29 May 1997, Computer Reseller News:
Did Sun Skirt U.S. Encryption Law? -- Sun's Elvis link creates ruckus
Menlo Park, Calif. -- Blame it on Elvis.
Elvis+, the Russian encryption company, that is. Sun Microsystems Inc. plans to sell Elvis+'s technology outside the United States, as well as to import it into this country. But that means sidestepping U.S. encryption laws, a move that has raised a red flag in Washington.
The hubbub started last week when news of the plan slipped out without the approval of Sun Chairman and Chief Executive Scott McNealy, said sources inside and outside Sun.
"Sun made this announcement, and the subtext is we're defying the government," one source said. "We're watching very carefully."
Starting Aug. 15, Sun's international channels will resell SunScreen SKIP E+, software that creates Virtual Private Networks on Windows desktops connected to SKIP-enabled devices.
SKIP, which stands for Simple Key management for Internet Protocols, was submitted by Sun to the Internet Engineering Task Force as an Internet standard. Included in SKIP E+ are algorithms for 56-bit DES, two- and three-key triple DES, and 64- and 128-bit ciphers for encrypting network traffic and keys.
"We're doing this not to politicize encryption but to fulfill market demand," said Humphrey Polanen, general manager of Sun's Network Security Products Group. "We will work with the government so they understand that what we did is fully compliant with the letter and spirit of their rules. Their rules prohibit export, and we are not exporting anything."
The security software was developed by Elvis+, a company of former Soviet space scientists with offices near Moscow. Sun bought a 10 percent interest in the company in 1993, but does not take an active role, said Steven Hunziker, chief operating officer of Russia Communications Research Inc., Los Gatos, Calif. RCR represents Elvis+'s products in the U.S.
"RCR is really small -- me and an accountant and two lawyers -- and they watch the law like hawks," Hunziker said. "Elvis+ has kept a very careful distance from Sun, and those guys don't need anything from Sun to create the technology they're creating. The FBI and the CIA are just lazy, which is why they object."
The administration is "reviewing our regulatory posture with Sun" to ensure that its relationship with Elvis+ is in compliance with U.S. law, said a U.S. Department of Commerce spokeswoman. She said the matter could take days or weeks, and stressed the importance of including key recovery in encryption products.
Sun did not include key recovery, both because the software encrypts a message in transmission and because Sun is not exporting the software, a spokeswoman said.
Strong encryption is widely available over the Internet, and Polanen said both he and John Gage, director of Sun's science office, demonstrated that fact to the U.S. House of Representatives two weeks ago.
One encryption vendor, however, took a dim view of Sun's plan.
"We've developed key recovery technology and gotten government approval, so we can export without having to resort to what they did," said Ken Mendelson, corporate counsel for Trusted Information Systems Inc., Glenwood, Md.
"We think they're doing crypto-in-the-hole, and I imagine the government is going to evaluate it quite closely," Mendelson said. "Besides, what company is going to feel comfortable entrusting their sensitive information to cryptography developed by a company named Elvis+ in Russia?"
Michael Kanellos contributed to this story.