
Cryptography and DCSSI

Warning

This guide is not a document from the DCSSI. It is written and provided by FSF France.

How to apply, step by step

If in doubt, phone the DCSSI on 00 33 (0)1 71 75 82 75 for questions about the administrative part and 00 33 (0)1 71 75 82 68 for questions about the technical part, or e-mail ssi41@wanadoo.fr (for either the administrative or the technical part). See also a description of the application process in the corresponding decree.

Determine the method
The description of the application process enables one to determine whether an authorisation, a statement (déclaration) or a simplified statement (déclaration simplifiée) is needed for this software and this particular version. The tables characterising the various types of cryptographic software are used as reference.

Obtain the forms
Authorisation or statement (déclaration): Simplified statement (déclaration):

How to fill in the forms
Follow the example of the requests written for GnuPG. The technical elements, which require strong competence in cryptography, are available in English, which facilitates dialogue with a non-francophone Free Software author. The technical part is available in English and gives an idea of the expected answers.

Collecting the required elements
Follow the example of the requests written for GnuPG. In the case of Free Software, the only additional elements are the source distribution and the Free Software licence.

It should be noted that in the case of a simplified statement (déclaration), there is no additional element as there is no technical part.

Covering letter
It is used to express concerns that do not fit within the frame proposed by the formal file. For example:

Constitute the application
The application consists of the completed forms and the required elements.

Send the application
Send three copies to the following address:
	      Secrétariat général de la défense nationale
	      DCSSI - Relations industrielles
	      51, boulevard de Latour-Maubourg
	      75700 PARIS 07 SP
	      FRANCE
	    

Wait for the receipt
When it receives the application, the DCSSI sends a receipt acknowledging reception of the file.

Wait for a possible request for additional information
If the application is not complete, which happens sometimes, the answer is a request for additional information. In the case of Free Software, the availability of the sources allows the DCSSI to work around gaps in the technical part and reduces the risk of such a request. The DCSSI has one month from the date mentioned on the receipt to request additional information.

Note that, since the simplified statement (déclaration) contains no technical elements, the request would only concern the administrative elements.

Correct the application and resend it
This stage repeats as often as necessary for the application to be complete.

The application is complete
From this point, the DCSSI has a response time that varies according to the nature of the application:
  • Authorisation: 4 months
  • Statement (déclaration): 1 month
  • Simplified statement (déclaration): not applicable

Reception of authorisations
One or more authorisations are given, for applications for authorisation only. For the statement (déclaration), the DCSSI sends a receipt for the statement (déclaration) as soon as it receives the application forms. The DCSSI doesn't send any other document; the applicant can then proceed freely, after a month, with the operation relating to the statement (déclaration). For the simplified statement (déclaration), one can consider that the reception of the receipt closes the application.

The delay is over
If the DCSSI doesn't reply within the allotted time, the authorisation or the statement (déclaration) is implicitly given.

Spread the authorisations to share the benefit

In the case of Free Software, it is in everybody's interest (individuals, governments, organisations, companies) that the benefit of the authorisations and statements (déclarations) obtained is shared. The authorisations and statements (déclarations) are name-specific, but their effects can propagate if the software is obtained from the owner of the authorisations and registrations. Becoming an intermediary requires no action in the case of Free Software, provided the owner of the authorisations and statements (déclarations) follows the method below. Every physical or moral person thus has the right to use, distribute, import and export the specific software.

We presume that the software has been qualified as general public (statement (déclaration)) and that an authorisation for general supply has been obtained.

Publication
  • Scan the authorisation
  • Scan the statement (déclaration)
  • Create a download website using resources belonging to the physical or moral person and located on French territory (hereafter referred to as the site).
  • Electronically sign the source (binary) version of the program, the authorisation and the statement (déclaration)
  • Install the source (binary) version of the program
  • Install the scan of the authorisation
  • Install the scan of the statement (déclaration)
  • Install the signatures
  • Allow unconditional access to the site

Importation
The physical or moral person who obtained the authorisation for general supply can import, from a foreign country, the version of the software for which a licence for general supply was obtained. He is the only one to have that right. By placing the program on the site, he allows anyone on French territory to have a copy imported in agreement with the DCSSI.

Use
A physical or moral person wishing to use the program can download it from the site. This constitutes the supply of a program which has been authorised (authorisation for general supply) by the DCSSI. Hence, the individual who has it has the right to use it.

Supply
Suppose a physical or moral person wishes to supply the program and wishes to prove that he can legitimately do so because of the authorisation for general supply. By downloading the program from the site and distributing it in turn, he becomes an intermediary and can, as such, benefit from the authorisation for general supply. The signature of the program and of the authorisation allows him to prove to a third person that the version of the program is actually the one that was subject to the authorisation and that he acts as an intermediary.

