The U.S. Commerce Department has released revised regulations detailing White House policy on exporting strong encryption software technology to overseas countries. The new regulations essentially make 56-bit encryption more freely marketable to overseas businesses in all industry sectors but only after a one-time review of the exporting company's product by regulators.
Previously, the government kept a tighter rein on exporting encryption language that used coding parameters beyond 40 bits. But Sue Hofer, a spokeswoman for the Commerce Department, said the new rules now provide for exporting extended encryption key length technology beyond the 56-bit level for certain companies.
That means network products that use 128-bit encryption like CryptoWatch from ODS Networks Inc., Richardson, TX, are exportable to the Commerce Department's 45 approved countries. It also means some of the most unbreakable encryption key lengths could become more commonplace overseas, but only for the countries specified by the government. Seven nations identified as security risks — Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria — will remain barred from receiving any encryption software.
While the export of encryption technology to the politically sensitive nations hasn't been a sticking point, the requirement that companies include “key recovery features” in their programs for use by law enforcement officials has been. But under the revised rules, the Commerce Department said cryptographic technology — at least for qualifying companies such as healthcare, insurance and financial services providers — won't be legally required to provide or incorporate any kind of key recovery components. However, a close analysis of the report's language indicates that encryption products for industries other than those mentioned still will have to have some kind of key recovery mechanism.
Indeed, the report that was released Dec. 30, states, “a new class of 'recoverable' encryption products can now be exported.” But it also says, “the administration continues to encourage the development and sale of products which enable the recovery of the unscrambled data in an emergency situation.”
With the word “encourage” being the operative turn-of-phrase used in the report's language, it's likely that many developers' initial review by the Commerce Department could easily be turned into an initial denial if a given product doesn't fit into what the government is deeming to be the “new class of recoverable encryption.”
That's a key point developers and industry watchers will notice, said Steve Shall, product manager at ODS Networks. According to Shall, “the government has only relaxed the regulations somewhat.” But he also concedes, “everyone has to keep in mind that the key recovery issue was a difficult problem to solve. It's use made it difficult to claim you had a secure system. The market also had a problem with the FBI. Because, until recently, if they had required access to your system [for a particular violation] based on a court order, it opened all your files to the government.”
In addressing that problem, ODS Networks said its new software will protect privacy because its key recovery processes use expireable “session keys,” which only allow access to specific parts of data streams over time. In theory, this means a plaintiff hitting a user of CryptoWatch with a court order to divulge encrypted data would have to be very specific about what he wanted to access because of the number of potential session keys that the end user could have applied to the data.
Perhaps the long-term challenges of the entire debate will ultimately rest on how judiciously the Commerce Department conducts itself during its upcoming “initial reviews” of all the new encryption products would-be exporters are readying.
ODS received approval from the Commerce Department to export its 128-bit CryptoWatch product last month.