VerSecure gets U.S. approval

The federal government OKs Hewlett-Packard to export its crypto product to nine new countries, bringing the total number to 17.

Jan. 2, 2002 4:43 p.m. PT

2 min read

Hewlett Packard said today it has won U.S. government approval to export its VerSecure encryption technology to nine new countries, raising the total to 17 nations where products with VerSecure built in can be shipped to. Those nations represent more than 80 percent of Internet users world wide, the company said.

The new export approvals are a major coup for HP, which in February 1998 announced approval to ship VerSecure-enabled products to Denmark, the United Kingdom, Germany, France, and Australia. The new approvals are primarily for Western Europe, plus New Zealand. In May 1998, HP added Japan to the approved list for exports.

"This technology allows manufacturers in the United States to ship electronic business-ready products around the world," said Glenn Gramling, marketing manager for HP's VerSecure technology. "It opens new markets to them."

HP's announcement comes as a major security conference opens in San Jose, California, and encryption export policy is always a hot topic at the conference. Later today, another HP unit is scheduled to announce enhancements to its security offerings for large companies.

Manufacturers can build VerSecure into devices such as cell phones, PCs, or handhelds that use encryption or data-scrambling techniques. U.S. law restricts the export of strong encryption by requiring approval from the Commerce Department after a review by the FBI, National Security Agency, and other federal agencies.

VerSecure uses 128-bit Triple-DES encryption, considered fairly strong, but then cripples the encrypting capabilities in devices created for export. When they are shipped to an approved nations, the strong encryption can be turned back on in accordance with that nation's laws.

While the United States limits exports of strong encryption, other countries restrict the use of encrypted products domestically. Others, including France, require manufacturers to use encryption technologies created within their own country.

VerSecure addresses both issues by allowing manufacturers to put encryption back into their products based on rules in the country where the devices will be sold. That process also satisfies the U.S. government.

The latest approvals allow VerSecure-enabled devices to be sent to Belgium, Iceland, Italy, Luxembourg, Netherlands, New Zealand, Norway, Portugal, and Spain.

Major U.S. firms including Microsoft and HP rival IBM back the VerSecure technology, which HP says is unique to the company.

Relatively few products have been announced using VerSecure, however, although in October HP and Wave Systems announced a programmable security chip designed to be built into PCs. NEC> has committed to use the chip in desktop PCs this year, and HP's PC unit is considering the same.

Products that use VerSecure require a review and second approval from the Commerce Department before they can be shipped to approved countries.

While VerSecure, a form of "firmware," is built into hardware devices, it also can benefit software companies that sell overseas. Overseas customers that want strong encryption, which software publishers are restricted from using in their products without approval, can use VerSecure-enabled PCs or other devices for strong encryption, even when running software with weaker ciphers.