Exportation
Suppose a physical or moral person wishes to export the program and wishes to prove that he can legitimately do so because of the general public quality of the program. By downloading the program from the site and exporting it (via the internet or on a physical medium), he becomes an intermediary and can, as such, benefit from the classification of the program as general public, which implies the possibility of exporting it (without needing to ask for an export licence). The signature of the program and of the letter establishing the general public quality of the program allows him to prove to a third person that the version of the program is actually the one that has been authorised and that he acts as an intermediary.

Why do you need to apply?

In France, cryptology means and services are under governmental control. Supply, use (in the case of keys of more than 128 bits), import and export of cryptologic software are authorised on the express condition that a free application has been made with the DCSSI.

When the application has been successful (authorisation, statement (déclaration), simplified statement (déclaration)), it entails permission to act in a certain number of ways with the means (the software in the case of Free Software) or to supply certain services. What it is possible to do depends on the application and on the DCSSI's conclusion. See the summary tables covering all the possible cases.

The conclusions of the application with the DCSSI (authorisations, statement (déclaration)) concern a specific version of the product. Therefore, applying for GnuPG-1.0.4 doesn't automatically imply that the conclusions apply to GnuPG-1.0.1 or GnuPG-1.0.7.

Authorisations

When an application for an authorisation is accepted by the DCSSI, it delivers one or more authorisations. The authorisations delivered depend partly on the boxes ticked in the application file (of supply for a duration of and of export for a duration of ; see for example the application filled for GnuPG). In the end, it is the DCSSI which determines which authorisations are appropriate for a given application.

The qualification of general public (see Decree no 2001-1192, article 10, 5) and the authorisation for general supply are the most appropriate for Free Software.

Authorisation for general supply (AFG).
It concerns French territory. It permits the use, import and supply of the product (the software in the case of Free Software).

Authorisation for exportation.
It permits the exportation of the product subject to obtaining an individual or global licence.

Authorisation for exportation of general public software.
The act of exportation doesn't require additional forms; the authorisation is sufficient by itself.

One tricky point raised in the case of Free Software must be clarified. One necessary condition for the software to be considered general public is that "the cryptologic feature cannot be easily modified by the user" (Decree no 2001-1192, article 10, 5 b).

For proprietary software, the elements of the equation are a physical or moral person and a binary object (the product). For Free Software, the source code comes on top of that. One can then legitimately wonder about the consequences for the ease with which a user can modify the cryptographic feature.

Whether one has access to the source code or to the binary, it is always possible to modify the binary or the source with a text editor. This is an easy process for every user, but there is general agreement that the only result would be to make the software non-functional. Even if such a modification could be qualified as easy, and as a modification of cryptographic features, it would then apply to every software. This is an absurd case; we are in fact interested in the case of software that would enable an easy modification of its cryptographic features while remaining fully functional.

To set out to modify the cryptographic features, the user must first have mathematical notions and a detailed knowledge of the domain of cryptography. Without this theoretical background, he is very likely to try modifications that will render the software non-functional. Regardless of whether the sources or only the binary are available, this theoretical background is a prerequisite that makes the task more difficult.

Without the theoretical background, the user may try a modification by blindly following instructions supplied by a third person. In the case of binary cryptographic software, the instructions may be a small program automating the modifications. There are numerous programs of this kind available on the web. In the case of cryptographic software for which the sources are available, it would be a patch applied to the sources. It is essentially the same principle. In the case of a patch, however, the user needs to have the technical ability to rebuild a binary version of the cryptographic software, which is a little less easy. As in the case of random modifications rendering the software ineffective, the possibility of blindly following instructions exists for all cryptographic software (Free Software or not), so it cannot constitute a criterion for qualifying the modification of cryptographic features as easy.

Let us say that an individual has the necessary theoretical background and that he undertakes the modification of the cryptographic features without blindly following instructions. With a binary only, the individual must have high skills in assembler and recompilation tools, and experience of reverse engineering. With the source code, the individual must have high skills in the programming language and compilation tools. In short, he must have undergone studies in IT to effectively try a modification. Acquiring the necessary IT background is, in any case, a difficult process.

Finally, the product can, by design choice, enable an easy modification of cryptographic features. The product may, for example, contain an interface whose purpose is to allow the user to modify cryptographic features. It may be a graphical interface or a command line, and this implies that the software has been specifically designed to offer this possibility. It is then easy for the user to modify cryptographic features. However, this is a design choice that has no link with the availability of the source code of the cryptologic software.

To conclude, access to the source code doesn't necessarily imply that it is easy for the user to modify the cryptographic features. It is first of all a design choice which should be judged case by case, Free Software or not. The availability of the source code makes it possible for an individual willing to reach the required level of competency, but certainly not easy for the user, to modify the cryptographic features. That is the only place where the difference lies.

Broadcasting of the authorisations

The authorisations supplied are not exclusive. Many physical or moral persons can apply for an authorisation for the same version of the same software. Still, they are nominative: a person X cannot automatically benefit from the authorisation obtained by another person Z, even if the version of the software is identical.

