[ISN] Dial a Strength Crypto on a Chip

From: mea culpa (jerichot_private)
Date: Tue Oct 27 1998 - 16:33:41 PST

  • Next message: mea culpa: "[ISN] The Golden Age of Hacktivism"

    Forwarded From: phreak moi <hackerelitet_private>
    
    http://www.wired.com/news/news/technology/story/15848.html
    Dial-A-Strength Crypto on a Chip
    by Chris Jones
    4:00 a.m.  27.Oct.98.PST
    
    In a development that could break a longstanding deadlock between Silicon
    Valley and the Clinton administration, Hewlett-Packard and Wave Systems on
    Tuesday will announce a new hardware system. It's designed to administer
    encryption policies on PCs anywhere in the world. 
    
    "This is a significant announcement, because it is the first system that
    creates a trusted client," said Doug McGowan, head of HP's VerSecure
    division. 
    
    The Embassy (short for Embedded Application Security System) for
    e-commerce is built on a programmable chip that, when added to a
    computer's motherboard, can be adjusted to match prevailing encryption
    policies. The companies said it will allow users to encrypt sensitive data
    and communications to the maximum level that local regulations allow. 
    
    Embassy is designed to work with many of the existing cryptography schemes
    that are commonly used by programmers.  It will scramble data using
    varying strengths of encryption, including triple DES, which is stronger
    than the US Commerce Department's 56-bit limit on exported software. 
    
    Before the system can be used, it must be registered with a designated
    local authority. That authority then activates the cryptography
    application. 
    
    McGowan said the system is inexpensive and adheres to US export policy by
    allowing local authorities to control the level of encryption that can be
    used. 
    
    Currently, the Commerce Department restricts the export of cryptography
    products on the grounds that they can be used to conceal the
    communications between terrorists and hostile nations.  The software
    industry believes these rules create an unfair advantage for overseas
    crypto developers. 
    
    "[The Clinton Administration and Commerce Department are] interested in a
    stronger solution in hardware,"  McGowan said, since hardware can be
    controlled more effectively than software.  "But 90 percent of countries
    have no domestic-use policies." 
    
    An important provision in the Embassy system is that users will have to
    renew it annually with the local registry to ensure compliance with the
    latest encryption policies. 
    
    If a government requires key recovery, the system will then be registered
    so that law-enforcement officials will have access to scrambled data under
    certain circumstances. Current encryption policies in France require key
    recovery, for example. HP and other companies will establish registries in
    countries around the world. So far, Canada, the United Kingdom, Germany,
    France, Denmark, Japan, and Australia said they will allow the systems. 
    
    John Gilmore, co-founder of the Electronic Frontier Foundation, was
    sharply critical of the new system. Although he had not examined the
    specifications, he suggested there would be ways to circumvent it. 
    
    "When you contact the server to turn your crypto on, how does that server
    know what country you're in?" Gilmore asked. "If these systems do spread,
    bootleg certificates that turn them on would become popular." 
    
    The Commerce Department will not issue licenses for the technology until
    the actual implementations have been tested, McGowan said, but the concept
    behind the system has been reviewed and approved. 
    
    Wave Systems will provide chip manufacturers with the blueprints for the
    system, enabling them to embed the specialized chips in PC motherboards. 
    Since no design modifications are necessary, the companies said it would
    be easy for any PC manufacturer to incorporate the system. 
    
    Initially, Embassy will only work on Windows and Unix-based systems. NEC
    is the first manufacturer to announce that it will ship computers next
    year with the system included. 
    
    "This will be a key component of electronic commerce and extends the web
    of security for all existing applications," said Steven Sprague, president
    of Wave Systems. "For the first time, Microsoft applications with strong
    cryptography can be distributed on a worldwide basis." 
    
    Developers will build applications to take advantage of the Embassy system
    by using a set of programming interfaces, which will be licensed from HP.
    The revenues generated from the licensing fees will pay for the system,
    said McGowan, so that PC manufacturers and consumers would not absorb the
    costs. 
    
    E-commerce systems, financial-transaction software, email programs and
    pay-per-use applications are likely to adopt the technology first. 
    Existing applications could be retrofitted to work with the system, the
    companies said. 
    
    HP has received Commerce Department approval to export the VerSecure
    software in the past. The system allows local encryption policies to be
    enforced and updated as needed. 
    
    Gilmore said that HP has previously complied with federal policies and
    that Tuesday's announcement was no different, since it offers no guarantee
    of real privacy protection whatsoever. 
    
    "What other black boxes have they put in this chip? Keystroke monitoring? 
    Recording traffic across the bus?" asked Gilmore. "If they're giving you a
    black box, who's to say what other capabilities are actually in that
    chip?" 
    
    
    
    
    -o-
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:09:07 PDT