Cylink wins approval for strong encryption

The security vendor wins approval from the U.S. Commerce Department to export encryption technology, possibly the strongest available, to European central banks.

Security vendor Cylink (CYLK) has won approval from the U.S. Commerce Department to export encryption technology, possibly the strongest available, to European central banks.

The export license is significant because it apparently covers the strongest encryption ever approved for export by the government, and export has been approved despite the lack of a key recovery mechanism. The device uses a 168-bit Triple DES (data encryption standard) algorithm that Cylink developed.

"We are open for business with strong encryption in the European financial community," John Kalb, Cylink's vice president of strategy and business development, said today. "This seems to be a growing requirement for financial institutions in Europe."

The license allows Cylink to sell its "link encryptor" hardware to the European Monetary Institute, a consortium of about 15 central banks. Sales to other customers will require new approvals.

"This approval took four and a half months because it was the first," Kalb said. "Typically, the first one is toughest. My guess is that this will make it easier for others [companies] to do."

The Commerce Department confirmed Cylink's license, but would not say whether it is the strongest encryption now approved for export.

"Approving Cylink's license for this very strong encryption product demonstrates the Clinton Administration's commitment to the growth of secure electronic commerce worldwide," William Reinsch, undersecretary of commerce for export administration, said in a statement to be released tomorrow by the Commerce Department.

Cylink and others--including IBM, Digital Equipment, Netscape, Open Market, Trusted Information Systems, and V-One--had earlier won approval to export 56-bit or 128-bit encryption provided they indicate a willingness to establish a form of "key recovery."

Key recovery means the cryptographic keys used to scramble data are stored so that a law enforcement agency, with court approval, could decrypt the information. Key recovery has been a hot topic because many people don't like the idea that the U.S. government could get access to information they want encrypted.

Many U.S. technology firms object to key recovery because they say it costs them business overseas--products from European and Israeli vendors, for example, compete with Cylink's hardware, which encrypts the transmission of data over a public phone network. The link encryptor costs $5,000 to $10,000, Kalb said.

The government's limits on encryption exports are designed to prevent terrorists and other criminals from scrambling messages so that they cannot be deciphered.

Although the Commerce Department regulates sales of encryption outside the United States and Canada, exports to financial institutions are handled differently than encryption used for other purposes. That's because governments can obtain information on encrypted financial transactions by other means: banks are highly regulated and are required to keep records and make disclosures under court orders.

"The government says there will be considerable leniency for financial applications that allow [government agencies] to recover transactions," said Lauren Hall, chief lobbyist on encryption issues for the Software Publishers Association.

In a May 1997 directive, the government gave special export status to encryption in products by financial institutions, including home banking software.

A Commerce Department spokeswoman said the current policy allows encryption exports without limits on strength for hardware and software used exclusively by financial institutions. Also, if the crypto was in a commercially available product being used by banks, the government allows overseas sales for encryption stronger than 56 bits if the manufacturer has filed a plan to move toward key recovery.

However, regulations implementing that directive have not been issued and remain under discussion among several federal agencies. Whether insurance companies are considered financial institutions and whether stronger encryption can be used in software for employees accessing their 401(k) retirement plans over the Net are just a few of the issues still under scrutiny.