The authorisations issued are not always made public. When the applicant gives express authorisation, a page is added to the list of cryptologic products free of use on the DCSSI website. The information is limited to the product and the name of the physical or moral person having applied. The version of the product and the type of authorisation granted are not specified.

The authorisations may be published in full if the applicant wishes; nothing prevents it.

Controls

There are four of them:

  • On export
  • On supply (generally, it is a sale, but in the case of Free Software, downloading may be considered as supply)
  • On import (downloading Free Software from a foreign website can be an import)
  • On use, but once the software has been declared (or authorised) the process is no longer necessary.

Characteristics of the applications

The most complex is the authorisation. It can be used for all software that requires an application with the DCSSI. But there are lighter applications for software with a lower technical specification (less than 128 bits, signature of documents but no encoding, etc.)

See Categorising tables for the various types of cryptographic software and the corresponding application for complete information.

Accepted applications

GnuPG

Available on http://fsffrance.org/crypto/.

OpenSSL

Available on http://fsffrance.org/crypto/.

References

Application for Authorisation, statement (déclaration) and simplified statement (déclaration)
The same application file must be filled in for an authorisation, a statement (déclaration) or a simplified statement (déclaration). Administrative part (in PDF). Technical part (technical elements available in English, as well as the technical part of GnuPG). For reference, see also Constitution d'un dossier on the DCSSI website, which contains information.

Examples of applications for Authorisation
For GnuPG: http://fsffrance.org/dcssi/gnupg.fr.html (technical part in English http://fsffrance.org/dcssi/gnupg.en.html)

For OpenSSL: http://fsffrance.org/dcssi/openssl.fr.html (technical part in English http://fsffrance.org/dcssi/openssl.en.html)

Address where to send applications for Authorisation, statement (déclaration) and simplified statement (déclaration)
	      Secrétariat général de la défense nationale
	      DCSSI - Relations industrielles
	      51, boulevard de Latour-Maubourg
	      75700 PARIS 07 SP
	      FRANCE

	      Téléphone : 01 71 75 82 65 (Secrétariat Général)
	      Téléphone : 01 71 75 82 75 (partie administrative)
	      Téléphone : 01 71 75 82 68 (partie technique)
	      E-mail: ssi41@wanadoo.fr
	      Web: http://www.ssi.gouv.fr/
	    

GnuPG
The GNU Privacy Guard http://www.gnupg.org/

OpenSSL
http://www.openssl.org/

Kerberos
http://web.mit.edu/kerberos/www/index.html

lsh
http://www.net.lut.ac.uk/psst/

Mcrypt
http://mcrypt.hellug.gr/

GnuTLS
http://www.gnu.org/software/gnutls/

loop-AES
http://loop-aes.sourceforge.net/

Non exhaustive list of products with an authorisation
http://www.ssi.gouv.fr/fr/reglementation/liste_cat/index.html

Guide on regulation on cryptology
http://www.ssi.gouv.fr/fr/reglementation/regl_crypto.html

FAQ Infrastructures for key management
http://www.ssi.gouv.fr/fr/faq/faq_igc.html

FAQ Decree on electronic signature
http://www.ssi.gouv.fr/fr/faq/faq_sigelec.html

Decree of the 17th of March 1999
Defining the form and the content of the application file concerning the statements (déclarations) or authorisations relating to cryptologic means and services. http://fsffrance.org/dcssi/arrete-17-mars-1999.fr.html

Decree no 2001-1192 of the 13th of December 2001 relating to controls on the export, import and transfer of dual-use goods and technologies
Article 10, 5 in particular, http://admi.net/jo/20011215/ECOX0100059D.html

Decree 28 from the law n°90-1170 of the 29th of December 1990 (as modified by the law of the 26th of July 1996 on telecommunications)
http://www.ssi.gouv.fr/fr/reglementation/lois/lois_fr4.html

Decree n°98-101 of the 24th of February 1998
Defining the conditions under which statements (déclarations) are filed and authorisations are granted relating to cryptologic means and services. http://www.internet.gouv.fr/francais/textesref/cryptodecret98101.htm

Decree n°99-199 of the 17th of March 1999
Defining the categories of cryptologic means and services for which the process of preliminary statement (déclaration) is substituted for the authorisation process. http://www.internet.gouv.fr/francais/textesref/cryptodecret99199.htm

Decree n°99-200 of the 17th of March 1999
Defining the categories of cryptologic means and services exempted from any form of preliminary statement (déclaration). http://www.internet.gouv.fr/francais/textesref/cryptodecret99200.htm

Magali Julin, Loïc Dachary

   contact@fsffrance.org
Copyright (C) 2003-2011, FSF France, 12 boulevard Magenta, 75010 Paris, France
Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.
 
Updated: $Date: 2003-03-05 12:45:33 +0100 (Wed, 05 Mar 2003) $ $Author: mad $