Forwarded From: phreak moi <hackerelitet_private>

http://www.wired.com/news/news/technology/story/15848.html

Dial-A-Strength Crypto on a Chip
by Chris Jones
4:00 a.m. 27.Oct.98.PST

In a development that could break a longstanding deadlock between Silicon Valley and the Clinton administration, Hewlett-Packard and Wave Systems on Tuesday will announce a new hardware system. It's designed to administer encryption policies on PCs anywhere in the world.

"This is a significant announcement, because it is the first system that creates a trusted client," said Doug McGowan, head of HP's VerSecure division.

The Embassy (short for Embedded Application Security System) for e-commerce is built on a programmable chip that, when added to a computer's motherboard, can be adjusted to match prevailing encryption policies. The companies said it will allow users to encrypt sensitive data and communications to the maximum level that local regulations allow.

Embassy is designed to work with many of the existing cryptography schemes that are commonly used by programmers. It will scramble data using varying strengths of encryption, including triple DES, which is stronger than the US Commerce Department's 56-bit limit on exported software.

Before the system can be used, it must be registered with a designated local authority. That authority then activates the cryptography application.

McGowan said the system is inexpensive and adheres to US export policy by allowing local authorities to control the level of encryption that can be used.

Currently, the Commerce Department restricts the export of cryptography products on the grounds that they can be used to conceal the communications between terrorists and hostile nations. The software industry believes these rules create an unfair advantage for overseas crypto developers.

"[The Clinton Administration and Commerce Department are] interested in a stronger solution in hardware," McGowan said, since hardware can be controlled more effectively than software. "But 90 percent of countries have no domestic-use policies."

An important provision in the Embassy system is that users will have to renew it annually with the local registry to ensure compliance with the latest encryption policies. If a government requires key recovery, the system will then be registered so that law-enforcement officials will have access to scrambled data under certain circumstances. Current encryption policies in France require key recovery, for example.

HP and other companies will establish registries in countries around the world. So far, Canada, the United Kingdom, Germany, France, Denmark, Japan, and Australia said they will allow the systems.

John Gilmore, co-founder of the Electronic Frontier Foundation, was sharply critical of the new system. Although he had not examined the specifications, he suggested there would be ways to circumvent it.

"When you contact the server to turn your crypto on, how does that server know what country you're in?" Gilmore asked. "If these systems do spread, bootleg certificates that turn them on would become popular."

The Commerce Department will not issue licenses for the technology until the actual implementations have been tested, McGowan said, but the concept behind the system has been reviewed and approved.

Wave Systems will provide chip manufacturers with the blueprints for the system, enabling them to embed the specialized chips in PC motherboards. Since no design modifications are necessary, the companies said it would be easy for any PC manufacturer to incorporate the system.

Initially, Embassy will only work on Windows and Unix-based systems. NEC is the first manufacturer to announce that it will ship computers next year with the system included.

"This will be a key component of electronic commerce and extends the web of security for all existing applications," said Steven Sprague, president of Wave Systems. "For the first time, Microsoft applications with strong cryptography can be distributed on a worldwide basis."

Developers will build applications to take advantage of the Embassy system by using a set of programming interfaces, which will be licensed from HP. The revenues generated from the licensing fees will pay for the system, said McGowan, so that PC manufacturers and consumers would not absorb the costs.

E-commerce systems, financial-transaction software, email programs and pay-per-use applications are likely to adopt the technology first. Existing applications could be retrofitted to work with the system, the companies said.

HP has received Commerce Department approval to export the VerSecure software in the past. The system allows local encryption policies to be enforced and updated as needed.

Gilmore said that HP has previously complied with federal policies and that Tuesday's announcement was no different, since it offers no guarantee of real privacy protection whatsoever.

"What other black boxes have they put in this chip? Keystroke monitoring? Recording traffic across the bus?" asked Gilmore. "If they're giving you a black box, who's to say what other capabilities are actually in that chip?"

-o-
Subscribe: mail majordomot_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]