Sun dodges crypto export limits

A Russian firm will ship 128-bit encrypted security software to Sun Microsystems' overseas customers.

Pulling an end-run around U.S. limits on exporting strong encryption, Sun Microsystems (SUNW) announced today that advanced security software based on Sun's SKIP (Simple Key Management for the Internet Protocol) encryption and key management protocol will soon be available outside the United States.

The software, created by Russian firm Elvis+, allows non-U.S. customers to use 128-bit encryption. Sun will market Elvis+'s Secure Virtual Private Network software under the name SunScreen SKIP E+. Customers who buy through Sun will have the product shipped directly from the Russian firm to any overseas location.

Strong encryption is considered a cornerstone for conducting electronic commerce and secure communications over the Internet, but law enforcement and spy agencies worry that terrorists and other criminals could use strong encryption to foil wiretaps.

U.S. software firms argue that the current limits mean overseas customers simply buy encryption elsewhere.

"We are not exporting this cryptology, we are making it available through a third party," said Smita Deshpande, director of marketing for Sun's network security products group.

Officials at the Commerce Department, which oversees encryption exports, could not be reached to comment. Sun officials said they had not informed government officials of their plans to use the Russian supplier's encryption for Sun's overseas customers. Deshpande said Sun had worked closely with attorneys to make sure the company does not violate export laws.

Encryption uses complex mathematical formulas to scramble the contents of messages or documents sent over a network. Unscrambling the message requires that the recipient have a "key" provided by the sender.

Since January, the Clinton administration has allowed exports of 56-bit encryption algorithms, provided that such products have keys stored so law enforcement agents, with a court order, can unlock an encrypted message.

Those rules were recently loosened to allow encryption in financial transaction software to use the strongest algorithms necessary. Longer key lengths make encrypted data harder to crack.

To close loopholes like the one Sun is using, the U.S. government is working to convince other industrial nations to impose similar restrictions on encryption and help create a global key-recovery infrastructure.

SunScreen SKIP E+ software will support 56-bit DES, two- and three-key triple DES, as well as 64- and 128-bit ciphers for traffic and key encryption algorithms. There is no key recovery technology built into the product.

Sun developed SKIP as a data encryption and authentication protocol for computer networks. Sun has made the protocol publicly available for more than two years, and other overseas vendors also are developing products based on SKIP.

Sun said SunScreen SKIP E+ will be available August 15. It is priced from $99 for a single-user Windows 3.x and Windows 95 license, and at $149 for a Windows NT version. Evaluation copies of the software can be downloaded from the Elvis+ Web site.