Both Netscape Communications (NSCP) and Microsoft (MSFT) said today that they received permission from the Commerce Department to export 128-bit encryption in their Internet software, including Netscape's Communicator suite and Microsoft's Internet Explorer, but only banks and their online customers will be able to take advantage of the full security in the browsers.
The announcements come amid a flurry of export licenses granted under new U.S. encryption regulations. Under the rules, which went into effect January 1, any encryption software using 56 bits or more cannot be exported unless the users store their keys, or access codes, so that law enforcement agents can intercept and decrypt suspicious electronic communications quickly and without the user's knowledge. Last week, a team of computer scientists linked thousands of PCs over the Internet to crack a 56-bit code as part of a crypto company contest.
However, an exemption to the regulations allows a software firm to bypass the key recovery condition if the government is convinced the product has narrow financial applications. Such an exemption was granted earlier this year to Open Market.
The Communicator approval, along with the green light to export 128-bit versions of Netscape's SuiteSpot server software to financial institutions, means that foreign banks can securely connect their employees and their customers using Netscape software without participating in key recovery. Anyone can download the 128-bit version of Communicator, but the 128-bit protection doesn't kick in unless the user is connected to a SuiteSpot server that uses the same level of encryption, Netscape said.
"This is different than someone encrypting a credit card number and sending it over the Net," said Netscape chief scientist Taher Elgamal. "This is an entire connection encrypted with strong encryption. It's based on the fact that the bank is a trusted entity."
For now, banks and their customers will be the only users of strongly encrypted Communicator and SuiteSpot, but the products themselves are the standard issue, company representatives said.
Meanwhile, Microsoft said it will build 128-bit encryption into both domestic and export versions of Internet Explorer 4.0, Money 98, and Internet Information Server. As with Netscape's license agreement, Microsoft's 128-bit encryption will only work for banks and other financial institutions.
To ensure such narrow usage, Netscape is using VeriSign's digital certificate technology to allow strong, secure connections between a bank using the SuiteSpot server and a client using the Navigator 4.0 browser within Communicator. Digital certificates are like ID tags that verify the integrity of transmitted data and the identity of the sender.
The approved version of SuiteSpot incorporates a 128-bit extension to the X.509 certificate. When Communicator contacts the server, it reads the server's certificate, verifies the tag, and the two pieces of software establish a private channel of communication protected by 128-bit encryption.
Clients using Communicator will only be able to get such a connection with SuiteSpot servers, but there's nothing technical preventing other server makers from providing the same service, according to VeriSign product line manager Greg Smirin.
"If other companies decide to follow Netscape's lead, there's no technical reason the same solution wouldn't work," Smirin said. "The big issue is the [government's] approval process."
Microsoft software will also use digital certificates to establish 128-bit encrypted connections between banks and clients, but the company did not say which certificate authority will handle the distribution of certificates. It is unclear whether the Microsoft and Netscape certificate schemes will be interoperable.
Even while it has granted more room for export of encryption without key recovery, the Clinton administration is pushing Senate legislation that aims to establish mandatory key recovery in certain domestic situations. It's a paradox that has at least one opponent of the government policy scratching his head.
"Between Congress and the export decisions of the last few months, it's hard to get a handle on the administration's policy," said David Sobel, legal counsel for the Electronic Privacy Information Center. "It's pretty clear that the administration is driving the McCain-Kerrey bill, which is a hard-line approach. But on the other hand, they're seeking to create the impression that there's a liberalization of export policy."
In other encryption news, Trusted Information Systems announced that it will ship its RecoverKey CSP desktop encryption software in August. RecoverKey CSP installs on Windows 95 and NT desktops and allows users to encrypt files on the fly.
It also will encrypt files of any Windows application that supports Microsoft's CryptoAPI specifications. Domestic versions of the product will not need key recovery, but international versions will require users of strong encryption to give recovery agents access to their keys.