Skip to main content

Crypto for data confidentiality


If the item is not publicly available, the next analysis is whether the item is using ‘cryptography for data confidentiality’.

Technical Note 1 under 5A002.a defines what ‘cryptography for data confidentiality’ means:

1.            For the purposes of 5A002.a., 'cryptography for data confidentiality’ means “cryptography” that employs digital techniques and performs any cryptographic function other than any of the following:

a.            "Authentication";

b.            Digital signature;

c.             Data integrity;

d.            Non-repudiation;

e.            Digital rights management, including the execution of copy-protected "software";

f.             Encryption or decryption in support of entertainment, mass commercial broadcasts or medical records management; or

g.            Key management in support of any function described in paragraph a. to f. above.

The use of cryptography limited to a-g listed above, results in a classification of the product NOT in 5A002.a. In that case, you should review other entries in Category 5 Part 2 and other Categories on the CCL (e.g., Cat. 4 or Cat. 5, Part 1). If it is not described in any other Category then it can be classified as EAR99.

“Authentication” is defined as: Verifying the identity of user, process or device, often as a prerequisite to allowing access to resources in an information system. This includes verifying the origin or content of a message or other information, and all aspects of access control where there is no encryption of files or text except as directly related to the protection of passwords, Personal Identification Numbers (PINs) or similar data to prevent unauthorized access.

Digital signature, data integrity and non-repudiation functions are also not covered by Cat. 5, Part 2. These are means for providing proof of the integrity and origin of data.

Digital Rights Management (DRM), including copyright protection, is encryption that is used to verify that someone has a right to download or use software or view content. Examples include:

  • License key product protection and similar purchase validation
  • Software and hardware design IP protection
  • Piracy and theft prevention for software, music, etc.

Encryption/decryption in support of entertainment, mass commercial broadcast and medical records management in also excluded. Examples include:

  • Games and gaming – devices, runtime software, HDMI and other component interfaces
  • Music movie, tunes/music, digital photos – dedicated players, recorders, and organizers
  • LCD-TV, Blu-ray/ DVD, Video of Demand, cinema, digital video recorders (DVRs)/ personal video recorders (PVRs) – devices, on-line media guides, commercial content integrity and protection, HDMI and other component interfaces
  • Medical/ clinical – including patient scheduling, and medical data records confidentiality.



Primary Learn & Support Topic