Forwarded From: Kjell Wooding <kwoodingat_private> http://www.zdnet.com/pcweek/news/0601/01crypto.html Crypto holes slow export adoption Arbitrary rulings confuse ISVs, users By Jim Kerstetter, PC Week Online 06.01.98 Confusion over the exportability of software that allows strong encryption to be added by third-party vendors has corporations with international ties slowing their adoption of encryption technology. Call it the "crypto with a hole" conundrum. The phrase refers to hardware or software that lacks encryption at the time of export but features a "hole" that can be easily loaded with encryption components at a later date. Today, according to U.S. encryption export laws, such software is illegal. However, large vendors such as Microsoft Corp., which was allowed to export its CAPI (CryptoAPI), are finding ways of getting around such laws. The Redmond, Wash., company offers CAPI in a service provider model into which Microsoft or any third-party developer can plug encryption, said Karan Khanna, security product manager at Microsoft. In order for a CSP (cryptographic service provider) to work with CAPI and be recognized by the operating system, the CSP must be digitally signed by Microsoft. The operating system validates the signature periodically to ensure that the CSP's work has not been tampered with. Without such a signature requirement, there is no way for Microsoft to guarantee a CSP is staying within export guidelines. Because unrestricted access to CAPI would make Windows ineligible for export, the signature requirement limits CAPI access to vendors that agree to implement in conformity to U.S. law. However, export experts say, no matter how it's sliced, CAPI is still "crypto with a hole." Such exceptions to the export rule are baffling to developers. "It's hard to make recommendations when you don't know what the bar is," said Lauren Hall, chief technologist at the Software Publishers Association, in Washington. Microsoft got the go-ahead from the federal government to export CAPI after spending months negotiating with the U.S. Department of Commerce and the National Security Agency. Nevertheless, many point to CAPI export as yet another example of the arbitrary nature of U.S. encryption export laws. "There has not been a consistent policy coming out of [the Commerce Department] on what can and cannot be exported, and that has caused a great deal of consternation in the industry," said Hall. For users, it further muddles the purchasing of security products and pushes them toward bigger vendors. "We can work with the government, but it's aggravating to have to worry about getting in hot water with the NSA," said Tom Arnone, an IT manager at an international financial corporation. "So ... we're in no rush." The National Center for Supercomputing Applications was advised about two years ago that "crypto with a hole" or any sort of crypto hooks was illegal to export. The Apache Group, acting on this information, removed all of its cryptography hooks so it could get its Web server exported. Other companies did the same. "If you have enough money and if you are patient enough, you can get just about anything exported," said Bruce Schneier, president of Counterpane Systems Inc., in Minneapolis. [SIDEBAR:] Understanding 'crypto with a hole' What it is: Software equipped with a set of APIs through which a third-party software developer can plug its particular encryption technology Benefits to corporations: Flexibility to add encryption technology of their choice Legality: The National Security Agency expressly forbids the "crypto with a hole" concept, but large software vendors are still finding ways to export such software -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:55 PDT