Animail's posterous

Mass Market Encryption: Case closed - our app got approved!

(see our first blog post to start from the beginning of our mass market encryption journey)

Good news everyone! We have received our CCATS number from the DOC on Friday and are now officially allowed to sell our (upcoming) app to all App Store countries. Hooray!

 
When we started the process, we would have loved to have such a template, so we decided to share our Letter of Explanation. The LoE covers the questions that our Apple contact told us to use for our case. Your case might be different, so please don't just copy & paste; you will probably need to make changes for your app. But we hope to at least provide you with a starting point...
 
----
 

Mass Market Encryption Classification Request
Letter of Explanation with Supplement No. 6 to Part 742 Responses
ACN Reference: Zxxxxxx
SNAP-R Reference: <REF YOU CHOSE ON SNAP-R>

Company Contact: <CONTACT>

To whom it may concern,

We're requesting that <PROGRAMNAME> be reviewed and classified as a Mass Market Encryption product. <PROGRAMNAME> is an iPhone application that will be sold through Apple Inc.'s iTunes App Store.

The following points provide the information requested under Supplement No. 6 to Part 742.

(1) State the name(s) of each product being submitted for review and provide a brief non-technical description of the type of product (e.g., routers, disk drives, cell phones, chips, etc.) being submitted.

<PROGRAMNAME> is <DESCRIPTION> that synchronizes sensitive personal data like <DESCRIPTION> via an HTTPS connection with a server.

(2) Indicate whether there have been any prior reviews of the product(s), if such reviews are applicable to the current submission. For products with minor changes in encryption functionality, you must include a cover sheet with complete reference to the previous review (Commodity Classification Automated Tracking System (CCATS) number, Application Control Number (ACN), Export Control Classification Number (ECCN), authorization paragraph) along with a clear description of the changes.

There have been no prior reviews of the product.

(3) Describe how encryption is used in the product and the categories of encrypted data (e.g., stored data, communications, management data, internal data, etc.).

Encryption is used to secure the transfer of personal communication (<KIND OF DATA>) and authentication information (<KIND OF DATA>) between the iPhone App and a server used for processing and synchronizing.

(4) For mass market review requests, describe specifically to whom and how the product is being marketed and state how this method of marketing and other relevant information (e.g., cost of product and volume of sales) are described by the Cryptography Note (Note 3 to Category 5, Part 2).

The product is being marketed through the iTunes App Store and therefore generally available to the public. There will be a marketing website at <WEBSITE> that gives further information and support for end users. This marketing website also links to the iTunes App Store where the App can be purchased. Cryptography Note’s List of Controlled Items (g) applies.

(5) Is any “encryption source code” being provided (shipped or bundled) as part of this offering? If yes, is this source code publicly available source code, unchanged from the code obtained from an open source web site, or is it proprietary “encryption source code?”

No encryption source code is being provided.

(b) State that a duplicate copy has been sent to the ENC Encryption Request Coordinator.

A duplicate copy has been sent to the ENC.

(c) For review requests for a commodity or software, provide the following information:

(1) Description of all the symmetric and asymmetric encryption algorithms and key lengths and how the algorithms are used, including relevant parameters, inputs and settings. Specify which encryption modes are supported (e.g., cipher feedback mode or cipher block chaining mode).

The encryption algorithms used in <PROGRAMNAME> are those provided by the iPhone OS, namely an HTTPS connection that is created via the public API NSURLConnection class implemented by iPhone OS. The iPhone OS HTTPS connection establishes a 128-bit AES encrypted connection.

(2) State the key management algorithms, including modulus sizes, that are supported.

N/A

(3) For products with proprietary algorithms, include a textual description and the source code of the algorithm.

N/A

(4) Describe the pre-processing methods (e.g., data compression or data interleaving) that are applied to the plaintext data prior to encryption.

The HTTP response bodies are GZIP compressed.

(5) Describe the post-processing methods (e.g., packetization, encapsulation) that are applied to the cipher text data after encryption.

The cipher stream is packetized into TCP packets.

(6) State all communication protocols (e.g., X.25, Telnet, TCP, IEEE 802.11, IEEE 802.16, SIP ...) and cryptographic protocols and methods (e.g., SSL, TLS, SSH, IPSEC, IKE, SRTP, ECC, MD5, SHA, X.509, PKCS standards...) that are supported and describe how they are used.

<PROGRAMNAME> connects to the server via HTTP 1.1 over TCP; the data is encrypted using TLS 1.0.

(7) Describe the encryption-related Application Programming Interfaces (APIs) that are implemented and/or supported. Explain which interfaces are for internal (private) and/or external (public) use.

No encryption-related APIs are implemented and/or supported.

(8) Describe the cryptographic functionality that is provided by third-party hardware or software encryption components (if any). Identify the manufacturers of the hardware or software components, including specific part numbers and version information as needed to describe the product. Describe whether the encryption software components (if any) are statically or dynamically linked.

The Apple iPhone OS 3.0 or later is used to establish the HTTPS connection. Its NSURLConnection class is dynamically linked into <PROGRAMNAME>.

(9) For commodities or software using Java byte code, describe the techniques (including obfuscation, private access modifiers or final classes) that are used to protect against decompilation and misuse.

N/A

(10) State how the product is written to preclude user modification of the encryption algorithms, key management and key space.

The product uses Apple’s iPhone OS public API for encryption. iPhone OS does not allow user modification of algorithms, key management and key space. <PROGRAMNAME> does not provide any proprietary modification or management functions related to encryption.

(11) License Exception ENC 'Restricted' commodities and software described by the criteria in §740.17(b)(2) require licenses to certain “government end-users.” Describe whether the product(s) meet any of the §740.17(b)(2) criteria. Provide specific data for each of the parameters listed, as applicable (e.g., maximum aggregate encrypted user data throughput, maximum number of concurrent encrypted channels, and operating range for wireless products). If the §740.17(b)(2) parameters are not applicable to the commodity or software, clearly explain why, (e.g., by providing specific data evaluated against the §740.17(b)(2) thresholds.)

N/A

(12) For products which incorporate an open cryptographic interface as defined in part 772 of the EAR, describe the Open Cryptographic Interface.

N/A

(d) For review requests for hardware or software “encryption components” other than source code (i.e., chips, toolkits, executable or linkable modules intended for use in or production of another encryption item) provide the following additional information:

N/A

(e) For review requests for “encryption source code” provide the following information:

N/A

 

Thank you for your consideration.

----
More on Animail at: http://theanimail.com

Posted by The Animail 

Comments (5)

Mar 06, 2010
Mustafa Isik said...
This is handy, thanks for sharing.
Mar 15, 2010
Andrew Lancaster said...
This is a great template and very useful; it would be good if Apple provided something like this on iTunes Connect. Would you consider posting the other steps you took (registering with SNAP-R, other submissions required) for a complete guide?
Mar 15, 2010
The Animail said...
There is already a very good source for the other steps at http://www.zetetic.net/blog/2009/08/03/mass-market-encryption-commodity-class...

You can use it as a complete guide (as I did), with the only exception that you don't need to include the Technical Specification document. Fortunately.

Jan 20, 2011
jogu said...
Note that this process has now changed (and is simpler!) - I found this blog post that describes the new process:

http://tigelane.blogspot.com/2011/01/apple-itunes-export-restrictions-on.html

Jan 20, 2011
The Animail said...
The last thing I heard concerning the topic was that SSL encryption alone does not require your app to get a CCATS approval any more. Can someone who experienced it first hand confirm this? I asked Apple about it but didn't get a confirmation from them.
