10 Replies Latest reply on Nov 5, 2011 1:23 AM by reelportal

    Does Cirrus make use of encryption?

    greengnu Level 1

      I create an app for the iPhone and make use of Cirrus.

      During submission to the Appstore, Apple wants to know whether my application uses Encryption. So I'd like to know whether Cirrus uses encryption?

        • 1. Re: Does Cirrus make use of encryption?
          Michael Thornburgh Adobe Employee

          RTMFP is strongly encrypted all the time.  it has no "not encrypted" mode.

           

          communication with the Cirrus service or with peers is over RTMFP.

          • 2. Re: Does Cirrus make use of encryption?
            greengnu Level 1

            thank you for this answer!

             

            during app submission process, they ask several questions regarding my application makes use of encryption including what type of encryption is used and they request:

             

            If your application does use encryption, it may be necessary to submit confirmation of approval by the United States Government. This confirmation could be in the form of either a CCATS review and approval or the Exporter Registration Number (ERN) and reporting authorization.

            If you are unsure how to classify the encryption used in your application in order to obtain the necessary approval, please refer to the Bureau of Industry and Security US Department of Commerce guidance page.

             

            what to answer on these questions if Cirrus is used in the project?

            • 3. Re: Does Cirrus make use of encryption?
              greengnu Level 1

              or if you can answer just this:

              what encryption technology does Cirrus use?

              • 4. Re: Does Cirrus make use of encryption?
                Michael Thornburgh Adobe Employee

                it's inappropriate for me to answer this question in this context.  i can't answer a question if doing so could be construed to be legal advice.

                 

                you could try the forum for the Packager for iOS (which is what i assume you're using).  it's possible that questions regarding cryptography and export control have been raised there already.

                • 5. Re: Does Cirrus make use of encryption?
                  greengnu Level 1

                  thanks, I already asked and searched there, but aparently no one used this combination yet.

                   

                  can you tell me then maybe how I could get this information? Is there any way to contact the cirrus development team directly? I couldn't find any such contact link on the adobe site

                  • 6. Re: Does Cirrus make use of encryption?
                    Michael Thornburgh Adobe Employee

                    i am the "Cirrus development team".  i co-wrote and maintain the "codename Cirrus" service, and i co-created and wrote RTMFP.

                     

                    obviously this issue is a stumbling block to using RTMFP with the Packager for iOS.  i'll open a dialog with the Packager folks this coming work-week to see if we can't figure out how to address this issue.

                     

                    reminder: "codename Cirrus" is the hosted P2P rendezvous service.  "RTMFP" is the encrypted network transport protocol.  your application communicates with the Cirrus service and with peers over RTMFP.

                    • 7. Re: Does Cirrus make use of encryption?
                      greengnu Level 1

                      this is great, thank you!

                      Since ServerSocket is not available on mobile devices, Cirrus seems to be the only available option to send data between clients directly for an iPhone app created with the iphone packager.

                       

                      just in case it meight be helpful, The U.S. government requests the following information about the application under consideration:

                       

                       

                       

                      (c) For review requests for a commodity or software, provide the following information:

                      (1) Description of all the symmetric and asymmetric encryption algorithms and key lengths and how the algorithms are used, including relevant parameters, inputs and settings. Specify which encryption modes are supported (e.g., cipher feedback mode or cipher block chaining mode).


                      (2) State the key management algorithms, including modulus sizes, that are supported.

                      (3) For products with proprietary algorithms, include a textual description and the source code of the algorithm.

                      (4) Describe the pre-processing methods (e.g., data compression or data interleaving) that are applied to the plain text data prior to encryption.

                      (5) Describe the post-processing methods (e.g., packetization, encapsulation) that are applied to the cipher text data after encryption.

                      (6) State all communication protocols (e.g., X.25, Telnet, TCP, IEEE 802.11, IEEE 802.16, SIP ...) and cryptographic protocols and methods (e.g., SSL, TLS, SSH, IPSEC, IKE, SRTP, ECCN, MD5, SHA, X.509,  PKCS standards...) that are supported and describe how they are used.

                      (7) Describe the encryption-related Application Programming Interfaces (APIs) that are implemented and/or supported.  Explain which interfaces are for internal (private) and/or external (public) use.

                      (8)   Describe the cryptographic functionality that is provided by third-party hardware or software encryption components (if any). Identify the manufacturers of the hardware or software components, including specific part numbers and version information as needed to describe the product.  Describe whether the encryption software components (if any) are statically or dynamically linked.

                      (9) For commodities or software using Java byte code, describe the techniques (including obfuscation, private access modifiers or final classes) that are used to protect against decompilation and misuse.

                      (10) State how the product is written to preclude user modification of the encryption algorithms, key management and key space.

                      (11) License Exception ENC 'Restricted' commodities and software described by the criteria in §740.17(b)(2) require licenses to certain “government end-users.” Describe whether the product(s) meet any of the §740.17(b)(2) criteria.  Provide specific data for each of the parameters listed, as applicable (e.g., maximum aggregate encrypted user data  throughput, maximum number of concurrent encrypted channels, and operating range for wireless products). If the §740.17(b)(2) parameters are not applicable to the commodity or
                      software, clearly explain why, (e.g., by providing specific data evaluated against the §740.17(b)(2) thresholds.)


                      (12) For products which incorporate an open cryptographic interface as defined in part 772 of the EAR, describe the Open Cryptographic Interface.
                       
                      (d) For review requests for hardware or software “encryption components” other than source code (i.e., chips, toolkits, executable or linkable modules intended for use in or production of another encryption item) provide the following additional information:
                      (1)  Reference the application for which the components are used in, if known;
                      (2) State if there is a general programming interface to the component;
                      (3) State whether the component is constrained by function; and
                      (4) Identify the encryption component and include the name of the manufacturer, component model number or other identifier.


                      (e) For review requests for “encryption source code” provide the following information:
                      (1) If applicable, reference the executable (object code) product that was previously reviewed;
                      (2) Include whether the source code has been modified, and the technical details on how the source code was modified; and
                      (3) Include a copy of the sections of the source code that contain the encryption algorithm, key management routines and their related calls.

                      • 8. Re: Does Cirrus make use of encryption?
                        greengnu Level 1

                        Is there any update on this matter?

                        • 9. Re: Does Cirrus make use of encryption?
                          Michael Thornburgh Adobe Employee

                          please see the following pages:

                           

                             http://www.adobe.com/support/exportcompliance.html

                             http://www.adobe.com/support/eccnmatrix.html

                           

                          and note, in particular, the entry for "Adobe AIR" on the second page.

                           

                          apparently the AIR SDK isn't listed on the second page, but it is expected to appear on that page in the near future.

                          • 10. Re: Does Cirrus make use of encryption?
                            reelportal Level 1

                            I've read through all of these, but still confused on these legalese stuff.

                             

                            The Adobe links has ECCN and HTSUS numbers, where as Apple requires CCATS form or the Exporter Registration Number (ERN). 

                             

                            So how do you map one to the other?  I would much appreciate any directions.