
Network World, August 26, 1996, Page 1

Key-escrow firewall ready to leave the country

by Ellen Messner, Washington D.C.

After months of talk about exporting encryption software, there will finally be action. Fulfilling the Clinton Administration's vow to end export restrictions on strong encryption products if they use key-escrow features, the U.S. government this week is expected to permit Trusted Information Systems, Inc. (TIS) to sell its Data Encryption Standard (DES)-equipped Gauntlet firewall overseas. Such exports will allow U.S.-based companies to standardize on an encrypting firewall for all global operations.

The Department of Commerce is granting mass-market export status to a specific version of the Gauntlet firewall based on a key-escrow scheme that gives U.S. law enforcement access to a master key for decrypting IP datastreams. The master key for each firewall will reside at Oakland, Calif.-based Source Files, Inc., the third-party private key holder chosen under the government's groundbreaking plan.

Vice President Al Gore has supported the Defense Department's view that unbreakable encryption should be controlled because it is a powerful weapon and subject to misuse by criminals and terrorists. However, Gore recently said the government will allow mass export of 64-bit encryption products if they use key escrow. The agreement with TIS is the first evidence that the policy is being put into practice.

Until now, few companies other than banks could get the State Department and National Security Agency (NSA) to let them export 56-bit and higher DES products. Only 40-bit products, easily broken with available computer resources, were allowed for mass-market export.

"We're on the verge of a major shift," said TIS president Steve Walker last week. TIS expects to unveil a raft of other vendors in the network industry that will license the TIS data recovery method for accessing data encrypted with a session key.

The government is also considering approving other third-party keyholders in addition to Source File, which has traditionally held source code in escrow on behalf of companies worried about the long-term viability of their suppliers.

Just say no

Not all are key-escrow converts, however. In fact, it is painfully clear that corporations will continue to balk at the prospect of their encryption keys being held by a third party or the government.

Netherlands-based Royal Dutch Petroleum Co., with hundreds of subsidiaries and offices all over the world, is looking to ditch dedicated private lines and send encrypted IP traffic over the Internet instead. The State Department's mass-market license for the Gauntlet means TIS can compete to provide Royal Dutch Petroleum with its encrypting firewall. But Homayoon Tajalli, TIS vice president, acknowledged that the Dutch oil conglomerate is unwilling to hand its encryption keys over to Source File.

Hence, as part of negotiations with the U.S. and Dutch governments, Royal Dutch Petroleum agreed to operate its own data recovery center for the Gauntlet master keys. Royal Dutch Petroleum would hand over the master encryption keys to Dutch law enforcement, which in turn would give the keys to U.S. authorities "if the government shows up with a valid warrant," Tajalli said.

TIS went to great lengths to broker the international arrangement, and hopes that not every firewall export will entail such laborious negotiations.

Some firewall users are extremely ambivalent about the government's key-escrow plan. "I'm not sure I want the government to have that ability," said Doug Miller, information systems manager at Bluestone Corp. "At all cost, we've got to keep the government out of business operations."
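The mechanism the article describes, a per-firewall master key whose holder can recover the session key protecting each IP datastream, and the arrangement in which that holder is Source File or the company's own data recovery center, both come down to the same cryptographic property. The following is an added illustration written for this page; it is not TIS's code and not the actual Gauntlet data recovery method, whose details the article does not give. It models a generic key-escrow design: each datagram is encrypted under a fresh session key, and a copy of that session key, wrapped under the master key, rides along as a "data recovery field". All names (firewall_encrypt, escrow_recover, the field layout) are assumptions, and the cipher is an HMAC-SHA256 keystream standing in for DES so the example needs only the standard library.

```python
"""Toy key-escrow ("data recovery") model for an encrypting firewall.

Constructed illustration, not TIS's Gauntlet implementation. Whoever holds
the master key, escrow agent or corporate recovery center, can unwrap the
session key from any datagram and read the stream without either endpoint's
cooperation; that single fact is what the corporations in the article balk at.
"""
import hashlib
import hmac
import os

KEY_LEN = 32    # hypothetical key sizes for this toy, not DES parameters
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher encrypt/decrypt (same operation both ways)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def new_master_key() -> bytes:
    return os.urandom(KEY_LEN)


def wrap_session_key(master_key: bytes, session_key: bytes) -> bytes:
    """Build the data recovery field: session key encrypted under the master
    key, plus an integrity tag so a wrong master key is rejected, not decoded
    into garbage."""
    nonce = os.urandom(NONCE_LEN)
    enc = _xor(master_key, nonce, session_key)
    tag = hmac.new(master_key, b"drf" + nonce + enc, hashlib.sha256).digest()
    return nonce + enc + tag


def unwrap_session_key(master_key: bytes, drf: bytes) -> bytes:
    """Escrow-side recovery of the session key; raises on a key mismatch."""
    nonce, enc, tag = drf[:NONCE_LEN], drf[NONCE_LEN:-TAG_LEN], drf[-TAG_LEN:]
    expect = hmac.new(master_key, b"drf" + nonce + enc, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("data recovery field does not verify under this master key")
    return _xor(master_key, nonce, enc)


def firewall_encrypt(master_key: bytes, payload: bytes):
    """Sending firewall: fresh session key per datagram, ciphertext, and DRF.
    The session key itself would reach the peer firewall through its own key
    exchange (out of scope here); it is returned so the peer side can be shown."""
    session_key = os.urandom(KEY_LEN)
    nonce = os.urandom(NONCE_LEN)
    record = {
        "nonce": nonce,
        "ciphertext": _xor(session_key, nonce, payload),
        "drf": wrap_session_key(master_key, session_key),
    }
    return session_key, record


def peer_decrypt(session_key: bytes, record: dict) -> bytes:
    """Receiving firewall: knows the session key, ignores the DRF."""
    return _xor(session_key, record["nonce"], record["ciphertext"])


def escrow_recover(master_key: bytes, record: dict) -> bytes:
    """Master-key holder: recovers the session key from the DRF, then reads
    the datagram exactly as the peer would."""
    return peer_decrypt(unwrap_session_key(master_key, record["drf"]), record)


def demo(payload: bytes = b"GET /payroll HTTP/1.0") -> dict:
    """Round trip through both readers plus a wrong-master-key check."""
    master_key = new_master_key()
    session_key, record = firewall_encrypt(master_key, payload)
    results = {
        "peer": peer_decrypt(session_key, record),
        "escrow": escrow_recover(master_key, record),
    }
    try:
        escrow_recover(new_master_key(), record)  # another party's master key
        results["wrong_key_rejected"] = False
    except ValueError:
        results["wrong_key_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Note that nothing in escrow_recover depends on which organisation runs it: handing the master key to Source File, to a corporate data recovery center, or onward to a law enforcement agency transfers the whole capability, and every datagram ever sent under that master key is recoverable from its data recovery field alone. Rotating master keys and logging every unwrap at the recovery center are the obvious controls a company operating its own center would want.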