The approval lets Cylink sell overseas to international banks and financial institutions and to subsidiaries of U.S. multinational firms. The approval, which Cylink claims is the broadest of its kind, follows a limited export license Cylink won in December to sell its technology to a specific customer, a consortium of European central banks.
"This is a market opening for us--the earlier permission was restricted," said John Kalb, Cylink's vice president of strategy and business development. "It's the first broad permission for this level of encryption."
The approval brings the practical realities of getting export licenses for encryption products in line with the policies, which have officially sanctioned overseas sales of strong crypto for banks and U.S. multinationals, he added.
The approval applies to Cylink's "link encryptor" line of hardware devices for encrypting communications over public networks to create virtual private networks (VPN). Cylink's remote access software, PrivateWire, is not covered by the license. Cylink's hardware costs $5,000 to $50,000.
Encryption uses mathematical algorithms to scramble data so it cannot be read without a cryptographic "key" to decrypt the information. Key recovery refers to a system for storing a cryptographic key so a company or government agency with a search warrant can gain access to it to decrypt information.
Triple-DES (data encryption standard) encrypts data three times using 56-bit DES keys, making the equivalent of 168-bit encryption--millions of times stronger than single DES. The Commerce Department generally does not approve export of encryption keys stronger than 56 bits without key recovery.
However, exports of strong encryption for financial institutions have generally been allowed under Commerce practices because banks retain information on encrypted transactions so law enforcement can recover encrypted data through means other than key escrow.
In February, Hewlett-Packard won a preliminary go-ahead to export technology that offers strong 128-bit and triple-DES encryption for managing and providing crypto services. But HP's product has optional key recovery, and companies that use HP's VerSecure technology will need another government approval to sell overseas.
Citing legal restrictions, the Commerce Department would not confirm Cylink's claim to be the first U.S. firm given such broad approval to export strong encryption products without key recovery.
"I am pleased we were able to approve the license allowing Cylink to export their strongest encryption products to financial institutions and multinational firms around the world. U.S. companies can and should be able to compete in this rapidly growing market," William Reinsch, undersecretary of Commerce for Export Administration, said in a statement.
Under the license, Cylink's triple-DES hardware can be used to protect communications and transactions within a bank or between banks, including teleconferencing. Multinationals can use Cylink hardware to secure proprietary data of subsidiaries.
But Lauren Hall, an encryption lobbyist for the Software Publishers Association, downplayed the significance of the approval.
"This is not inconsistent with positions the Department of Commerce has taken in the past, especially with regard to financial institutions and American subsidiaries," said Hall, whose organization is pushing for an overall loosening of controls on encryption sales overseas.
"If that's going to be a criterion used to grant export licenses in the future, then it should be codified" and not be simply a de facto policy, she added.
Several companies have won export approval for 56-bit or 128-bit encryption products, provided they indicate a willingness to establish a form of key recovery in the future.
In a May 1997 directive, the government gave special export status to encryption in products by financial institutions, including home banking software.