today unveiled a security framework, endorsed by the State Department
, which is designed to be flexible enough to adapt to shifting rules about how strong encryption can be to still be exported.
HP chairman, CEO, and president Lewis Platt said the International Cryptology Framework (ICF) will remove a significant barrier to conducting electronic commerce on the Internet. It also would allow U.S. software companies to make a single version of their software to be used both domestically and overseas.
With ICF, strong encryption could be built into software and hardware devices but disabled on versions that are exported. When a user switched on software in Europe, for example, the software would check with a clearinghouse to determine what level of encryption could be used. The clearinghouse could detect the user's location and issue appropriate instructions.
ICF does not solve policy debates over what level of encryption can be exported, but it does provide a flexible framework that can accommodate changes as policies evolve.
"We have provided a framework that lets customer have best, strongest encryption available at any point in time," Platt told a Washington, D.C., press conference.
ICF uses Microsoft's Crypto API, an interface for building secure software applications, and Trusted Information Systems' cryptographic key recovery capability.
Intel also said it would manufacture and distribute hardware that will include the ICF technology, which is based on RSA Data Security encryption. Also backing the framework are Netscape Communications, Oracle, Informix, VeriFone, and smart card manufacturer Gemplus.
In addition to preliminary backing by the State Department, HP said the governments of France and England also endorsed ICF.
Among the ICF elements are the following:end user hardware including a PC, smart phone, and network computer.
Policy Activated Token, a smart card or software module downloaded from the Internet, which regulates what kind of encryption may be used based on the user's location and relevant government rules. The PAT token can be updated as government rules on encryption change.
cryptographic unit or system, on the user's system, that does encrypting or decrypting when activated by the PAT.
network security service, a government or government-accredited agency that activates the PAT tokens and adjusts them to national requirements.
A hardware-based system is inherently more secure than software, experts say, because it is harder for hackers to circumvent.
HP will design and license ICF and enable many of its products to support the framework. Products using an ICF cryptography unit can be exported to most locations without restrictions or controls, the company said. HP said the first products based on ICF would become available next year.
HP's Platt said the ICF initiative does not conflict with an IBM-led effort to create a "key recovery" system that would comply with U.S. export regulations.
On Friday, President Clinton issued an executive order liberalizing those export controls if the products include a key that lets government decode messages after receiving a court order or similar authorization. Without a key, strong encryption still cannot be exported.
HP said it will open up its architecture for external review.