The Digital Forest

The Scoop on Security


by Forest Linton

Securing the Net is considered by many to be the only thing standing in the way of unbridled electronic commerce. New developments in encryption and authentication technologies are hitting the market almost daily, but there is a lot of uncertainty surrounding US-based encryption technology and the ability to export it to other countries. Cryptography tools and software are classified by the US Department of State as "munitions" and are typically barred from export.

There is a provision that allows for the export of weaker-than-standard encryption, but that forces companies to develop alternative versions of their products -- an expensive proposition.

For example, Netscape utilizes 128-bit key lengths in the domestic version of its Navigator client software, but only 40-bit key lengths in versions for all other countries. Technically, downloading (or allowing the download) of the 128-bit key version outside of the US is a punishable offense.

But the US Government is not consistent in its interpretation of the export laws. Some companies have been able to successfully export "strong" encryption (greater than the aforementioned 512/40 specification) after a lengthy approval and inspection process by the State Department. Select Japanese corporations like NTT, BUG, and Mitsubishi have thus negotiated to license RSA encryption for use in Japan. And Cybercash, an electronic commerce enabler, has received permission to distribute its 768-bit encrypted client worldwide -- but other client and server software companies have been unable to do so. It all adds up to confusion for end users, companies, and software developers alike.

Breaking the US encryption lock-out

But while America is trying to come to grips with its trade policies, recent developments in Japan may render the entire discussion a moot point. On June 4, 1996, Nihon RSA, a subsidiary of RSA Data Security, working together with NTT Electronics Technology, rocked the encryption community by announcing the development of a new chip set with a cipher key of up to 1,024 bits. The chips, developed in Japan, will be ready for sale by this summer.

How does this news affect the burgeoning global security industry? Since it was not developed in the United States, the chip and its encryption technology will be legal for sale anywhere in the world, including the US. And because Japanese law prohibits wiretaps, there will be no "government backdoor" or escrowed key system as the Clinton administration is proposing with the Clipper chip. But most importantly, Japan is now solidly on the map regarding cryptography and Internet security technology and looks to become a large provider of these technologies in the future.

Nihon RSA has already announced plans to distribute the chips in the US, and this fact alone may be the proverbial straw that breaks the camel's back. Conceivably, the US could lift its export limitations on encryption before fall. Unfortunately, this won't create an entirely free global marketplace overnight; encryption is strictly regulated or banned for use in, for example, France, Iran, Iraq, Russia, and China.

RSA Data Security

RSA Data Security Inc. is arguably the most important company in the encryption industry. It was founded in 1982 by three former MIT professors who invented the RSA Public Key Cryptosystem. This remains its flagship product, with over 75 million copies in use around the world.

In the past couple of years, RSA has been very active in enabling security technology for commerce on the Internet. In early 1995, VeriSign was founded as a spin-off of RSA Data to market and support digital certificates and authentication systems; investors include Ameritech, Mitsubishi, Security Dynamics, and VISA International. In February 1996, VeriSign, with the support of three NTT group companies, formed VeriSign Japan KK to support the exploding Japanese market.

In April 1996, RSA was purchased by Security Dynamics Technologies Inc., in a stock swap worth $200 million. Security Dynamics is a market leader in "smart cards" and token-based network verification schemes. Wall Street had been hoping that in the midst of the Internet IPO hype, RSA would also go public, so it greeted news of the purchase favorably, with Security Dynamics stock nearly doubling in the weeks following.

RSA's home page on the Web is at http://www.rsa.com/, and Security Dynamics can be found at http://www.securid.com/.

Forest Linton, living, learning, and working hard (at Koyosha Graphics) in Tokyo. Visit The Japan Web Guide at www.gol.com/jguide/ or The Digital Forest at www.twics.com/~forest/.

IBM's Internet service

In my June column, I reviewed Japan's major Internet service providers (ISPs). At that time, I failed to include IBM, quite a major ISP indeed. IBM has been offering Internet access in Japan since February 1995 and currently serves 15 cities in Japan with high-speed modem access. With local access numbers in over 540 cities worldwide, it is perfect for the traveling businessperson.

IBM offers personal dial-up accounts and corporate leased lines, and plans are reportedly in place for personal dial-up ISDN as well. For more information, contact IBM toll free at 0120-041992. The IBM Japan WWW server is at http://www.ibm.co.jp/.



(c) Copyright 1996 Computing Japan magazine. All rights reserved. May not be reproduced in part or in full, by any means, without the explicit written consent of the Editor-in-Chief or Publisher. http://www.computingjapan.com/
