that necessary for health, safety, or electromagnetic interference;
- Using cryptographic techniques to generate the spreading code for dual-use spread spectrum systems including the hopping code for frequency hopping systems;
- Using cryptographic techniques to generate channelizing codes, scrambling codes or network identification codes for systems using ultra-wideband modulation techniques;
- Using cryptography in communications cable systems designed or modified to detect surreptitious intrusion using mechanical, electrical or electronic means.
Strong dual-use encryption is NOT:
- Cryptographic code limited to authentication and digital signature including associated key management functions;
- Software using fixed data compression or coding techniques;
- Encryption/decryption code designed to protect libraries, design attributes or associated data for the design of semiconductor devices or integrated circuits.
It is important to note that many encryption products contain “strong” encryption.
The sharing, shipping, transmission, or transfer of almost all dual-use encryption software in either source code or object code is subject to EAR. Even most of today’s publicly available dual-use encryption software, which uses “strong” encryption, is captured by the EAR and requires the availability of a License Exception to exit the U.S. If you wish to send or transmit products containing strong encryption to a foreign person, please contact Export Control for assistance.
Publicly available software containing strong encryption:
The release of even publicly available strong encryption software is carefully regulated. While publicly available (i.e., open-source) software is exempt from export control, when that software contains strong encryption, export controls may still apply. Before strong dual-use encryption code is made publicly available via the internet or otherwise placed electronically in the public domain, exporters must provide the U.S. Government with either a copy of the strong dual-use encryption code or a one-time notification of the internet location (URL) of the code. This must be completed before making the software publicly available. Notification after transmission or transfer of the software outside the U.S. is an export control violation.
Software Received or Purchased from Another Party:
Before purchasing or receiving non-public software, OSU personnel should determine the export control classification of the software. The classification may be listed on the manufacturer's website, and the manufacturer should be able to provide this information. If the export classification (ECCN or USML#) cannot be obtained on the web or by phone, please contact the Export Control Office for assistance.
Providing access to export-controlled software to a foreign person may constitute an export violation, even when that access occurs on-campus. In many cases, control is only required around the software source code, and users can access the software interface without restrictions. The Export Control Office will work with Oklahoma State University faculty and staff to determine how to make controlled software as accessible as possible. If you know or determine that software is controlled and/or contains strong encryption, please contact the Export Control Office before installing the software or providing access to the software.
Software Developed at/of/by OSU:
Most software developed at or by OSU is the product of non-proprietary, fundamental research and will be made publicly available. To reinforce this, researchers should upload OSU-generated software onto a publicly available website as soon as possible. Access to the code must not include login requirements or other password or authentication procedures. Prior to uploading software that contains “strong” encryption, please contact the Export Control Office for assistance.
Software developed during the course of controlled research (such as proprietary software developed for an industry sponsor) is export controlled and must not be uploaded to a cloud-based system or to a website without approval from Export Control. Export Control will work with faculty and OSU IT to determine appropriate procedures for working with and sharing controlled software.
Finally, U.S. person researchers should also be aware that without U.S. government approval, U.S. persons are prohibited from providing technical assistance (i.e., instruction, skills training, working knowledge, consulting services) to a foreign person with the intent to assist in the overseas development or manufacture of dual-use encryption software or hardware employing strong encryption code. This prohibition does NOT limit OSU personnel from teaching or discussing general information about cryptography software development that arises during OSU fundamental research.