RSA Data Security: Firms cleverly selling strong crypto
But is Sun backing away from Elvis?
While U.S. export law bars U.S. companies from selling strong encryption outside the country, it allows foreign-based subsidiaries of U.S. firms to sell strong encryption but prohibits the U.S. company from offering any help in the development of that technology.
Pioneering the way for U.S. firms is C2Net Software Inc., which has subsidiaries outside the U.S. that develop and sell strong encryption software including proxy products that decrypt weak encryption coming into a Web server or a browser and re-encrypt it as strong encryption.
C2Net's subsidiaries in Australia and England also sell a Web server product called Stronghold that competes with Microsoft Corp.'s Internet Information Server (IIS) and Netscape Communications Corp.'s Enterprise Server but offers stronger encryption, said Doug Barnes, vice president of development at C2Net's Oakland, CA, office. And they offer a crypto engine that allows Windows NT users to replace the crypto engine in IIS with one that offers stronger encryption.
"Outside the U.S. [customers] want to use products like Microsoft or Netscape browsers or servers, but they're stuck with deliberately weakened encryption," he said.
In general, U.S. companies are allowed to export encryption that has ciphers, or keys, up to 56 bits in length. They may get approval to export stronger encryption if they agree to develop products under a key recovery scheme where the government would be able to decrypt the software under certain law enforcement circumstances.
Barnes and a lawyer for the firm acknowledged that the U.S. government may eventually try to disallow U.S. subsidiaries from selling strong encryption outside of the country, which Barnes called a "slippery slope."
In the meantime, C2Net is taking advantage of this window of opportunity to grow its company. "The encryption export laws are not popular with people who use the Internet and the fact that we're working around [the laws] endears us to many people," Barnes said.
Sun unsure of its Elvis plans?
Another firm that has explored alternatives for selling strong encryption worldwide is Sun Microsystems Inc. Last May the company announced that it would resell worldwide SunScreen SKIP E+ from a Russian company in which Sun has a 10 percent interest. The company, Electronic Computer and Information System, whose acronym is Elvis, adds strong encryption to Sun's SunScreen SKIP product and sells it outside the U.S.
However, a Sun spokesman said this week that the firm was rethinking that plan. "We currently do not resell" SunScreen SKIP E+ and the decision "to do so is under review," said Chris Tolles, Internet commerce and security marketing manager for Sun.
But a U.S.-based broker for Elvis products said Sun has said that ever since the U.S. Department of Commerce began looking into Sun's Elvis reseller decision. "We are still expecting it to happen," said Steven Hunziker, CEO of RCR (Remote Communications Resources Inc.) in Los Gatos, CA.
Sun has licensed the technology and products are "sitting on Sun shelves," he said, adding that Sun has exclusive rights to sell Windows 3.11 and Windows 95 versions, which it originally planned to begin selling in August. Elvis maintained exclusive rights for the Windows NT version, Hunziker said in a phone interview.
Tolles would not say why the company is rethinking its resale plans for the Elvis product, and other officials could not be reached for comment. However, other vendors and observers at the conference, as well as Hunziker, speculated that Sun is calculating how it can avoid upsetting one of its largest customers -- the U.S. government.
Meanwhile, Elvis is not selling its product inside the U.S. "We're waiting for Sun to either fish or cut the bait," said Hunziker. Elvis sells about 10,000 to 20,000 copies in other countries, mostly Russia, he said.
U.S. investments in foreign encryption companies
Many U.S. encryption companies have made investments in non-U.S. encryption companies to enable their customers outside the U.S. to use their products and use strong encryption, according to Peter Davies, program and technical manager of security systems for Racal Data Group in Sunrise, Florida. Racal's parent company is based in England, and there are a handful of sister companies in Australia, Hong Kong, Japan, and Europe.
But Racal didn't create its worldwide family of companies as a result of the U.S. export controls, he said. The company has always sold strong encryption globally and would save money by having one crypto development site, but varying regulations in different countries make that impossible. "It's a misnomer to say there aren't export controls outside the U.S.," Davies said.
"There are plenty of UK companies that complain about UK restrictions," said Paddy Holahan, vice president of Baltimore Technologies Ltd. based in Dublin, Ireland. His firm sells products which enhance existing browsers and email products to provide full strength encryption.
Holahan said Baltimore wasn't born out of the U.S. policy either. "We're not a mediocre software company filling a gap caused by U.S. laws," he said. Despite arguments made by the U.S. software industry, Holahan said, "companies with good crypto would be in business regardless of U.S. policy."
Cylink Corp.'s purchase of Algorithmic Research in Israel is another example of U.S. investment in outside encryption companies. The deal was not done to create a "back door to get around U.S. export" regulations, said Chuck Williams, chief scientist at Cylink.
IBM came up with its alternative about two years ago when it announced a deal with the U.S. government that would enable it to sell a 64-bit encryption version of Lotus Notes outside the U.S. under the condition that the U.S. government can have access to all but 40 bits of the crypto code, said Kathy Kincaid, director of IBM's information technology security programs.
U.S. companies are regularly obtaining approval to export software designed for identification or authentication purposes, as is used in key recovery systems, which the U.S. government is pushing and which corporations are looking at for internal use.
Litronic Inc. of Irvine, CA, was granted export approval for its NetSign identification and authentication smartcard. Now the company is hoping it will get approval to export its 128-bit NetSign Pro which includes 128-bit encryption for files and remote dial-up.
But Litronic isn't submitting a public key management plan as the U.S. policy requires. Litronic has applied for an export permit "but it doesn't mean we're going to get it," said Chandra Shah, vice president. "It's better to aim higher" at first, she said.