Crypto companies regroup

Faced with unpopular restrictions on the export of encryption, an alliance of companies developing "key recovery" storage systems has added 29 new members.

CNET News staff
3 min read
In the face of the Clinton administration's unpopular new encryption policy, 29 companies have joined an alliance of companies developing "key recovery" storage systems, a necessary element in the new government policy that both the government and software companies would like to control.

Key recovery systems store the codes needed to unlock encryption schemes so that encrypted messages or software can be decoded. In return for a liberalization of the export restrictions on encryption, the government insisted on creating key recovery so that law enforcement agencies could decrypt communications involved in criminal investigations.

The key recovery alliance's original 11 members, including IBM, Hewlett-Packard, RSA Data Security, and Apple Computer, tentatively agreed in October to work with the government to create such key recovery systems. The alliance maintains that key recovery is also a necessary tool for businesses which have employees that communicate by way of encrypted messages. If an employee leaves the company, dies, or loses the software key, for example, some method of key recovery is necessary.

"Key recovery is a critical enabling technology for expanding global commerce," said Burt Tregub, vice president of strategic programs at Cylink, a new alliance member.

But the government's latest key recovery rules do not let businesses store their own keys and industry representatives say this could kill the commercial viability of key recovery systems at home and abroad. One official from alliance leader IBM said the industry will defy the rules and that alliance members would press on with development of key recovery systems that would satisfy their customers' needs, not the government's rules.

Big Blue today announced its own SecureWay Framework to provide a technology umbrella under which different encryption systems can interoperate, a necessary condition for large companies that use different encryption schemes of varying strengths in different departments or locations. Hewlett-Packard also has a hardware-based framework that allows for interoperability of ncryption systems.

But these systems conflict with the restrictions spelled out in the latest draft of government encryption regulations.

"The guidelines are not acceptable to our customers," said Brian O'Higgins, director of Nortel's Secure Networks division. Nortel, another new alliance member, makes Entrust, the key management system licensed by IBM for its framework.

The problem is that Entrust lets users store their own keys, O'Higgins said. He added that it would be possible to implement the system so that a trust company independent of both the government and the user would control the storage of the keys, but that such third-party storage wouldn't be very palatable to customers, said O'Higgins.

The government's new rules take effect on January 1. No one sees much room to argue given the short notice and the holidays coming up. Once the new rules take effect, software industry representatives predict customers will look abroad for encryption systems, a possibility of which the Clinton administration is well aware.

President Clinton's November 15 executive order that gave the Commerce Department jurisdiction over crypto export also created the post of encryption czar, an ambassador-at-large that will actively lobby other countries with high-tech industries such as the United Kingdom, Japan, and France to harmonize their laws with U.S. regulations.

Until other countries agree to mirror U.S. regulations, however, multinational companies will take advantage of looser export laws abroad.

"You already see U.S.-based companies export from other parts of the world," said Nortel's O'Higgins. "I'm more fortunate to have the option to ship from Canada and the United Kingdom."

The industry is also angry about other restictions in the administration's policy. For example, any company that wants to export strong cryptography schemes would have to submit a detailed business and marketing plan to the government for approval, according to one Commerce Department draft in circulation.