Feds Review Sun's Crypto -- Security experts praise computer giant's plans to skirt encryption export restrictions

Disclaimer: This information comes from sources that cannot be verified. As such, make no assumptions about its completeness or accuracy. We endeavor to keep this information up to date as much as possible. Feel free to send comments/ updates to the Security News Editor.

29 May 1997, Communications Week:

Feds Review Sun's Crypto -- Security experts praise computer giant's plans to skirt encryption export restrictions

Critics of the government's restrictions on the export of strong encryption last week hailed Sun Microsystems' plan to skirt the policy. But the White House said that it would see just how clever the computer giant really is.

Responding to Sun's announcement that it would license 128-bit encryption algorithms from Elvis+Co., a Russian company (CommWeek, May 19), the White House announced that it would look into Sun's actions.

"We are reviewing our regulatory posture with Sun to ensure that their arrangement with the Russian encryption company is in compliance with U.S. export controls," the statement said. A spokesman at the Department of Commerce, which handles the export regulations, stressed that the administration was reviewing the relationship and not conducting an investigation.

A representative of Sun, which plans to import the Russian technology and then distribute it worldwide, said the Mountain View, Calif., company was not prepared to make a statement on the White House review before press time.

The government's policy forbids export of strong encryption without U.S. approval. Critics say Sun's move helps build the case for wiping out the restrictions altogether. Such a move would allow IS and network managers to deploy highly secure networks and extranets worldwide.

"Sun's strategy is another brick from a wall that is coming down," said Jim Bidzos, president and CEO of RSA Data Security Inc., Redwood City, Calif. "And it highlights that something is wrong with the U.S. policy."

Bidzos, whose own company established a division in Japan to distribute strong encryption, said Sun obviously put a lot of thought into its strategy and apparently believes the government will be hard-pressed to poke holes in it. Sun has said it spent two years working with its legal department on the strategy.

The company licensed an encryption product from Moscow-based Elvis+ that offers 128-bit and two- and three-key triple DES encryption and will resell it worldwide under the name PC Sunscreen SKIP Elvis+

Sun has approximately a 10 percent equity stake in Elvis+, whose product is based on Sun's publicly available protocol, Simple Key Management for IP (SKIP). The 10 percent interest is thought to be key to keeping other companies from licensing and reselling the same technology.

Humphrey Polanen, general manager of Sun's security and electronic-commerce group, was confident the government would find Sun "in full compliance with the letter of the law." He said a major factor was that Sun offered no technical assistance in the development of the software.

The statement from the White House said it had not evaluated the product and could not comment on it.

"This could be the user's manual for breaking the camel's back," said Marc Rotenberg, director of the Washington, D.C.-based Electronic Privacy Information Center. Rotenberg's reference was to the policy that bars the export of encryption over 56 bits without government approval. Companies seeking to export 56-bit products also must have a system in place within two years for key recovery. Sun has neither government approval nor a method to recover keys.

The government's resolve, however, may be breaking down. Just last week, Sybase Inc. won approval to export database and server products with 56-bit DES encryption, even though the Emeryville, Calif., company has no model for key recovery.

The administration wants access to keys in criminal investigations because of concerns that strong encryption products could fall into the hands of terrorists. Such products, however, already are available from nearly 30 foreign companies.

If found in violation of the export controls, Sun and some of its executives might face civil and/or criminal penalties fromthe Department of Justice.