Date:      Thu, 29 May 1997 12:26:56 -0700
From:      "Jordan K. Hubbard" <jkh@time.cdrom.com>
To:        security@freebsd.org
Subject:   Just FYI..
Message-ID:  <29218.864934016@time.cdrom.com>

Subject: Sun Crypto Skirts Feds

Forwarded-by: Keith Bostic <bostic@bostic.com>
Forwarded-by: Jeff Reed <jreed@BSDI.COM>

Sun Crypto Skirts Feds
 By John Fontana, Communications Week

  Menlo Park, Calif. -- Sun Microsystems is prepared to take on the federal
government this week when it discloses plans to offer a product from Russia
that provides 128-bit and triple DES encryption over the Internet.

 The software, which Sun will offer worldwide, could help ignite electronic
commerce over the Internet. It could also lead to an all-out brawl between
Sun and the Feds.

 It is now illegal for a U.S. company to export encryption software that
exceeds 56-bit encoding. But it is legal to import such technology from
abroad, presuming the domestic vendor had no role in its development.

 "The government will try to link Sun to the development of this product
and go after them, or this will open the floodgates on strong encryption,"
said John O'Leary, the director of education at the Computer Security
Institute in San Francisco.

 "The government will find that we are in full compliance with the letter
of the law," maintained Humphrey Polanen, general manager of Sun's security
and electronic-commerce group. "We took great pains to stay within the
legal requirements." Polanen said a key factor was that Sun offered no
technical assistance in the development of the software, although it is
based on a protocol the company published publicly nearly two years ago.

 The product Sun will OEM is Secure Virtual Private Network for Windows.
Developed by Moscow-based ElvisPlus Co., the product will be sold through
Sun channels under the name PC SunScreen SKIP E+. The software is based on
Sun's Simple Key Management for IP (SKIP) encryption and key management
technology. It will ship with algorithms for 56- and 64-bit DES, two- and
three-key triple DES and 128-bit ciphers for both traffic and key
encryption.

 SKIP, a published specification, had been submitted to the Internet
Engineering Task Force for standardization, but the draft proposals have
expired, a source said.

 The software manages keys for exchanging encrypted data and can sit on any
machine, including desktops, servers and routers. Because it operates at
the network level, it can work with any IP transmission and does not
require any modification to existing applications.

 Sun's plan to import the Russian technology neatly sidesteps current U.S.
restrictions. To export encryption software using a key code in excess of
40 bits, a U.S. business must first get government approval.

 Furthermore, the would-be exporter must have a plan in place to supply a
key recovery model within a two-year time frame before receiving approval.
SKIP E+ does not include a model for key recovery, and Sun did not seek
government approval for the product, but the computer maker expects to
provide the software to the global offices of its U.S.-based customers and
others through third-party distributors.

 Sun's newly formed Security Group--and before that its Internet Commerce
Group--has worked for two years with the company's legal and
export-compliant government regulatory departments laying the groundwork
that led to the OEM deal, and this will be the first time a major U.S.
computer company has offered U.S.-based corporations 128-bit and triple DES
encryption for global use. Given President Clinton's lack of support for
current efforts to lift encryption export restrictions, Sun is anticipating
a major backlash from the Clinton administration. A White House
spokesperson declined comment.

 But a source familiar with the administration's handling of encryption
policy was doubtful that the White House would wage a full-scale attack on
Sun.

 "What Sun had to go through to release a product like this points up the
folly of the current policy," commented Rep. Bob Goodlatte (R-Va.), who
authored a bill that would prohibit mandatory key recovery.

 Last week, Goodlatte's bill, the Security and Freedom through Encryption
(SAFE) Act, was approved by the House Judiciary Committee, marking the
first time any encryption legislation had made it out of committee. It
could take another eight to 12 months, however, before it moves through the
full House and Senate and on to the president.

 The computer industry and retail and banking groups are vehemently opposed
to the export restrictions and have been trying to find ways around them.

 Hewlett-Packard, IBM, Trusted Information Systems and others have formed a
Key Recovery Alliance as a way to work within the current law pending
relaxation of the restrictions. And RSA Data Security Inc. has bought a
Japanese software vendor, now called Nihon-RSA.

 But Sun believes it will be some time before other software companies can
match its efforts.

 Several products incorporate the SKIP protocol, including Sun's own line
of SunScreen security products, Firewall-1 from Check Point Software
Technologies Ltd. and SmartGate from VOne Corp. Sun says it is also
negotiating with two leading router vendors.

 SKIP E+ provides encryption and authentication of any IP-based
communication, including Telnet, HTTP, SQL requests and SMTP, while it
manages encryption keys, negotiates data transfers and controls access to
data through a three-tiered approval process.

 Sun says work still remains to create a management model for the access
lists network administrators would need to create for a global system.

 "You'll see some announcements in a month or two that take care of the
overall management headache for this," said Chris Tolles, product manager
for the network security products group. "We're moving forward with
solutions that get to the large-scale access control list distribution
problem. It's a key issue for wide-scale deployment."

 SKIP E+ will be available Aug. 15 and will run on Windows 3.11, Windows 95
and Windows NT. It is compatible with most commercial TCP/IP stacks for
Windows 3.x, Windows 95, NT 3.5 and NT 4.0. ElvisPlus plans to make
evaluation copies available on its Web site. 

Copyright (c) CMP Media, 1996.


