Strategic Commodities Control System Website Trade and Industry Department | The Government of the Hong Kong Special Administrative Region
Category 5 (Part 2) - Information Security

CATEGORY 5-TELECOMMUNICATIONS AND "INFORMATION SECURITY"


Part 2-"Information Security"

Notes:

1.     The control status of "information security" equipment, "software", systems, application specific "electronic assemblies", modules, integrated circuits, components or functions is determined in Category 5, Part 2 even if they are components or "electronic assemblies" of other equipment.  (L.N. 226 of 2009)

2.      Category 5-Part 2 does not control products when accompanying their user for the user's personal use.

3.      Cryptography Note:

5A002 and 5D002 do not control items that meet all of the following:

(a)  Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:

(1)   Over-the-counter transactions;

(2)   Mail order transactions;

(3)   Electronic transactions; or

(4)   Telephone call transactions;

(b)   The cryptographic functionality cannot easily be changed by the user;

(c)    Designed for installation by the user without further substantial support by the supplier; and  (L.N. 132 of 2001)

(d)    Deleted;  (L.N. 132 of 2001)

(e)    When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with conditions described in paragraphs (a) to (c) above.  (L.N. 132 of 2001)

Technical Note:

In Category 5-Part 2, parity bits are not included in the key length.

 

5A2  SYSTEMS, EQUIPMENT AND COMPONENTS

 

5A002     (a)   Systems, equipment, application specific "electronic assemblies", modules and integrated circuits for "information security", as follows, and other specially designed components therefor:

 

N.B.:

 

For the control of global navigation satellite systems receiving equipment containing or employing decryption (i.e. GPS or GLONASS), see 7A005.

 

(1)    Designed or modified to use "cryptography" employing digital techniques performing any cryptographic function other than authentication or digital signature having any of the following:

 

Technical Notes:

 

1.      Authentication and digital signature functions include their associated key management function.

 

2.      Authentication includes all aspects of access control where there is no encryption of files or text except as directly related to the protection of passwords, Personal Identification Numbers (PINs) or similar data to prevent unauthorized access.

 

3.      "Cryptography" does not include "fixed" data compression or coding techniques.

 

Note:

 

5A002(a)(1) includes equipment designed or modified to use "cryptography" employing analogue principles when implemented with digital techniques.

 

(a)    A "symmetric algorithm" employing a key length in excess of 56 bits; or

 

(b)    An "asymmetric algorithm" where the security of the algorithm is based on any of the following:

 

(1)    Factorization of integers in excess of 512 bits (e.g., RSA);

 

(2)    Computation of discrete logarithms in a multiplicative group of a finite field of size greater than 512 bits (e.g., Diffie-Hellman over Z/pZ); or

 

(3)    Discrete logarithms in a group other than mentioned in 5A002(a)(1)(b)(2) in excess of 112 bits (e.g., Diffie-Hellman over an elliptic curve);

 

(2)    Designed or modified to perform cryptanalytic functions;

 

(3)    Deleted;

 

(4)    Specially designed or modified to reduce the compromising emanations of information-bearing signals beyond what is necessary for health, safety or electromagnetic interference standards;

 

(5)    Designed or modified to use cryptographic techniques to generate the spreading code for "spread spectrum" systems not controlled by 5A002(a)(6), including the hopping code for "frequency hopping" systems;  (L.N. 132 of 2001; L.N. 95 of 2006)

 

(6)    Designed or modified to use cryptographic techniques to generate channelizing codes, scrambling codes or network identification codes, for systems using ultra-wideband modulation techniques, and having any of the following characteristics:

 

(a)    A bandwidth exceeding 500 MHz; or

 

(b)    A "fractional bandwidth" of 20% or more;  (L.N. 95 of 2006)

 

(7)   Non-cryptographic information and communications technology (ICT) security systems and devices evaluated to an assurance level exceeding class EAL-6 (evaluation assurance level) of the Common Criteria (CC) or equivalent;  (L.N. 226 of 2009)

 

