Crypto Disputes
For full versions of the stories below:
http://jya.com/kinkey.txt
----------
For two years, the IETF Security Group has labored to
hammer out the IP Security (IPSec) protocol, a standard way
that businesses can open up an encrypted link to a trading
partner's network. The link is encrypted after authentication
by means of an X.509 digital certificate at an IPSec-based
firewall or gateway.
But an unresolved, bitter dispute over the technique for
automatically swapping keys over the 'Net - referred to as
key management - has resulted in two incompatible schemes
in the IPSec specification.
In this battle of the acronyms, the debate centers on the
Simple Key Management for IP (SKIP), developed by Sun
Microsystems, Inc., and the Internet Secure Association Key
Management Protocol (ISAKMP), developed by the National
Security Agency.
----------
Responding to Sun's announcement that it would license
128-bit encryption algorithms from Elvis+Co., a Russian
company, the White House announced that it would look into
Sun's actions.
"Sun's strategy is another brick from a wall that is coming
down," said Jim Bidzos, president and CEO of RSA Data
Security. "And it highlights that something is wrong with the
U.S. policy."
Sun has approximately a 10 percent equity stake in Elvis+,
whose product is based on Sun's publicly available protocol,
Simple Key Management for IP (SKIP). The 10 percent
interest is thought to be key to keeping other companies from
licensing and reselling the same technology.
The government's resolve, however, may be breaking down.
Just last week, Sybase Inc. won approval to export database
and server products with 56-bit DES encryption, even though
the Emeryville, Calif., company has no model for key
recovery.
----------
SKIP, which stands for Simple Key management for Internet
Protocols, was submitted by Sun to the Internet Engineering
Task Force as an Internet standard. Included in SKIP E+ are
algorithms for 56-bit DES, two- and three-key triple DES,
and 64- and 128-bit ciphers for encrypting network traffic
and keys.
The security software was developed by Elvis+, a company
of former Soviet space scientists with offices near Moscow.
Sun bought a 10 percent interest in the company in 1993, but
does not take an active role, said Steven Hunziker, chief
operating officer of Russia Communications Research Inc.,
Los Gatos, Calif. RCR represents Elvis+'s products in the
U.S.
"RCR is really small - me and an accountant and two
lawyers - and they watch the law like hawks," Hunziker said.
"Elvis+ has kept a very careful distance from Sun, and those
guys don't need anything from Sun to create the technology
they're creating. The FBI and the CIA are just lazy, which is
why they object."
"We've developed key recovery technology and gotten
government approval, so we can export without having to
resort to what they did," said Ken Mendelson, corporate
counsel for Trusted Information Systems Inc., Glenwood,
Md.
----------
VeriFone today announced that its Secure Electronic Transaction
(SET)-based product suite has received export approval from the
US Department of Commerce, marking the first announcement
of a SET-based, end-to-end Internet commerce solution
containing full strength encryption technology to be approved
for international export.
VeriFone's vGATE, vPOS and vWALLET software employ
the SET encryption protocol for transactions over the
Internet, utilizing 1024-bit key size for public key encryption
and digital signatures, and 64-bit DES for bulk encryption.
This approval enables VeriFone to offer a higher level of
end-to-end encryption than was previously available from
U.S. corporations to international customers without special
permission from the U.S. government.
----------
IBM last week took the first steps to help software vendors
comply with federal encryption export rules, with the
release into beta of a new security tool kit.
----------