HP secures crypto export

At a press conference held at the National Press Club in Washington, HP officials said the company has been given U.S. government permission to export its VerSecure encryption services package. With VerSecure, HP can export software using the 128-bit Triple DES (Data Encryption Standard), which is thought to be unbreakable.

HP, of Palo Alto, Calif., received approval to export to the United Kingdom, Germany, France, Denmark and Australia.

Gaining export approval is no easy task, requiring a long evaluation process with the U.S. Department of Commerce. At the moment, only products using encryption keys that are 40 bits or less are allowed to be exported without restrictions. Key lengths of 56 bits can also be exported, provided that the company promises to build a key-recovery mechanism into its products. Unfortunately, both key lengths can be broken by hackers-the former in a matter of minutes and the latter through a processor-intensive and time-consuming attack.

Encryption used in authentication mechanisms such as digital certificates and in financial transactions is also customarily exempt from restrictions.

HP Chairman, President and CEO Lewis Platt said the export approval for VerSecure, formerly called the International Cryptography Framework, means that "the creation of a secure global infrastructure has taken a huge step forward." Because of its compatibility with security products from a number of major vendors, its impact will be significant, Platt added.

VerSecure works with products from IBM, Microsoft Corp. and RSA Data Security Inc. In the past year, Netscape Communications Corp. and Security Dynamics Technologies Inc. have been among a handful of well-known vendors to gain limited export approval for strong encryption.

The hardware-based VerSecure encryption technology allows users to choose from different levels of encryption, depending on their needs. Using VerSecure, a company can also establish a key-recovery mechanism that creates a back door to encrypted documents. Law enforcement agencies have insisted they need that back door to get access to encrypted documents.

In connection with the export announcement, HP and IBM said they intend to collaborate on future development of VerSecure and IBM's KeyWorks cryptography management technology. The companies said they plan to include elements of both in their future applications.