7 October 1999


Date: Thu, 7 Oct 1999 09:05:26 +0200 (MET DST)
From: Bruno Gillet - Sun France <bgillet@picto.France.Sun.COM>
Subject: Re: current state of french crypto regulation?
To: eucrypto@fitug.de, roessler@guug.de
Comment: This message comes from the eucrypto mailing list.

> Date: Tue, 5 Oct 1999 14:14:36 +0200
> From: Thomas Roessler <roessler@guug.de>
> To: eucrypto@fitug.de

> What's the current state of the French crypto regulation?  Is there
> still a limitation of symmetric key lengths to 128 bits, or has
> crypto use been entirely liberalized?

Hi Thomas,

There is still a difference between import/distribution rights and use rights.

If you want to import/distribute :

- For data ciphering of key length less than or equal to 40 bits

Just send a letter declaring the use of such ciphering within your product.

Upon receiving your receipt of delivery, you can import/distribute your product. Time of procedure 1 or 2 days.

- For data ciphering of key length between 40+ bits and 128 bits.

You have to fill out a technical file in which you need to indicate the kind of encryption you use, deliver samples (clear+cipher+keys) for each algorithm used, and some other simple stuff.

THERE IS NO MORE SIMPLE STOP TEST.

After receiving deposit of your file, SCSSI has one month to ask you for more details in case you have not given a complete file, or to refuse the agreement.

In the first case, you have to restart the procedure again. The second case SHOULD NOT happen within that range of strength, it is just from a "law point of view".

If nothing happens during that 1 month delay from receipt date, then your product is validated.

- For data ciphering of key length > 128 bits.

The procedure is longer (three months) and CANNOT give you a generic right for import/distribution. Such files have to be filed on a "per customer" basis, such strength of ciphering being by default associated with dedicated needs.

- Generically: If your software embeds ciphering algorithms that ARE NOT used for user data ciphering. (i.e. Authentication)

You just have to declare it. It's the same 1 or 2 day stuff as with data ciphering < 40 bits in key strength.

For right of use:

Regarding use of such tools (in professional or communicating use, as opposed to "personal use by a physical private person") you are free to use ANY TOOL of strength <= 128 bits as far as they have been VALIDATED by the SCSSI through the previously described procedures.

If you need to use stronger crypto, then you have to go through the process described before with the provider of the tool in order to let that provider obtain the right to import/distribute that tool TO YOU (only) and the right to use it as well. Then a three months' delay is required (with fully completed files : SCSSI has the first month to request "more details", which will reset the process).

There is no more key escrow in France for that higher range of crypto.

BUT

The law clearly says that a company should be able to give ciphered + clear data + keys in case of a "law request" for any traffic encrypted in such a way.

All the law texts, the administrative details and the templates for those files are available at the following access points :

Laws & templates:

http://www.scssi.gouv.fr/present/chiffre/lois_fr.html

Base for administrative details, generic presentation of SCSSI, etc... (obviously):

http://www.scssi.gouv.fr/

(All is in French, I am afraid...)

For detailing the law: Look at the old and the new decrees, as precise definitions are done by modifications of the older one. The templates are through some of those decrees.

So, to end with a clear conclusion :

- NO, ciphering is far from being completely free in France.

but

- YES, it is extremely simple and quick now for a company to obtain the right to import ciphering tools in France, as well as legally free for France-based companies to use such tools insofar as those tools are under 128+ bits key strength, those tools are validated, and... the company purchases licenses for RTU :-).

HTH,

Bruno.

PS: As usual, the disclaimer... this is my own opinion and does not engage my Company's own, etc... etc...

---------------------------------------------------------------------

    /\        :         Bruno   GILLET  
   \\ \       :         Consultant Intranet / Securite
  \ \\ /      :         Sun Microsystems
/ \/ / /     :         13, av Morane Saulnier
/ /   \//\    :         BP 53
\//\   / /    :         78 142 Velizy Cedex - FRANCE
/ / /\ /     :
  / \\ \      :         e-mail : bgillet@France.sun.com
   \ \\       :         Tel    : 01 30 67 53 01
    \/        :         Fax    : 01 30 67 53 02

---------------------------------------------------------------------