
Computers and Security, Vol. 17, No. 7

implement the infrastructure, users were stumped over how they should proceed and what they would use it for. Overall, the report generally favours the approach of the Canadian encryption company Entrust, over California-based VeriSign. The survey, based on interviews with the companies’ key customers, suggested that while VeriSign’s customers enjoyed financial flexibility because digital certificate rental allowed them to avoid capital and depreciation costs, they could pay for that flexibility in the long run. Entrust offers a software product that is bought, installed and operated by the enterprise, while the VeriSign solution offers a public key infrastructure service that is effectively leased or outsourced to VeriSign and operated by it on the users’ behalf. Giga claimed that the Entrust users surveyed preferred the benefit of having a security solution that they could completely control, while VeriSign users preferred having a ‘public trust utility’ which allowed them to outsource some of their security management. Computer Weekly, September 24, 1998, p. 30.

US finally relaxes encryption policies. In the United States the Vice President has announced a new federal policy for the encryption and protection of electronic communication which will dramatically increase privacy and security without endangering the country’s security. Taking effect immediately, American companies will be able to use encryption programs of unlimited strength when communicating between most countries. Health, medical and insurance companies will be able to use far stronger electronic protection for personal records and information. Law enforcement agencies will still have access to criminally related information under strict and appropriate legal procedures. The assistant director of the FBI, Carol Morris, said, “We in federal, state and local law enforcement, are pleased with the administration’s support to establish a technical support centre. This centre will provide federal, state and local law enforcement with the resources and the technical capabilities we need to fulfil our investigative responsibilities.” She also went on to say that in light of strong, commercially available encryption products that are being proliferated within the United States, and when such products are used in the furtherance of serious criminal activity, this centre becomes very, very critical to solving the encryption issues that we need to make cases. With respect to export controls, the administration is updating its policy in three areas: our existing policy and some revisions there, an expansion with respect to certain sectors, and an expansion with respect to so-called recoverable products. With respect to the existing policy, the US Government has for two years, ending this December, permitted the export of 56-bit products after an initial one-time review without further review by the Government. From now on, 56-bit products will be freed from export controls after a one-time review, in perpetuity, not ending at the end of this year. The administration is removing the requirement for key recovery plans or key recovery commitments to be provided in return for that change. In addition, they are continuing to permit the export of key recovery products without restraint worldwide and the regulations relating to those exports will be simplified. Insurance companies are to be added to the definition of financial institutions and they will be treated in the same way under this policy as banks and other financial institutions are now. In addition, the same kind of treatment for exports of these encryption products will be given to the health and medical sector operating in the same set of countries. Finally, with respect to recovery-capable or recoverable products, including so-called ‘door-bell’ products, permission has been granted under a presumption of approval and an export licensing arrangement to a list of 42 countries. Also announced is the ability to export strong encryption of any bit length, with or without key recovery features, to subsidiaries of US companies to all destinations in the world with the exception of the seven terrorist nations. Network Security, October 1998, p. 2.

Slam the spam door, John Fontana. Some IT managers are ignoring a simple ‘set-it-and-forget-it defence’ against junk E-mail, and the oversight could be costly. The action any organization can take against junk E-mail is to shut off a feature called relay. This can be done on any messaging server based on the SMTP standard. When relay is turned off, it prevents spammers from hijacking corporate servers and resources to distribute junk E-mail. By switching off the relay feature, corporate servers cannot be used to relay spam and disguise the origin of messages. An open relay,

615


Abstracts of Articles and Recent Literature

however, gives spammers free use of corporate E-mail servers and it could expose companies to a loss of income, time and resources. In the United States, there are currently three major pieces of spam legislation moving through Congress. But legislation forces corporations to fight spammers in costly legal proceedings. Internet Week, August 17, 1998, p. 1, 45.
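The relay-off policy the abstract describes, written out as an added example (not code from the article or from any mail server): a minimal RCPT TO decision that accepts mail for local domains and outbound mail from trusted or authenticated clients, rejects everything else with the usual 554 reply, and shows how many of the same transactions an open relay would have accepted. The domains, the trusted network and the sample transactions are constructed for illustration.

```python
import ipaddress

# Constructed sample configuration: domains this server delivers for locally
# and the internal network whose users may send outbound mail through it.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample RCPT TO transactions from an outside host (203.0.113.5):
# one message for a local user, four addressed to recipients elsewhere.
SAMPLE_TRANSACTIONS = [
    ("203.0.113.5", "<bob@example.com>"),
    ("203.0.113.5", "<someone@elsewhere.net>"),
    ("203.0.113.5", "<another@elsewhere.net>"),
    ("203.0.113.5", "<third@other.org>"),
    ("203.0.113.5", "<fourth@other.org>"),
]

def is_trusted_client(client_ip: str) -> bool:
    """True if the connecting address lies inside a trusted network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:  # malformed address: never treat it as trusted
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)

def recipient_domain(rcpt: str) -> str:
    """Lower-cased domain of a RCPT TO argument such as <User@Host>."""
    addr = rcpt.strip().strip("<>")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def relay_decision(client_ip, rcpt, authenticated=False, open_relay=False):
    """Decide one RCPT TO; returns (accept, smtp_reply).
    open_relay=True reproduces the misconfiguration the article warns about."""
    if open_relay:
        return True, "250 2.1.5 Ok"  # anything goes: outsiders can route mail via us
    if recipient_domain(rcpt) in LOCAL_DOMAINS:
        return True, "250 2.1.5 Ok"  # inbound mail for our own users
    if authenticated or is_trusted_client(client_ip):
        return True, "250 2.1.5 Ok"  # outbound mail from our own users
    return False, "554 5.7.1 Relay access denied"

def count_accepted(transactions, open_relay=False):
    """How many of the given RCPT TOs the server accepts in the chosen mode."""
    return sum(relay_decision(ip, rcpt, open_relay=open_relay)[0]
               for ip, rcpt in transactions)

if __name__ == "__main__":
    print("open relay accepts:", count_accepted(SAMPLE_TRANSACTIONS, True))   # 5
    print("relay off accepts: ", count_accepted(SAMPLE_TRANSACTIONS, False))  # 1
```

With relay switched off, the outside host gets only its one legitimate inbound message delivered; the four messages bound elsewhere are refused before any data is accepted.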

This security catches on - slowly, Suruchi Mohan. Public key infrastructure (PKI) is a comprehensive set of functions for encryption and digital services. Its components include a directory, a certification authority and certification revocation lists. PKI’s most popular feature is its two sets of keys - a public key and a private key - for encryption and digital signatures. Despite its promise, PKI has been slow to catch on. A primary reason is the technology’s complexity and the requirement for a directory services infrastructure. Computerworld, August 24, 1998, pp. 37-38.

Immunizing your system, Frank Booty. There are now over 20 000 known viruses and between 500 and 550 appearing every month. The big growth has been in macro viruses which spread much faster than traditional viruses because people exchange data much more readily than executable files. Most viruses these days are spread via E-mail and groupware systems. Today, it’s nigh on impossible for network administrators to combat the threat of a rapid virus infection without protecting multiple points of entry. The widespread adoption of network computing has made it vital to establish a complete multi-tier virus defence system. IBM Today, July 1998, pp. 34-35.

Cryptographic accelerators face an uncertain future, Christopher Null. Unless you run a busy E-commerce site that does millions of dollars in business daily, you probably don’t give much thought to cryptographic acceleration. Although today’s cryptography services can be slow and place a considerable burden on your Web servers, the hardware available to speed things up is expensive and can be incompatible with existing hardware. The author started his review of cryptographic accelerators by looking at a prerelease PCI card, the CryptoSwift II, from Rainbow Technologies Inc. He also looked at nFast 300 KM recently released by nCipher Corp. In performance, the nFast beats the Rainbow accelerator by providing up to 300 1024-bit RSA signings per second. The nFast series of accelerators also supports a wider range of algorithms compared with the Rainbow device. Algorithms supported include: DES, triple-DES, CAST, and SHA-1. Also supported are S-HTTP and Secure MIME protocols. The real issue over cryptographic acceleration is this: will quickening encryption and authentication transactions actually speed up your Web site or messaging system? In other words, is encryption really the bottleneck? Also of concern is the uncertainty of future support for emerging cryptographic standards, such as Private Communication Technology, Internet Keyed Payments Protocol and Secure Courier. LAN Times, August 17, 1998, pp. 30-31.

Axent’s on security consulting, Rutrell Yasin. Beset by growing complexity and a shortage of skilled security experts, IT managers are looking for a broader range of security offerings and services from their suppliers. Axent Technologies becomes the latest to step up to that challenge by acquiring Secure Network Consulting Inc. Axent officials hope to give SNCI full rein to offer best-of-class tools. The challenge facing most organizations is how to link enterprise security with business operations successfully. The combination of a “services-based organization like SNCI and a company with a product/methodology base is a good marriage”. The integration of consultants with defence and military backgrounds into the commercial sector may pose a challenge for Axent. Attaining the lofty goal of providing users with a complete security life-cycle services programme will be more of a challenge. In addition to Axent other companies have launched global service organizations or acquired companies to obtain those resources. These companies include: Check Point Software Technologies, Network Associates, Security Dynamics and VeriSign. InternetWeek, August 24, 1998, pp. 1, 47.

Who goes there? Paul Grant. We hear much about the security threats that occur when companies go online. Cases of hackers breaking into systems and causing untold damage are well documented, often making national or international news. And now, with

616