8 October 1997

Sun's Delivery Of Russian Crypto Is Delayed

Steptoe LLP

Contributor

In more than 100 years of practice, Steptoe has earned an international reputation for vigorous representation of clients before governmental agencies, successful advocacy in litigation and arbitration, and creative and practical advice in structuring business transactions. Steptoe has more than 500 lawyers and professional staff across the US, Europe and Asia.
As indicated in the attached article, the effort by Sun Microsystems to bypass U.S. export controls on encryption by distributing software developed by a Russian company has been delayed and may be in serious trouble.

As you will recall, Sun announced in mid-May that it plans to offer worldwide a software product that includes 128-bit and triple-DES encryption. The product was developed by a Moscow-based company, Elvis+, using a protocol published by Sun two years ago. Sun's plan was to import the product into the U.S. and to ship the product to customers worldwide through distributors located in third countries -- thereby avoiding any export from the U.S.

However, as we previously predicted, since its bold press release about this strategy, Sun has run into several export control problems.

At the time of the announcement, we noted that while this strategy is not patently illegal, it is not without risk. For example, it is possible that the U.S. government could take the position that the publishing of the protocol two years ago constituted "defense services" or an export of controlled "technical data". While it is doubtful that such a position could pass constitutional muster, it is part of the litigation risk for Sun. Additionally, we noted that Sun's strategy requires great discipline on the part of developers to avoid activities that clearly would be considered "technical assistance" under the EAR.

Last month we reported that the NSA asked Sun and Elvis+ to turn over the source code of the product (SunScreen SKIP E+). This delay in shipping the product may suggest that the government's informal investigation of this matter is continuing, and that Sun's export difficulties are not over.

Sun Crypto in Limbo

By John Fontana, CommunicationsWeek

Corporate users betting on 128-bit encryption technology from Sun Microsystems had better not hold their breath.

Earlier this year, Sun launched a frontal assault on the government's encryption export ban - in the form of a 128-bit encryption product that was supposed to ship this week - but since that time has been largely mum. Indeed, the product's status is unclear.

Observers were hoping that a top-tier technology company like Sun could help shatter the Clinton administration's ban on the export of products with strong encryption and open the door to more widespread electronic commerce.

"Strong encryption is key, but the first step is a strong public key infrastructure and public awareness. If Sun gets this product out there, they could have a big hand in this," said Jonathan Stern, a security services associate with a Big Six accounting firm.

The product, SunScreen SKIP E+, which Sun said would be available this week, never materialized. It is unclear if this can be attributed to another blown deadline by a software vendor, pressure the government may be putting on Sun - which holds several major government contracts - or other factors.

Many variables are still being discussed and worked on, though one Sun source declined to elaborate. After promising a formal statement on several occasions this week, Sun ultimately had no official comment on the product's status.

Humphrey Polanen, general manager of Sun's security and electronic commerce group, said nearly three months ago that Sun would provide its corporate customers with a product for global access to end-to-end 128-bit and triple DES encryption over the Internet despite the ban. Sun had found a way around the ban, Polanen said, while remaining in full compliance with the law.

An official for the U.S. Department of Commerce, which handles export regulations, confirmed this week that meetings have been held between William Reinsch, undersecretary for the bureau of export administration and the point man for Clinton's encryption policy, and Polanen.

The Sun source, however, admitted one issue in contention is product testing, which is still taking place at the few beta sites Sun has established. In May, Sun said work was still needed on a management model for the access lists that network and IS managers would need to create a global encryption infrastructure. At the time, Sun said announcements on the progress of that work would follow, but they were never made.

"There was a flurry of activity and discussion when the announcement was made," said Leo Pluswick, cryptography product consortium manager for the National Computer Security Agency in Carlisle, Pa. "No one is saying anything about it now. There was general consensus in the security community that Sun wasn't doing anything illegal."

The only way companies can export strong encryption is to provide a plan for key recovery to the government. Critics have blasted that policy as an invasion of privacy and said the ban prevents U.S. companies from competing in the marketplace, since foreign nations can export strong encryption products to this country.

The Commerce Department has given approval for the export of 56-bit encryption to more than 30 companies, many since the Sun announcement, but those companies must produce a key recovery plan in the next two years. If they comply, they will be given approval to export 128-bit encryption wares.

Sun refused to take the government's designated path with SKIP E+ and did not seek any approval or formulate a plan for key recovery.

"Since the Sun announcement, we have seen cracks in the U.S. policy," said John O'Leary, director of education at the Computer Security Institute in San Francisco. "The announcement may be more significant than the product. If Sun is being held in check, however, it shows the government is ready to challenge. But other developments show that the death of this policy is just a matter of time," he said.

Recently, Sybase and Pretty Good Privacy have gotten approval to export strong encryption products without a key recovery plan.

Sun seemed to be taking a leadership role in challenging the ban when it carefully orchestrated the announcement on SKIP E+ in May, after the completion of a two-year initiative to bring the product to market.

When SKIP E+ was unveiled, Sun said it used a federal law that allows for the import of strong encryption in licensing Secure Virtual Private Network for Windows 3.11 and 95 from Moscow, Russia-based ElvisPlus Co. Sun planned to distribute the product from Europe.

The encryption client software, based on Sun's Simple Key Management for IP (SKIP) encryption and key management technology, was supposed to ship with algorithms for 56-bit and 64-bit DES, 2 and 3 key triple DES, and 128-bit ciphers for both traffic and key encryption.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

For further information please contact L. Benjamin Ederington on Tel: + 202-429-6411, Fax: 202-429-3902 or E-mail: bedering@steptoe.com
