Cryptography and DCSSI
Warning
This guide is not a document from the DCSSI. It is written and given by FSF France.
How to apply, step by step
If in doubt, phone the DCSSI on 00 33 (0)1 71 75 82 75 for questions about the administrative part and 00 33 (0)1 71 75 82 68 for questions about the technical part, or e-mail ssi41@wanadoo.fr (for either the administrative or the technical part). See also the description of the application process in the corresponding decree.
- Determine the method
- The description of the application process makes it possible to determine whether an authorisation, a statement (déclaration) or a simplified statement (déclaration simplifiée) is needed for this software and this particular version. The tables characterising the various types of cryptographic software are used as the reference.
- Obtain the forms
- Authorisation or statement (déclaration):
- Administrative part (and in PDF).
- Technical part.
- Simplified statement (déclaration):
- Administrative part (and in PDF). The box "Déclaration simplifiée" should be ticked.
- How to fill in the forms
- Follow the example of the requests written for GnuPG. The technical elements, which require strong competence in cryptography, are available in English, which facilitates dialogue with a non-francophone Free Software author. The technical part is also available in English and gives an idea of the expected answers.
- Collecting the required elements
- Follow the example of the requests written for GnuPG. In the case of Free Software, the only additional elements are the distribution source and the Free Software licence.
It should be noted that in the case of a simplified statement (déclaration), there is no additional element, as there is no technical part.
- Covering letter
- It is used to raise points that do not fit within the framework of the formal file. For example:
- Request and justification for a general public qualification (see the covering letter for GnuPG).
- Assemble the application
- The application consists of the completed forms and the required elements.
- Send the application
- Send three copies to the following address:
Secrétariat général de la défense nationale
DCSSI - Relations industrielles
51, boulevard de Latour-Maubourg
75700 PARIS 07 SP
FRANCE
- Wait for the receipt
- On receiving the application, the DCSSI sends a receipt acknowledging reception of the file.
- Wait for a possible request for additional information
- If the application is not complete, which sometimes happens, the answer is a request for additional information. In the case of Free Software, the availability of the sources allows the DCSSI to work around gaps in the technical answers and reduces the risk of such a request. The DCSSI has one month from the date mentioned on the receipt to request additional information.
Note that since the simplified statement (déclaration) contains no technical elements, the request would only concern the administrative elements.
- Correct the application and resend it
- This stage repeats as often as it is necessary for the application to be complete.
- The application is complete
- From this point, the DCSSI has a response period that varies according to the nature of the application:
- Authorisation: 4 months
- Statement (déclaration): 1 month
- Simplified statement (déclaration): not applicable
- Reception of authorisations
- One or more authorisations are issued, for applications for authorisation only. For the statement (déclaration), the DCSSI sends a receipt for the statement (déclaration) as soon as it receives the application forms. The DCSSI does not send any other document; the applicant can then proceed freely, after a month, with the operation relating to the statement (déclaration). For the simplified statement (déclaration), one can consider that reception of the receipt closes the application.
- The delay is over
- If the DCSSI does not reply within the allotted time, the authorisation or the statement (déclaration) is implicitly granted.
Spread the authorisations to share the benefit
In the case of Free Software, it is in everybody's interest (individuals, governments, organisations, companies) that the benefit of the authorisations and statements (déclarations) obtained is shared. Authorisations and statements (déclarations) are issued to a named holder, but their effects can propagate if the software is obtained from the holder of the authorisations and registrations. In the case of Free Software, becoming an intermediary requires no action, provided the holder of the authorisations and statements (déclarations) follows the method below. Every natural or legal person then has the right to use, distribute, import and export the specific software.
We presume that the software has been qualified as general public (statement (déclaration)) and that an authorisation for general supply has been obtained.
- Publication
- Scan the authorisation
- Scan the statement (déclaration)
- Create a download website using resources belonging to the natural or legal person and located on French territory (hereafter referred to as the site).
- Electronically sign the source (binary) version of the program, the authorisation and the statement (déclaration)
- Install the source (binary) version of the program
- Install the scan of the authorisation
- Install the scan of the statement (déclaration)
- Install the signatures
- Allow unconditional access to the site
- Importation
- The natural or legal person who obtained the authorisation for general supply can import, from a foreign country, the version of the software for which a licence for general supply was obtained. He is the only one to have that right. By placing the program on the site, he allows anyone on French territory to have a copy imported in agreement with the DCSSI.
- Use
- A natural or legal person wishing to use the program can download it from the site. This constitutes supply of a program that has been authorised (authorisation for general supply) by the DCSSI. Hence, the individual who holds it has the right to use it.
- Supply
- A natural or legal person wishes to supply the program and to prove that he can legitimately do so because of the authorisation for general supply. By downloading the program from the site and distributing it in turn, he becomes an intermediary and can, as such, benefit from the authorisation for general supply. The signature of the program and of the authorisation allows him to prove to a third person that the version of the program is actually the one that was subject to the authorisation and that he acts as an intermediary.
- Exportation
- A natural or legal person wishes to export the program and to prove that he can legitimately do so because of the general public status of the program. By downloading the program from the site and exporting it (via the internet or on a physical medium), he becomes an intermediary and can, as such, benefit from the classification of the program as general public, which implies the possibility of exporting it (without needing to ask for an export licence). The signature of the program and of the letter establishing the general public status of the program allows him to prove to a third person that the version of the program is actually the one that has been authorised and that he acts as an intermediary.
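The publication and verification steps above, as an added shell example that is not part of the original guide: the holder signs the program and both scans with GnuPG detached signatures, and an intermediary checks them before supplying or exporting. The file names, the throwaway key and the `sign_site`, `verify_site` and `demo` helpers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not FSF France's own script). File names and the signing
# identity are constructed; a real publisher signs with an existing key.

FILES="program-1.0.tar.gz authorisation.png statement.png"

# sign_site DIR: write a detached ASCII-armoured signature beside each file.
sign_site() {
    for f in $FILES; do
        gpg --batch --yes --pinentry-mode loopback --passphrase '' \
            --armor --detach-sign --output "$1/$f.asc" "$1/$f" || return 1
    done
}

# verify_site DIR: succeed only if every published file has a good signature.
verify_site() {
    for f in $FILES; do
        [ -f "$1/$f.asc" ] || { echo "missing signature: $f" >&2; return 1; }
        gpg --batch --verify "$1/$f.asc" "$1/$f" >/dev/null 2>&1 ||
            { echo "bad signature: $f" >&2; return 1; }
    done
}

# demo: the publisher signs, an intermediary verifies, then a modified copy
# is checked. Runs in a subshell with a throwaway keyring; prints one line.
demo() (
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; exit 2; }
    work=$(mktemp -d) || exit 1
    trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$work"' EXIT
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    site="$work/site"; mkdir "$site"

    # Constructed stand-ins for the release and the two scanned documents.
    printf 'program sources\n'       > "$site/program-1.0.tar.gz"
    printf 'scan of authorisation\n' > "$site/authorisation.png"
    printf 'scan of statement\n'     > "$site/statement.png"

    # Throwaway signing key, generated only for this demonstration.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Publisher <publisher@example.invalid>' \
        ed25519 sign never >/dev/null 2>&1 || exit 1

    sign_site "$site" || exit 1
    verify_site "$site" && intact=ok || intact=FAILED

    # A copy altered after signing must no longer verify.
    printf 'x' >> "$site/program-1.0.tar.gz"
    verify_site "$site" 2>/dev/null && tampered=ACCEPTED || tampered=rejected

    echo "intact=$intact tampered=$tampered"
    [ "$intact" = ok ] && [ "$tampered" = rejected ]
)

demo || echo "demo did not complete" >&2
```

In practice the intermediary imports the holder's public key and checks its fingerprint before relying on the result of `gpg --verify`.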
Why do you need to apply?
In France, cryptology means and services are under governmental control. Supply, use (in the case of keys of more than 128 bits), import and export of cryptologic software are authorised on the express condition that a free application has been made with the DCSSI.
When the application has been successful (authorisation, statement (déclaration), simplified statement (déclaration)), it entails the permission to act in a certain number of ways with the means (the software in the case of Free Software) or to supply certain services. What it is possible to do depends on the application and on the DCSSI's conclusion. See the summary tables covering all the possible cases.
The conclusions from the application with the DCSSI (authorisations, statement (déclaration)) concern a specific version of the product. Therefore, applying for GnuPG-1.0.4 does not automatically imply that the conclusions apply to GnuPG-1.0.1 or GnuPG-1.0.7.
Authorisations
When an application for an authorisation is accepted by the DCSSI, it delivers one or more authorisations. The authorisations delivered depend partly on the boxes ticked in the application file ("of supply for a duration of" and "of export for a duration of"; see for example the application filled in for GnuPG). In the end, it is the DCSSI which determines which authorisations are appropriate for a given application.
The qualification of general public (see Decree no 2001-1192, article 10, 5) and the authorisation for general supply are the most appropriate for Free Software.
- Authorisation for general supply (AFG).
- It concerns French territory. It permits use, import and supply of the product (the software in the case of Free Software).
- Authorisation for exportation.
- It permits the exportation of the product subject to obtaining an individual or global licence.
- Authorisation for exportation of general public software.
- The act of exporting does not require additional forms; the authorisation is self-sufficient.
One tricky point raised in the case of Free Software must be clarified. One necessary condition for the software to be considered general public is that the cryptologic feature cannot be easily modified by the user (Decree no 2001-1192, article 10, 5 b)).
For proprietary software, the elements of the equation are a natural or legal person and a binary object (the product). For Free Software, the source code is added to these. One can then legitimately wonder what the consequences are for the ease with which a user can modify the cryptographic feature.
Whether one has access to the source code or to the binary, it is always possible to modify either with a text editor. This is easy for any user, but it is generally agreed that the only result would be to make the software non-functional. Even if such a modification could be described as easy, including where it touches cryptographic features, the same would then apply to all software. That is an absurd case; we are in fact interested in the case of software that would allow an easy modification of its cryptographic features while remaining fully functional.
To set out to modify the cryptographic features, the user must first have mathematical notions and a detailed knowledge of the field of cryptography. Without this theoretical background, he is very likely to attempt modifications that will render the software non-functional. Regardless of whether the sources or only the binary are available, this theoretical background is a prerequisite that makes the task more difficult.
Without the theoretical background, the user may attempt a modification by blindly following instructions supplied by a third person. In the case of binary cryptographic software, the instructions may take the form of a small program automating the modifications. There are numerous programs of this kind available on the web. In the case of cryptographic software for which the sources are available, it would be a patch applied to the sources. The principle is essentially the same. In the case of a patch, however, the user needs the technical ability to rebuild a binary version of the cryptographic software, which is a little less easy. As with random modifications that render the software ineffective, the possibility of blindly following instructions exists for all cryptographic software (Free Software or not), so it cannot constitute a criterion for qualifying the modification of cryptographic features as easy.
Let us say that an individual has the necessary theoretical background and undertakes the modification of the cryptographic features without blindly following instructions. With only a binary, the individual must have strong skills in assembler and recompilation tools, and experience of reverse engineering. With the source code, the individual must have strong skills in the programming language and compilation tools. In short, he must have studied IT to effectively attempt a modification. Acquiring the necessary IT background is, in any case, a difficult process.
Finally, the product can, by design choice, allow an easy modification of cryptographic features. The product may, for example, contain an interface whose purpose is to allow the user to modify cryptographic features. It may be a graphical interface or a command line, and this implies that the software has been specifically designed to offer this possibility. It is then easy for the user to modify cryptographic features. However, this is a design choice that has no link with the availability of the source code of the cryptologic software.
To conclude, access to the source code does not necessarily imply that it is easy for the user to modify the cryptographic features. It is first of all a design choice, which should be judged case by case, Free Software or not. The availability of the source code makes the modification possible for an individual willing to reach the required level of competence, but certainly not easy for the user. The difference lies there and only there.
Broadcasting of the authorisations
The authorisations supplied are not exclusive. Many natural or legal persons can apply for an authorisation for the same version of the same software. Still, they are issued to a named holder: a person X cannot automatically benefit from the authorisation obtained by another person Z, even if the version of the software is identical.
The authorisations issued are not always made public. When the applicant gives express authorisation, a page is added to the list of cryptologic products free of use on the DCSSI website. The information is limited to the product and the name of the natural or legal person who applied. The version of the product and the type of authorisation granted are not specified.
The authorisations may be published in full if the applicant wishes; nothing prevents it.
Controls
There are four of them:
- On export
- On supply (generally this is a sale, but in the case of Free Software, downloading may be considered supply)
- On import (downloading Free Software from a foreign website can be an import)
- On use, but once the software has been declared (or authorised) the process is no longer necessary.
Characteristics of the applications
The most complex is the Authorisation. It can be used for all software that requires an application with the DCSSI. But there are lighter applications for software with lower technical specifications (less than 128 bits, signature of documents but no encoding, etc.).
See the categorising tables for the various types of cryptographic software and the corresponding application for complete information.
- Compulsory for software allowing an encoding with a secret key of more than 128 bits.
- Compulsory for software allowing an encoding with a secret key of up to 128 bytes.
The simplified statement (déclaration)
- Compulsory for software allowing only signature, authentication and checking of the integrity of the document (but not encoding).
Accepted applications
- GnuPG
Available on http://fsffrance.org/crypto/.
- 25 May 2002: the application http://fsffrance.org/dcssi/gnupg.fr.html is sent by recorded delivery with acknowledgement of receipt
- 3 June 2002: RECEIPT OF DEMAND OF APPLICATION FOR GENERAL SUPPLY FOR PUBLIC USE, FOR IMPORT AND FOR EXPORT OF MEANS OF CRYPTOLOGY, letter number 000571 (scan: small size, large size). The file number for GnuPG-1.0.7 and following versions is 0205180.
- 15 July 2002: AUTHORISATION FOR GENERAL SUPPLY FOR PUBLIC USE AND FOR IMPORT OF CRYPTOLOGIC MEANS, number 23295 (scan: small size, large size). Signature of the large-size scan by Loïc Dachary with his GPG key.
- 15 July 2002: benefits from the provisions of article 10 of decree 2001-1192 of 13/12/2002 modifying decree 99-200 of 17/03/199, and is exempted from the customs formalities of an export licence, letter number 000713 (scan: small size, large size). Signature of the large-size scan by Loïc Dachary with his GPG key.
- OpenSSL
Available on http://fsffrance.org/crypto/.
- 5 June 2002: the application http://fsffrance.org/dcssi/openssl.fr.html is sent by recorded delivery with acknowledgement of receipt
- 13 June 2002: RECEIPT OF APPLICATION FOR SUPPLY FOR PUBLIC USE, FOR IMPORT AND FOR EXPORT OF MEANS OF CRYPTOLOGY, letter number 000634 (scan: small size, large size). The file number for OpenSSL-0.9 and following versions is 0206199.
- 15 July 2002: AUTHORISATION FOR GENERAL SUPPLY FOR PUBLIC USE AND FOR IMPORT OF CRYPTOLOGIC MEANS, number 23299 (scan: small size, large size). Signature of the large-size scan by Loïc Dachary with his GPG key.
- 15 July 2002: benefits from the provisions of article 10 of decree 2001-1192 of 13/12/2002 modifying decree 99-200 of 17/03/199, and is exempted from the customs formalities of an export licence, letter number 000721 (scan: small size, large size). Signature of the large-size scan by Loïc Dachary with his GPG key.
References
Magali Julin, Loïc Dachary
- Application for Authorisation, statement (déclaration) and simplified statement (déclaration)
- The same application file must be filled in for an Authorisation, a statement (déclaration) or a simplified statement (déclaration). Administrative part (in PDF). Technical part (technical elements available in English, as well as the technical part for GnuPG). For reference, see also Constitution d'un dossier on the DCSSI website, which contains further information.
- Examples of applications for Authorisation
- For GnuPG: http://fsffrance.org/dcssi/gnupg.fr.html (technical part in English http://fsffrance.org/dcssi/gnupg.en.html). For OpenSSL: http://fsffrance.org/dcssi/openssl.fr.html (technical part in English http://fsffrance.org/dcssi/openssl.en.html)
- Address where to send applications for Authorisation, statement (déclaration) and simplified statement (déclaration)
Secrétariat général de la défense nationale
DCSSI - Relations industrielles
51, boulevard de Latour-Maubourg
75700 PARIS 07 SP
FRANCE
Telephone: 01 71 75 82 65 (Secrétariat Général)
Telephone: 01 71 75 82 75 (administrative part)
Telephone: 01 71 75 82 68 (technical part)
E-mail: ssi41@wanadoo.fr
Web: http://www.ssi.gouv.fr/
- GnuPG
- The GNU Privacy Guard http://www.gnupg.org/
- OpenSSL
- http://www.openssl.org/
- Kerberos
- http://web.mit.edu/kerberos/www/index.html
- lsh
- http://www.net.lut.ac.uk/psst/
- Mcrypt
- http://mcrypt.hellug.gr/
- GnuTLS
- http://www.gnu.org/software/gnutls/
- loop-AES
- http://loop-aes.sourceforge.net/
- Non exhaustive list of products with an authorisation
- http://www.ssi.gouv.fr/fr/reglementation/liste_cat/index.html
- Guide on regulation on cryptology
- http://www.ssi.gouv.fr/fr/reglementation/regl_crypto.html
- FAQ Infrastructures for key management
- http://www.ssi.gouv.fr/fr/faq/faq_igc.html
- FAQ Decree on electronic signature
- http://www.ssi.gouv.fr/fr/faq/faq_sigelec.html
- Decree of the 17th of march 1999
- Defining the form and the content of the application file concerning the statement (déclaration)s or authorisations relating to the cryptologic means and services. http://fsffrance.org/dcssi/arrete-17-mars-1999.fr.html
- Decree no 2001-1192 of the 13th of December 2001 relating to controls on export, import and transfers of dual-use goods and technologies
- Article 10, 5 in particular, http://admi.net/jo/20011215/ECOX0100059D.html
- Decree 28 from the law n°90-1170 of the 29th of December 1990 (as modified by the law of the 26th of July 1996 on telecommunications)
- http://www.ssi.gouv.fr/fr/reglementation/lois/lois_fr4.html
- Decree n°98-101 of the 24th of February 1998
- Defining the conditions under which statements (déclarations) are made and authorisations are granted relating to cryptologic means and services. http://www.internet.gouv.fr/francais/textesref/cryptodecret98101.htm
- Decree n°99-199 of the 17th of March 1999
- Defining the categories of cryptologic means and services for which the preliminary statement (déclaration) process replaces the authorisation process. http://www.internet.gouv.fr/francais/textesref/cryptodecret99199.htm
- Decree n°99-200 of the 17th of march 1999
- Defining the cryptologic means and services categories exempted from any form of preliminary statement (déclaration) http://www.internet.gouv.fr/francais/textesref/cryptodecret99200.htm