users@glassfish.java.net

Export Control Questions

From: Chad Zezula <czezula_at_silasg.com>
Date: Wed, 13 Feb 2008 14:11:40 -0800

Due to the nature of our Java application being deployed outside the
U.S. and running on Glassfish (V2_UR1), my group is being asked to
answer the following detailed encryption questions for Export Control
purposes. Our application does not perform any of its own encryption,
but because it is running on Glassfish, the first basic question is
"Does Glassfish already have an Export Control Classification Number
(ECCN)?"

I know that JDK 1.5.0 is classified as 5D002 for source distribution and
as 5D992.b.1 for binary distribution (see
http://www.sun.com/sales/its/software/software.html#Table_J for more
details).

If anyone has the answers to the following questions regarding Glassfish
or knows of a place where I can find the answers myself, I would
certainly appreciate a reply. I have taken a stab at question 6 based
upon information I found in the Glassfish application. Thank you,

Chad Zezula
Sila Solutions Group
425-241-3174
czezula_at_silasg.com

(1) Description of all the symmetric and asymmetric encryption
algorithms and key lengths and how the algorithms are used. Specify
which encryption modes are supported (e.g., cipher feedback mode or
cipher block chaining mode):

(2) State the key management algorithms, including modulus sizes that
are supported:

(3) For products with proprietary algorithms, include a textual
description and the source code of the algorithm:

(4) Describe the pre-processing methods (e.g., data compression or data
interleaving) that are applied to the plaintext data prior to
encryption:

(5) Describe the post-processing methods (e.g., packetization,
encapsulation) that are applied to the cipher text data after
encryption:

(6) State the communication protocols (e.g., X.25, Telnet or TCP) and
encryption protocols (e.g., SSL, IPSEC or PKCS standards) that are
supported:

* If product supports SSL please identify all supported cipher suites
and how SSL is used. List any other communications or encryption
protocols that are supported.

Glassfish supports the following cipher suites:

Common Cipher Suites:
* SSL RSA WITH RC4 128 MD5
* SSL RSA WITH RC4 128 SHA
* TLS RSA WITH AES 128 CBC SHA
* SSL RSA WITH 3DES EDE CBC SHA

Available Ephemeral Diffie-Hellman Cipher Suites:
* TLS DHE RSA WITH AES 128 CBC SHA
* SSL DHE RSA WITH 3DES EDE CBC SHA
* TLS DHE DSS WITH AES 128 CBC SHA
* SSL DHE DSS WITH 3DES EDE CBC SHA

Available 40 bit and 56 bit Cipher Suites:
* SSL RSA WITH DES CBC SHA
* SSL DHE RSA WITH DES CBC SHA
* SSL DHE DSS WITH DES CBC SHA
* SSL RSA EXPORT WITH RC4 40 MD5
* SSL RSA EXPORT WITH DES40 CBC SHA
* SSL DHE RSA EXPORT WITH DES40 CBC SHA
* SSL DHE DSS EXPORT WITH DES40 CBC SHA

(7) Describe the encryption-related Application Programming Interfaces
(APIs) that are implemented and/or supported. Explain which interfaces
are for internal (private) and/or external (public) use:

(8) Describe the cryptographic functionality that is provided by
third-party hardware or software encryption components (if any).
Identify the manufacturers of the hardware or software components,
including specific part numbers and version information as needed to
describe the product. Describe whether the encryption software
components (if any) are statically or dynamically linked:

(9) For commodities or software using Java byte code, describe the
techniques (including obfuscation, private access modifiers or final
classes) that are used to protect against decompilation and misuse:

(10) State how the product is written to preclude user modification of
the encryption algorithms, key management and key space.

(11) Does the product provide secure Wide Area Network (WAN),
Metropolitan Area Network (MAN) and Virtual Private Network (VPN)
exceeding any of the following limits?

In addition to identifying the appropriate network, please provide the
maximum data rate and maximum number of concurrent tunnels or channels:

(12) For products which incorporate an open cryptographic interface as
defined in part 772 of the EAR, describe the Open Cryptographic Interface.

- Describe open cryptographic APIs which can be used to insert
any encryption libraries.

- Describe how the customer can modify the encryption algorithms,
key management and key space.

If the customer cannot modify them, describe how the product prevents this.

* "Open cryptographic interface". A mechanism which is designed to
allow a customer or other party to insert cryptographic functionality
without the intervention, help or assistance of the manufacturer or its
agents, e.g., manufacturer's signing of cryptographic code or
proprietary interfaces. If the cryptographic interface implements a
fixed set of cryptographic algorithms, key lengths or key exchange
management systems, that cannot be changed, it will not be considered an
"open" cryptographic interface. All general application programming
interfaces (e.g., those that accept either a cryptographic or
non-cryptographic interface but do not themselves maintain any
cryptographic functionality) will not be considered "open" cryptographic
interfaces.