Hewlett-Packard Co has at last got government approval to export the cryptography part of its Praesidium security product line, which it used to call International Cryptography Framework (ICF) but now goes under the name of VerSecure. The US government has given HP a license to export the VerSecure technology to the UK, Germany, France, Denmark and Australia for now. HP can export encryption technology using keys up to 128 bits long and use triple-DES encryption, with or without the use of key recovery – the practice of storing the key with a trusted third party in case it needs to be recovered by law enforcement agencies for deciphering purposes later. For use within the US only, VerSecure offers encryption with keys up to 1,024-bits long. HP also announced a partnership with IBM Corp whereby the two companies will incorporate parts of IBM’s Secure Way hardware and key recovery software. They are also going to work on integrating some of IBM’s KeyWorks in the VerSecure cryptography hardware. However, there were no further product details or a timetable available from either company. VerSecure hasn’t changed technically from the ICF product that HP had ready to go in November 1996, but HP thought the winning of the export license was sufficiently important to drag chief executive Lew Platt over to Washington DC Friday to lead the charge. The HP cryptography is hardwired onto a chip, which is on a board that can be plugged into personal computers. HP feels this is the best way to ensure the crytography is secure but it also says it is flexible enough to adapt to changes in government encryption policies. HP includes the key recovery option because some countries require its use in order to permit the technology to be imported. The US currently imposes no restrictions on the power of encryption for domestic use, but prohibits the export of encryption using keys greater than 56-bits long without a special license. HP anticipates other countries accepting the technology in the coming months. It is unlikely that users will take advantage of the key recovery technology unless it is not required in their respective countries, as is the case in France. The cryptographic algorithms are issued by recognized government- approved Security Domain Authorities (SDA) and are valid for just one year, to guard against obsolescence, says HP. The VerSecure technology provides a mechanism for the SDAs to update the algorithms. HP also sells a servers for SDAs, which it announced recently. Government approval was given to HP on December 24, after two years of consultations. The company was granted export approval for encryption using 64-bit keys to the UK and France back in November 1996. Other items in the Praesidium product line includes Authorization Server, ImagineCard smart cards, VirtualVault and electronic payment systems.
