Crypto export approved

Trusted Information Systems became the first company to benefit from the Clinton administration's new encryption policy when the government granted it export licenses for stronger encryption products than could previously have been sent out of the United States.

The government granted a license to let TIS export its Gauntlet Internet Firewall and Cryptographic Service Provider products with up to 112-bit encryption protection. Until now, the strongest encryption product legally exported for international sales was only 64 bits in length, a significantly weaker encryption that is easier for hackers to break.

The catch--as it is for all encryption vendors under the new policy--is that the product's encryption codes must be stored with a government-approved third party so that law enforcement officials with a warrant can read any messages sent using the software.

TIS is ahead of the game, however, because its products already use a "key recovery" system that complies with this requirement. The company stores its decryption keys with a government-approved data center in Oakland, California, that also stores medical records and software source code.

"We've gotten approval based on the fact that we already have key recovery," said TIS president and CEO Stephen Walker.

Many industry players have strongly objected to the new key recovery requirement, arguing that it will limit the commercial viability of their software. The government is still negotiating several of the rules that apply to the new key-recovery policy. The computer industry, led by the Washington lobbying group the Business Software Alliance, has accused the administration of reneging on general guidelines outlined in October.

But because TIS has willingly built key recovery into its products, the company doesn't expect to be affected by any last-minute changes in the rules. The deadline for the implementation of the new encryption policy is January 1.

Other companies who want to export stronger encryption will have to file detailed business and development plans with the government for how they plan to implement key recovery. In return, they'll be granted permission to export encryption up to 56 bits in length, a kind of encryption referred to as DES.

Not surprisingly, TIS is generally supportive of the government's new policy. "They're asking for a good-faith notion that you'll move toward key recovery in exchange for short-term use of DES," said Walker.