Categories of cryptographic means

From IFCG Encyclopedia

What are encryption (cryptographic) means?

Encryption (cryptographic) means (hereafter – ECM) are hardware and software tools, devices and systems that utilize algorithms of cryptographic transformation of information and are intended for protection of information against unauthorized access during its transmission, processing or storage.

Categories of ECM

Cryptographic means are listed in article 2.19 of annex 2 to the Decision of the Board of the Customs Union Commission No 30 of April 21, 2015. However, according to the Regulation, a notification can only be registered for products that fall into one (or several) of the twelve categories. These categories are listed and explained in the table below.


Number of category Description Comments
1 Products that include encryption (cryptographic) means that contain any of the following:
1) symmetric cryptographic algorithm using cryptographic key not longer than 56 bits;
2) asymmetric cryptographic algorithm based on any of the following methods:
  • factorization of integers not longer than 512 bits;
  • calculation of discrete logarithms in multiplicative group of the finite field with elements no longer than 512 bits;
  • discrete logarithm in the group of the finite field different from those mentioned in the third paragraph of this clause with elements no longer than 112 bits.
Notes:
1. Key length does not include parity bits.
2. The term “cryptography” does not refer to the fixed data compression or encoding methods.
An ECM falls into this category if the length of the cryptographic key is short (56 bits).

Using a short cryptographic key is easier to implement but insecure.


Examples: in general, any device or software may use outdated algorithms or modern algorithms with short keys. One obvious example is Wi-Fi in WEP mode, which uses a 40-bit cryptographic key.

2 Products that include encryption (cryptographic) means and have the following restricted functions:
1) authentication, comprising all the aspects of access control without the encryption of files and texts except for the encryption directly related to protection of passwords, personal identification numbers and other similar data from unauthorized access;
2) digital signature (e-signature).
Note.
Authentication and digital signature (e-signature) functions include related key distribution function.
Password-protected, key or token protected products.

Authentication means confirming that the entered password or other key data matches the information stored in the device’s memory.


Examples:

1) devices that require password or token to access certain (or all) functions: gateways, routers, laptops, smartphones, etc.;
2) digital signature creation software/hardware, e-signature software, key storage devices.
3 Encryption (cryptographic) means included in software operating systems, cryptographic functions of which cannot be altered by users, designed to be installed by users themselves without significant further manufacturer’s support and technical specification (description of cryptographic transformation algorithms, interaction protocols, declarations of interfaces, etc.) for which is freely available to the users.
This category includes software operating systems and products using them.


Examples: Windows OS, Android OS, Linux OS, smartphones, PCs and laptops, terminals.

4 Personal smart cards:
1) with cryptographic capabilities restricted to use in product categories from clauses 5-8 of this List;
2) generally available for use, with cryptographic capabilities inaccessible to user and that are specially designed to have limited stored data protection abilities.
Note. If the personal smart card supports several functions, control status of each one is defined separately.
Personal smart cards are plastic cards with an embedded microchip. Most smart cards have a microprocessor and an operating system that controls the device and access to the data stored in the device’s memory.


Examples: cell operators’ SIM-cards, bank cards with chips (microprocessors), smart identification cards for various purposes (e.g. transport tickets).

5 Receivers for radio broadcasting, commercial TV or similar commercial equipment for broadcasting to limited audience without encryption of the digital signal, with exception of encryption being used only for video and audio channels management, delivery of invoices or sending the information related to the program back to the broadcast provider.
This category includes radio, TV and IPTV signal receiving products that are also intended for providing access to pay TV and radio channels.


Examples: TV-tuners, TV signal receivers, satellite TV receivers.

6 Equipment with cryptographic capabilities inaccessible to user that is purposely designed and restricted for use in any of the following ways:
1) copy protected software;
2) access to any of the following:
  • Copy protected content stored on read-only electronic data storage device;
  • Encrypted information stored on electronic data storage devices publicly sold in identical complete sets;
3) copy control of copyright protected audio and video information.
Any device or storage media capable of cryptographic copy protection or digital rights management (DRM).


Examples: video game consoles, video game CDs, software, etc.

7 Encryption (cryptographic) equipment purposely designed for and restricted to use for banking or financial operations.

Note. Financial operations include transport fees and credit.

Examples: cash machines (ATMs), points-of-sale, terminals, etc.

Note: bank cards fall into category No 4.

8 Portable or mobile civil radio-electronic devices (for example, designed for use in civil commercial cellular radio communication) not capable of end-to-end encryption (user-to-user).
This category includes cellphones (and other cellular devices, e.g. tablets, some laptops, modems, etc.) that use GSM, GPRS, EDGE, UMTS, LTE and other cellular standards, as well as certain radio sets.

The main requirement is lack of end-to-end encryption capacity, so that communication between users is possible only through a retransmitting device that decrypts (and re-encrypts) the data.


Examples: cellphones, tablets, laptops, etc.

9 Wireless radio-electronic equipment encrypting information only in radio channel with maximum range of wireless coverage less than 400 m without amplification and retransmission according to manufacturer’s specifications.
This category includes radio-electronic devices with short range of wireless coverage that use encryption to protect the transmitted information.

Namely, these wireless technologies fall into this category: Wi-Fi, Bluetooth, NFC. It is worth noting that cellular standards (GSM, etc.) fall into category No 8.


Examples: routers, cellphones, tablets, laptops, wireless headsets, wireless mice/keyboards, etc.

10 Encryption (cryptographic) means used for protection of technological channels of information and telecommunication systems and communication networks.
This category includes special network devices that perform certain management and service functions. These devices may use encryption to securely receive network administrator commands and protect provided information about network state and configuration.


Examples: servers, LAN switches, routers.

11 Products with cryptographic functions blocked by the manufacturer.
Any product may be included in this category provided that some (or all) cryptographic capabilities are permanently disabled by the manufacturer and are not accessible to the end user.

12 Other products that contain encryption (cryptographic) means different from those described in clauses 1-11 of this list that:
1) are available at public retail sale points for purchase without restrictions under the law of a Eurasian Economic Union member state by:
  • cash;
  • order by mail;
  • electronic transactions;
  • order by phone;
2) have encryption (cryptographic) functions that cannot be easily altered by users;
3) are designed for installation by end users without significant further manufacturer’s support;
4) technical documentation confirming that the products meet the requirements listed in paragraphs 1-3 of this clause is freely available and can be provided to the approving authority by the manufacturer (the person authorized by the manufacturer) upon request.
Products with cryptographic function not listed above.

Requirements of this category must be met and be verifiable, e.g.:

  • for requirement 1), products should be sold in shops or be available for purchase from the manufacturer’s website;
  • requirements 2) and 3) should be clearly stated in the product’s documentation (or on the manufacturer’s website);
  • the documentation mentioned in 4) should be available and downloadable (FSS may request such documentation from the manufacturer if it is not publicly available).

FSS performs a thorough check of the product and its documentation and usually extends the registration period to do so.
