[572] in Best-of-Security


BoS: getting around us crypto rules

daemon@ATHENA.MIT.EDU (James Ray)
Thu Feb 19 03:00:43 1998

XDelivering-To: best-of-security@cyber.com.au
Delivering-To: best-of-security@cyber.com.au
Date: Fri, 23 Jan 1998 11:04:04 +1100 (EST)
From: James Ray <jbray@telstra.com.au>
Reply-To: James Ray <jbray@cyber.com.au>
Old-X-Originally-To: To: Cybersource News Clips <clips@cyber.com.au>
Old-X-Originated-From: From: James Ray <jbray@telstra.com.au>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au


http://apcmag.com:8008/apcweb/news.nsf/c1c1057939c26a87ca2564b90004cdec/e2cf008aa9f14e8d4a25658e000c4478?OpenDocument


16/01/98
Australian crypto challenges export laws

Josh Gliddon

Encryption laws are very odd things. The Americans will tell you it's quite OK
to export strong encryption, but you need to be a bank or some other financial
institution to take advantage of it.

You can also get encryption packages from places like Israel or the former
USSR, but their interoperability can be somewhat questionable.

Australia sits in a limbo somewhere in between, with the DSD (Defence Signals
Directorate) getting upset if you try to export or sell strong encryption.
Putting the code on an FTP server in an Australian domain is another matter
altogether, however, one which the government seems to turn a blind eye to.

It's exactly this tack that Eric Young and Tim Hudson, developers of a free
implementation of Netscape's SSL, known as SSLeay, have taken. It's also the
route that the principal commercial vendor of SSLeay products, C2Net in the
United States, has taken to circumvent that country's cryptographic laws.

SSLeay started out as a hobby more than anything else, Young told apcmag.com
today, and snowballed from there. "We thought that it would be of benefit to
the [Internet] community if it was freely available, so we posted it to a Web
site and things developed from there."

SSLeay offers 128-bit encryption, a significant improvement over the 40-bit
keys allowed under US export laws (and Australian acquiescence).

Young and Hudson tried to sell SSLeay in Australia, but ran into obvious legal
difficulties, which is where ex-ISP and now crypto-server company C2Net came
into the picture. C2Net, headed by 22-year-old Sameer Parekh, came across the
Hudson/Young technology and offered to commercialise it, as can anyone else
under the terms of the royalty-free licence offered by Hudson and Young.

As you've probably worked out by now, C2Net is based in the US, which poses
some interesting problems if you want to sell strong encryption. To get around
this, Parekh put Hudson and Young on the payroll to do the company's crypto
development work, and then based a transaction server in Antigua, thereby
neatly circumventing the US laws.

Developing outside the US and Europe serves another purpose, too.  The RSA
(Rivest-Shamir-Adleman) algorithm and IDEA (International Data Encryption
Algorithm) are patented and copyrighted in those regions, so to incorporate
them into the C2Net product means the payment of a licensing fee and the
prospect of ongoing royalties.  But guess what? Those laws don't apply in
Australia . . .

C2Net has scored some wins with its SafePassage Web Proxy and Stronghold
Crypto Engine (both incorporating SSLeay), with the CommerzBank in Germany and
the ANZ Bank in Australia signing on to use the products. Another win was with
the Victorian government through its online government access program, maxi.

This program, developed by maxi multimedia and NEC, offers citizens access to
around 30 government-related transactions, including car registration and bill
payment. Under this scheme, citizens can download a 128-bit client with which
to conduct transactions with the government. Where does this leave Australia's
crypto laws? Maxi multimedia and C2Net are taking a wait-and-see approach, but
the very fact that products like this and PGP are available, under a de facto
government imprimatur, suggests that it won't be long before strong crypto
becomes widely available.

--------------------------------------

(c) 1997 Australian Consolidated Press. All rights reserved.

-------------------------------------------------------------------------
J.B.Ray, <jbray@telstra.com.au>  BH: (03) 9632-3454  Fax: (03) 9670-6737
  System Administrator - Corporate Electronic Directory, Telstra Corp.