(8)    Communications cable systems designed or modified using mechanical, electrical or electronic means to detect surreptitious intrusion;  (L.N. 65 of 2004)

 

(9)    Designed or modified to use "quantum cryptography";

 

Technical Note:

 

"Quantum cryptography" is also known as quantum key distribution (QKD).  (L.N. 95 of 2006)

 

Note:

 

5A002 does not include any of the following:  (L.N. 254 of 2008)

 

(a)    "Personalized smart cards":

 

(1)    Where the cryptographic capability is restricted for use in equipment or systems excluded from 5A002 Notes (b) to (g); or  (L.N. 254 of 2008)

 

(2)    For general public-use applications where the cryptographic capability is not user-accessible and it is specially designed and limited to allow protection of personal data stored within;

 

N.B.:

 

If a "personalized smart card" has multiple functions, the control status of each function is assessed individually.  (L.N. 65 of 2004)

 

(b)    Receiving equipment for radio broadcast, pay television or similar restricted audience broadcast of the consumer type, without digital encryption except that exclusively used for sending the billing or programme-related information back to the broadcast providers;  (L.N. 132 of 2001)

 

(c)    Equipment where the cryptographic capability is not user-accessible and which is specially designed and limited to allow any of the following:

 

(1)    Execution of copy-protected software;

 

(2)    Access to any of the following:

 

(a)    Copy-protected contents stored on read-only media; or  (L.N. 132 of 2001)

 

(b)    Information stored in encrypted form on media (e.g., in connection with the protection of intellectual property rights) when the media is offered for sale in identical sets to the public;  (L.N. 95 of 2006)

 

(3)    Copying control of copyright protected audio/video data; or  (L.N. 65 of 2004; L.N. 95 of 2006)

 

(4)    Encryption or decryption or both for protection of libraries, design attributes, or associated data for the design of semiconductor devices or integrated circuits;  (L.N. 95 of 2006)

 

(d)    Cryptographic equipment specially designed and limited for banking use or money transactions;

 

Technical Note:

 

"Money transactions" in 5A002 Note (d) includes the collection and settlement of fares or credit functions.

 

(e)    Portable or mobile radiotelephones for civil use (e.g., for use with commercial civil cellular radiocommunications systems) that are not capable of transmitting encrypted data directly to another radiotelephone or equipment (other than Radio Access Network (RAN) equipment), nor of passing encrypted data through RAN equipment (e.g., Radio Network Controller (RNC) or Base Station Controller (BSC));  (L.N. 254 of 2008)

 

(f)     Cordless telephone equipment not capable of end-to-end encryption where the maximum effective range of unboosted cordless operation (i.e. a single, unrelayed hop between terminal and home basestation) is less than 400 metres according to the manufacturer's specifications;  (L.N. 254 of 2008)

 

(g)    Portable or mobile radiotelephones and similar client wireless devices for civil use, that implement only published or commercial cryptographic standards (except for anti-piracy functions, which may be non-published) and also meet the provisions of paragraphs (b) to (e) of the Cryptography Note (Note 3 in Category 5, Part 2), that have been customized for a specific civil industry application with features that do not affect the cryptographic functionality of these original non-customized devices;  (L.N. 254 of 2008; L.N. 226 of 2009)

 

(h)    Equipment specially designed for the servicing of portable or mobile radiotelephones and similar client wireless devices that meet all the provisions of the Cryptography Note (Note 3 in Category 5, Part 2), where the servicing equipment meets all of the following:

 

(1)    The cryptographic functionality of the servicing equipment cannot easily be changed by the user of the equipment;

 

(2)    The servicing equipment is designed for installation without further substantial support by the supplier;

 

(3)    The servicing equipment cannot change the cryptographic functionality of the device being serviced;  (L.N. 226 of 2009)

 

(i)     Wireless "personal area network" equipment that implements only published or commercial cryptographic standards, where the cryptographic capability is limited to a nominal operating range not exceeding 30 metres according to the manufacturer's specifications.  (L.N. 226 of 2009)


Last revision date: 10 March 2010