[ISN] Crypto holes slow export adoption

From: mea culpa (jerichoat_private)
Date: Mon Jun 01 1998 - 12:04:33 PDT

    Forwarded From: Kjell Wooding <kwoodingat_private>
    Crypto holes slow export adoption
    Arbitrary rulings confuse ISVs, users
    By Jim Kerstetter, PC Week Online

    Confusion over the exportability of software that allows strong encryption
    to be added by third-party vendors has corporations with international
    ties slowing their adoption of encryption technology.

    Call it the "crypto with a hole" conundrum. The phrase refers to hardware
    or software that lacks encryption at the time of export but features a
    "hole" that can be easily loaded with encryption components at a later
    date. Today, according to U.S. encryption export laws, such software is

    However, large vendors such as Microsoft Corp., which was allowed to
    export its CAPI (CryptoAPI), are finding ways of getting around such laws.

    The Redmond, Wash., company offers CAPI in a service provider model into
    which Microsoft or any third-party developer can plug encryption, said
    Karan Khanna, security product manager at Microsoft. In order for a CSP
    (cryptographic service provider) to work with CAPI and be recognized by
    the operating system, the CSP must be digitally signed by Microsoft. The
    operating system validates the signature periodically to ensure that the
    CSP's work has not been tampered with.

    Without such a signature requirement, there is no way for Microsoft to
    guarantee a CSP is staying within export guidelines. Because unrestricted
    access to CAPI would make Windows ineligible for export, the signature
    requirement limits CAPI access to vendors that agree to implement in
    conformity to U.S. law.

    However, export experts say, no matter how it's sliced, CAPI is still
    "crypto with a hole." Such exceptions to the export rule are baffling to

    "It's hard to make recommendations when you don't know what the bar is,"
    said Lauren Hall, chief technologist at the Software Publishers
    Association, in Washington.

    Microsoft got the go-ahead from the federal government to export CAPI after
    spending months negotiating with the U.S. Department of Commerce and the
    National Security Agency.

    Nevertheless, many point to CAPI export as yet another example of the
    arbitrary nature of U.S. encryption export laws.

    "There has not been a consistent policy coming out of [the Commerce
    Department] on what can and cannot be exported, and that has caused a great
    deal of consternation in the industry," said Hall. For users, it further
    muddles the purchasing of security products and pushes them toward bigger

    "We can work with the government, but it's aggravating to have to worry
    about getting in hot water with the NSA," said Tom Arnone, an IT manager at
    an international financial corporation. "So ... we're in no rush."

    The National Center for Supercomputing Applications was advised about two
    years ago that "crypto with a hole" or any sort of crypto hooks was illegal
    to export. The Apache Group, acting on this information, removed all of its
    cryptography hooks so it could get its Web server exported. Other companies
    did the same.

    "If you have enough money and if you are patient enough, you can get just
    about anything exported," said Bruce Schneier, president of Counterpane
    Systems Inc., in Minneapolis.

    Understanding 'crypto with a hole'

    What it is: Software equipped with a set of APIs through which a
    third-party software developer can plug its particular encryption

    Benefits to corporations: Flexibility to add encryption technology
    of their choice

    Legality: The National Security Agency expressly forbids
    the "crypto with a hole" concept, but large software vendors are still
    finding ways to export such software