From: John Young <jya@pipeline.com>
Date: Fri, 30 May 1997 07:35:49 +0800
To: cypherpunks@toad.com
Subject: Crypto Disputes
Message-ID: <1.5.4.32.19970529230949.00937498@pop.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain


For full versions of the stories below:

   http://jya.com/kinkey.txt

----------

     For two years, the IETF Security Group has labored to
     hammer out the IP Security (IPSec) protocol, a standard way
     that businesses can open up an encrypted link to a trading
     partner's network. The link is encrypted after authentication
     by means of an X.509 digital certificate at an IPSec-based
     firewall or gateway. 

     But an unresolved, bitter dispute over the technique for
     automatically swapping keys over the 'Net - referred to as
     key management - has resulted in two incompatible schemes
     in the IPSec specification.

     In this battle of the acronyms, the debate centers on the
     Simple Key Management for IP (SKIP), developed by Sun
     Microsystems, Inc., and the Internet Secure Association Key
     Management Protocol (ISAKMP), developed by the National
     Security Agency. 

----------

     Responding to Sun's announcement that it would license
     128-bit encryption algorithms from Elvis+Co., a Russian
     company, the White House announced that it would look into 
     Sun's actions. 

     "Sun's strategy is another brick from a wall that is coming
     down," said Jim Bidzos, president and CEO of RSA Data
     Security. "And it highlights that something is wrong with the 
     U.S. policy." 

     Sun has approximately a 10 percent equity stake in Elvis+,
     whose product is based on Sun's publicly available protocol,
     Simple Key Management for IP (SKIP). The 10 percent
     interest is thought to be key to keeping other companies from
     licensing and reselling the same technology. 

     The government's resolve, however, may be breaking down.
     Just last week, Sybase Inc. won approval to export database
     and server products with 56-bit DES encryption, even though
     the Emeryville, Calif., company has no model for key
     recovery. 

----------

     SKIP, which stands for Simple Key management for Internet
     Protocols, was submitted by Sun to the Internet Engineering
     Task Force as an Internet standard. Included in SKIP E+ are
     algorithms for 56-bit DES, two- and three-key triple DES,
     and 64- and 128-bit ciphers for encrypting network traffic
     and keys. 

     The security software was developed by Elvis+, a company
     of former Soviet space scientists with offices near Moscow.
     Sun bought a 10 percent interest in the company in 1993, but
     does not take an active role, said Steven Hunziker, chief
     operating officer of Russia Communications Research Inc.,
     Los Gatos, Calif. RCR represents Elvis+'s products in the
     U.S. 

     "RCR is really small - me and an accountant and two
     lawyers - and they watch the law like hawks," Hunziker said.
     "Elvis+ has kept a very careful distance from Sun, and those
     guys don't need anything from Sun to create the technology
     they're creating. The FBI and the CIA are just lazy, which is
     why they object." 

     "We've developed key recovery technology and gotten
     government approval, so we can export without having to
     resort to what they did," said Ken Mendelson, corporate
     counsel for Trusted Information Systems Inc., Glenwood,
     Md. 

----------

     VeriFone today announced that its Secure Electronic Transaction 
     (SET) -based product suite has received export approval from the 
     US Department of Commerce, marking the first announcement
     of a SET-based, end-to-end Internet commerce solution
     containing full strength encryption technology to be approved
     for international export. 

     VeriFone's vGATE, vPOS and vWALLET software employ
     the SET encryption protocol for transactions over the
     Internet, utilizing 1024 bit key size for public key encryption
     and digital signatures, and 64 bit DES for bulk encryption.
     This approval enables VeriFone to offer a higher level of
     end-to-end encryption than was previously available from
     U.S. corporations to international customers without special
     permission from the U.S. government. 

----------

     IBM last week took the first steps to help software vendors 
     comply with federal encryption export rules, with the 
     release into beta of a new security tool kit. 

----------