Sybase crypto OK for export

The Commerce Department approves Sybase's software for export although its encryption doesn't meet the letter of the law.

Sybase (SYBS) said today that the Commerce Department has approved for export several of its software products that use the highly secure 56-bit Data Encryption Standard (DES) even though Sybase doesn't provide some key recovery elements the government has insisted on in the past.

Sybase claimed to be the first software company to win such a waiver, and suggested that although the Clinton administration has publicly stuck to its hard-nosed policy on key recovery and key escrow, it's acting otherwise in specific cases.

"I think this shows that the administration is coming to realize what the U.S. software industry and Congress have recognized--the current rules don't work," said Tom Parenty, Sybase's director of data and communications security and the man who crafted the plan.

"I was surprised and very pleased [by the decision], and I hope that it is indicative of the administration coming around. There does seem to be a disconnect between formal policy announcements and how they are implementing the policy," he added.

Parenty said Sybase's plan does not require key recovery for encrypted communications over networks; instead it applies only to stored data. In addition, users of Sybase software may opt not to use key recovery at all.

"We thought that we needed to do something to get beyond the current impasse, this unbridgeable void between industry and government," Parenty said. "The technology to do this is sound, unlike a lot of the third-party key escrow schemes that are talked about. It is something we as an industry know how to do."

Existing U.S. software export regulations only allow export of 56-bit DES with a key recovery plan for both communications and stored data.

The U.S. software industry has criticized those export regulations, but several vendors have won export approval with plans that follow those rules. High-tech industry lobbyists have been active on the issue, and a number of bills are pending in Congress to change the government's position.

Parenty said Sybase created its key recovery mechanism to meet business needs, not government policy. He noted that companies may need access to data encrypted by one employee when that employee is not reachable, and the Sybase plan, which allows an internal key recovery agent inside a company, addresses that issue.

Sybase said its key recovery plan approved by the Commerce Department would allow export of 128-bit encryption for both communications and stored data once Sybase has developed the key recovery mechanism.

The export approval applies to Adaptive Server 11.5, the next generation of Sybase's flagship database product; SQL Server 11.0; and Jaguar CTS (component transaction server) for building Internet business applications.

Parenty said Sybase would share the approach that won approval with others in the industry.