Securing Global E-Commerce

HP Sees Export of High-Test Encryption as Key to Boosting International Sales

International demands are driving the market towards tougher data encryption products. The U.S. now allows the export of products, using 56-bit DES as a floor, without key recovery. In the turmoil of this rapidly evolving market HP is exporting VerSecure encryption technology.

Security has always been a pressing concern for those optimistic about Internet-based communications in general and e-commerce in particular. While domestically strong encryption can be easily obtained, security in foreign countries is another matter.

"Companies need to maintain the integrity of information," says Nanette DiTosto, vice president of CertCo (New York, N.Y.), a company providing HP with the certificate authority for its VerSecure product. "They need to know who really sent the data. If someone is buying $100 million of product from you, you're going to want to know whether that buyer is really authorized to do that."

Securing Cybermarkets

Fearing that sensitive information such as credit card numbers or proprietary business data can be intercepted and encryption codes cracked, users will be less likely to use the Internet, especially for e-commerce, effectively choking, or worse, killing the development of cybermarkets. But developing and exporting longer and stronger encryption algorithms to mitigate that problem creates other kinds of problems for U.S. federal law enforcement officials.

Namely, if such longer algorithms are freely exported, it will hamper their ability to detect and prevent criminal activity. HP's VerSecure includes a key recovery capability that permits the plain-text recovery of encrypted data or communications. Users can choose from limited to very strong encryption and select whether or not to activate the key recovery capability.

VerSecure also allows companies to have greater control over what their employees download from the Internet. "With VerSecure, a company can say 'I'm giving you a computer. You can only use it for company business. I want to know what's on it and that you're using it according to corporate rules,'" says DiTosto.

Export restrictions on encryption technology have eased substantially since December 1996, when the authority for licensing commercial encryption technology was transferred from the State Department's munitions list to the Commerce Department's dual-use technology list.

The decision to allow VerSecure's use in Japan (in May 1998) is yet another step toward liberalization, says Stewart Baker, a partner at the Washington, D.C. law firm Steptoe & Johnson who provides legal advice to HP about VerSecure. It suggests a new approach by the government to export controls. "Whenever you try to do something new, you start to run into resistance. In an area as charged as encryption, that resistance can be pretty stiff."

License To Trust

This most recent license gives HP users in Japan access to 128-bit and triple Data Encryption Standard (DES) encryption for a wide range of applications including electronic mail and electronic commerce. VerSecure will be installed and managed by a trusted Japanese company, referred to as a Security Domain Authority (SDA).

The SDA, responsible for making encryption policy that adheres to Japanese law, will distribute software tokens that activate encryption capabilities that support Japanese policy for Japanese companies. It also opens the door to smoother transactions with the large international banks based there.

"Allowing VerSecure to be deployed in Japan means that a bank that has trading partners in Japan can use the less expensive channel of the Internet to carry on their business with much higher levels of security," says Scott Smith, an industry analyst with Current Analysis, a competitive intelligence and analysis firm located in Sterling, Va.

Indeed, HP hopes to close out 1998 with export licenses for at least 20 countries. In addition to Japan, HP previously was granted approval to export VerSecure technology to the United Kingdom, Germany, France, Denmark and Australia. Ultimately, the availability of improved encryption technology will provide a secure ground for global e-commerce while encouraging more people around the world to transact e-business.

--Monica Fuertes is a technology writer for the Washington News Bureau.



Under the old system of export controls, U.S. software or hardware companies whose products included encryption capabilities would have to develop two separate products: one with high-test encryption for domestic users and another with 40-bit encryption for export. Now, these companies can develop a single product with strong encryption, potentially saving large sums of money on development and marketing.

According to Doug McGowan, HP's director of VerSecure, the federal government granted HP an export license for four reasons: VerSecure is hardware-based technology, which he says makes it much harder to hack; the technology is only being exported to a limited number of responsible Japanese companies that follow the laws of that country as end users; HP provides key recovery technology as a user option; and it requires a yearly certificate to validate the technology, which reminds users to remain in compliance with the laws of their country.

To use VerSecure, current applications need an API capable of accessing crypto, such as Crypto API from Microsoft or Intel's CDSA. Another benefit of VerSecure is that it simplifies product development and deployment. Now, producers don't have to manufacture and support two different versions of the same product, one for the U.S. and one for international distribution. "For companies, having to make two versions of their product is expensive -- very expensive. So this architecture is a solution to that plaguing problem," says DiTosto.