Hewlett-Packard (HP) has been allowed by the US government to export strong encryption, but at a price.
The 128-bit security architecture has been crippled, so that companies using it will have to apply to a third-party organisation for a "token" to activate its most powerful capabilities.
HP has been granted approval to export its VerSecure technology (formerly known as the International Cryptography Framework) to the UK, France, Germany, Denmark and Australia.
The hardware-based technology works with security products from several vendors and provides configurable levels of security, with up to 128-bit Triple DES encryption. Such encoding is considered unbreakable using current technology, and this is the first time this level of encryption has been allowed outside the US.
The licence granted to HP specifies third parties, called Security Domain Authorities (SDAs), which issue Policy Activation Tokens that enable a level of security on the user's system compliant with the local government's policy. The tokens are only valid for a limited time and have to be renewed, usually on a yearly basis.
But Jolanta Pilecka, HP's Internet marketing manager, admits that "one could hack into the system - there is a possibility (that the user could bypass the Policy Activation Token)".
Even more worrying is the fact that the Triple DES standard was created by the US government, and there is a "lingering suspicion" that it may not be as strong as it should be, according to Heather Stark, principal consultant at Ovum. "There's a good chance that there's a back door in DES," she said.
HP is teaming up with partners including IBM and Microsoft to establish the technology as the standard architecture for Internet transactions.
The company is touting VerSecure as having configurable security levels, claiming "users can choose from limited to very strong cryptography and select whether or not to activate a key recovery capability."
Companies in the UK are not currently required to implement key recovery, or "key escrow", a method by which law enforcement or government authorities can gain access to encrypted data. However, a change in government policy could mean that companies would be obliged to reduce the level of security, and provide a key recovery mechanism.