
For full versions of the stories below: http://jya.com/kinkey.txt
----------
For two years, the IETF Security Group has labored to hammer out the IP Security (IPSec) protocol, a standard way that businesses can open up an encrypted link to a trading partner's network. The link is encrypted after authentication by means of an X.509 digital certificate at an IPSec-based firewall or gateway. But an unresolved, bitter dispute over the technique for automatically swapping keys over the 'Net - referred to as key management - has resulted in two incompatible schemes in the IPSec specification. In this battle of the acronyms, the debate centers on the Simple Key Management for IP (SKIP), developed by Sun Microsystems, Inc., and the Internet Secure Association Key Management Protocol (ISAKMP), developed by the National Security Agency.
----------
Responding to Sun's announcement that it would license 128-bit encryption algorithms from Elvis+Co., a Russian company, the White House announced that it would look into Sun's actions. "Sun's strategy is another brick from a wall that is coming down," said Jim Bidzos, president and CEO of RSA Data Security. "And it highlights that something is wrong with the U.S. policy." Sun has approximately a 10 percent equity stake in Elvis+, whose product is based on Sun's publicly available protocol, Simple Key Management for IP (SKIP). The 10 percent interest is thought to be key to keeping other companies from licensing and reselling the same technology. The government's resolve, however, may be breaking down. Just last week, Sybase Inc. won approval to export database and server products with 56-bit DES encryption, even though the Emeryville, Calif., company has no model for key recovery.
----------
SKIP, which stands for Simple Key management for Internet Protocols, was submitted by Sun to the Internet Engineering Task Force as an Internet standard. Included in SKIP E+ are algorithms for 56-bit DES, two- and three-key triple DES, and 64- and 128-bit ciphers for encrypting network traffic and keys. The security software was developed by Elvis+, a company of former Soviet space scientists with offices near Moscow. Sun bought a 10 percent interest in the company in 1993, but does not take an active role, said Steven Hunziker, chief operating officer of Russia Communications Research Inc., Los Gatos, Calif. RCR represents Elvis+'s products in the U.S. "RCR is really small - me and an accountant and two lawyers - and they watch the law like hawks," Hunziker said. "Elvis+ has kept a very careful distance from Sun, and those guys don't need anything from Sun to create the technology they're creating. The FBI and the CIA are just lazy, which is why they object." "We've developed key recovery technology and gotten government approval, so we can export without having to resort to what they did," said Ken Mendelson, corporate counsel for Trusted Information Systems Inc., Glenwood, Md.
----------
VeriFone today announced that its Secure Electronic Transaction (SET)-based product suite has received export approval from the US Department of Commerce, marking the first announcement of a SET-based, end-to-end Internet commerce solution containing full strength encryption technology to be approved for international export. VeriFone's vGATE, vPOS and vWALLET software employ the SET encryption protocol for transactions over the Internet, utilizing 1024 bit key size for public key encryption and digital signatures, and 64 bit DES for bulk encryption. This approval enables VeriFone to offer a higher level of end-to-end encryption than was previously available from U.S. corporations to international customers without special permission from the U.S. government.
----------
IBM last week took the first steps to help software vendors comply with federal encryption export rules, with the release into beta of a new security tool kit.
----------

In article <1.5.4.32.19970529230949.00937498@pop.pipeline.com>, John Young <jya@pipeline.com> wrote:
> For two years, the IETF Security Group has labored to hammer out the IP Security (IPSec) protocol, a standard way that businesses can open up an encrypted link to a trading partner's network. [...]
> But an unresolved, bitter dispute over the technique for automatically swapping keys over the 'Net - referred to as key management - has resulted in two incompatible schemes in the IPSec specification.
> In this battle of the acronyms, the debate centers on the Simple Key Management for IP (SKIP), developed by Sun Microsystems, Inc., and the Internet Secure Association Key Management Protocol (ISAKMP), developed by the National Security Agency.
Heh. This article is way behind the times. (Either that, or the reporter has been listening too closely to Sun marketing hype.) ISAKMP/Oakley has been endorsed as the mandatory-to-support key management standard for ipsec. Proposals to make SKIP mandatory were explicitly rejected. The bitter debate is over, and ISAKMP/Oakley won.
> The link is encrypted after authentication by means of an X.509 digital certificate at an IPSec-based firewall or gateway.
Hoo boy is this reporter clueless! Don't you believe it for even an instant.
Participants (2): daw@cs.berkeley.edu, John Young