From owner-freebsd-security Thu May 29 12:34:38 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA04349 for security-outgoing; Thu, 29 May 1997 12:34:38 -0700 (PDT)
Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA04336 for ; Thu, 29 May 1997 12:34:34 -0700 (PDT)
Received: from time.cdrom.com (jkh@localhost [127.0.0.1]) by time.cdrom.com (8.8.5/8.6.9) with ESMTP id MAA29222 for ; Thu, 29 May 1997 12:26:56 -0700 (PDT)
To: security@freebsd.org
Subject: Just FYI..
Date: Thu, 29 May 1997 12:26:56 -0700
Message-ID: <29218.864934016@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Subject: Sun Crypto Skirts Feds
Forwarded-by: Keith Bostic
Forwarded-by: Jeff Reed

Sun Crypto Skirts Feds

By John Fontana, Communications Week

Menlo Park, Calif. -- Sun Microsystems is prepared to take on the federal government this week when it discloses plans to offer a product from Russia that provides 128-bit and triple DES encryption over the Internet.

The software, which Sun will offer worldwide, could help ignite electronic commerce over the Internet. It could also lead to an all-out brawl between Sun and the Feds.

It is now illegal for a U.S. company to export encryption software that exceeds 56-bit encoding. But it is legal to import such technology from abroad, presuming the domestic vendor had no role in its development.

"The government will try to link Sun to the development of this product and go after them, or this will open the floodgates on strong encryption," said John O'Leary, the director of education at the Computer Security Institute in San Francisco.

"The government will find that we are in full compliance with the letter of the law," maintained Humphrey Polanen, general manager of Sun's security and electronic-commerce group. "We took great pains to stay within the legal requirements."

Polanen said a key factor was that Sun offered no technical assistance in the development of the software, although it is based on a protocol the company published publicly nearly two years ago.

The product Sun will OEM is Secure Virtual Private Network for Windows. Developed by Moscow-based ElvisPlus Co., the product will be sold through Sun channels under the name PC SunScreen SKIP E+.

The software is based on Sun's Simple Key Management for IP (SKIP) encryption and key management technology. It will ship with algorithms for 56- and 64-bit DES, two- and three-key triple DES and 128-bit ciphers for both traffic and key encryption.

SKIP, a published specification, had been submitted to the Internet Engineering Task Force for standardization, but the draft proposals have expired, a source said.

The software manages keys for exchanging encrypted data and can sit on any machine, including desktops, servers and routers. Because it operates at the network level, it can work with any IP transmission and does not require any modification to existing applications.

Sun's plan to import the Russian technology neatly sidesteps current U.S. restrictions. To export encryption software using a key code in excess of 40 bits, a U.S. business must first get government approval. Furthermore, the would-be exporter must have a plan in place to supply a key recovery model within a two-year time frame before receiving approval.

SKIP E+ does not include a model for key recovery, and Sun did not seek government approval for the product, but the computer maker expects to provide the software to the global offices of its U.S.-based customers and others through third-party distributors.

Sun's newly formed Security Group--and before that its Internet Commerce Group--has worked for two years with the company's legal and export-compliant government regulatory departments laying the groundwork that led to the OEM deal, and this will be the first time a major U.S. computer company has offered U.S.-based corporations 128-bit and triple DES encryption for global use.

Given President Clinton's lack of support for current efforts to lift encryption export restrictions, Sun is anticipating a major backlash from the Clinton administration. A White House spokesperson declined comment. But a source familiar with the administration's handling of encryption policy was doubtful that the White House would wage a full-scale attack on Sun.

"What Sun had to go through to release a product like this points up the folly of the current policy," commented Rep. Bob Goodlatte (R-Va.), who authored a bill that would prohibit mandatory key recovery.

Last week, Goodlatte's bill, the Security and Freedom through Encryption (SAFE) Act, was approved by the House Judiciary Committee, marking the first time any encryption legislation had made it out of committee. It could take another eight to 12 months, however, before it moves through the full House and Senate and on to the president.

The computer industry and retail and banking groups are vehemently opposed to the export restrictions and have been trying to find ways around them. Hewlett-Packard, IBM, Trusted Information Systems and others have formed a Key Recovery Alliance as a way to work within the current law pending relaxation of the restrictions. And RSA Data Security Inc. has bought a Japanese software vendor, now called Nihon-RSA.

But Sun believes it will be some time before other software companies can match its efforts.

Several products incorporate the SKIP protocol, including Sun's own line of SunScreen security products, Firewall-1 from Check Point Software Technologies Ltd. and SmartGate from VOne Corp. Sun says it is also negotiating with two leading router vendors.

SKIP E+ provides encryption and authentication of any IP-based communication, including Telnet, HTTP, SQL requests and SMTP, while it manages encryption keys, negotiates data transfers and controls access to data through a three-tiered approval process.

Sun says work still remains to create a management model for the access lists network administrators would need to create for a global system.

"You'll see some announcements in a month or two that take care of the overall management headache for this," said Chris Tolles, product manager for the network security products group. "We're moving forward with solutions that get to the large-scale access control list distribution problem. It's a key issue for wide-scale deployment."

SKIP E+ will be available Aug. 15 and will run on Windows 3.11, Windows 95 and Windows NT. It is compatible with most commercial TCP/IP stacks for Windows 3.x, Windows 95, NT 3.5 and NT 4.0. ElvisPlus plans to make evaluation copies available on its Web site.

Copyright (c) CMP Media, 1996.