Hewlett-Packard commercial encryption products

HP offers a full range of commercially available products under the Praesidium brand to support the security requirements of e-Commerce, operating as appropriate at all networking layers from the basic transport of individual Internet packets through to application-specific products. The emphasis of most of these products is at the server end, and they are therefore mostly of interest to the corporate, public-body, and ISP market. The products are typically bought on distribution media rather than by download, although trial versions and customer requirements for immediate download can be accommodated.

The products are usually available in two versions relating to cryptographic strength due to US export controls - an "international" version and a "US domestic" version. HP is actively involved in the process of limiting the scope and impact of these export controls, and as they are relaxed HP makes the "US domestic" versions available to the widest appropriate range of customers.

A little further detail on relevant HP products is included in the following paragraphs; further details on all of them and other security-related products are available under http://www.hp.com/security.

IPSEC (Internet standard security at the packet level) is included as part of the core HP-UX operating system in all current and future versions; there is no incremental cost for this functionality. IPSEC is used to secure all incoming and outgoing traffic, and as such can offer protection to any interactive application.

HP offers the industry-standard Raptor firewall product under the e-Firewall name on both HP-UX and Windows NT. This firewall includes an IPSEC-based Virtual Private Network (VPN) capability, and costs between 20 and 150 KD.Kr. depending on configuration. It is suitable for SME and branch office use by larger organisations. For larger installations, HP also offers the Aventail VPN solution under the ExtranetVPN name, costing between 100 and 1800 KD.Kr.

For securing Internet-facing applications such as Web servers and controlled access to an organisation's information resources across the Internet, HP offers Virtual Vault, based on a compartmented-mode secure implementation of HP-UX, which offers protection from the consequences of intrusions at the level of the core operating system. Virtual Vault adds to this underlying protection a variety of application-oriented services for applications such as Web browsing, and in conjunction with the OpenMail-Anywhere email solution, secure access to an organisation's email from outside its boundaries. Virtual Vault supports not only the HP-UX platform, but Sun, Microsoft, Compaq, IBM, and other enterprise servers. Prices range from 100 to 700 KD.Kr. In the case of Virtual Vault, customers needing access to 128-bit symmetric encryption have the option, as well as using the US domestic version if it is available to them under US export regulations, of incorporating the third-party Stronghold range of European-sourced encryption capability.

Hardware acceleration and physical security for secret key material for the cryptographic functionality of the above products is available through the Praesidium SpeedCard, whose hardware component is the industry-leading Rainbow FastMAP card. Price is around 30 KD.Kr.

Open-source availability

In addition to the commercial products briefly outlined above, HP platforms running HP-UX, Linux, and Microsoft operating systems run a broad range of open-source, public-domain software. The availability of such software may be of particular interest for the issues raised in the second session of the encryption hearings, since open-source software provides one route by which doubts about the detailed capabilities or hidden back-doors of commercially available products can be addressed (though it is worth noting that where contractual terms are agreed, HP can provide access to source code for its commercial offerings). The packages listed below are implementations of actual or proposed IETF Internet standards.

FreeS/WAN (www.freeswan.org)

This is an implementation of the IPSEC protocol and the supporting IKE key-management protocol, running on a variety of platforms, under active international development. (It is interesting to note that US citizens are deliberately excluded from participation in this project, since the international team of developers wish the resulting source code to be visibly clean of any US "technical assistance" which might render it subject to US export controls.)

OpenSSL (www.openssl.org)

This suite implements the SSL and TLS protocols, widely used for securing Web traffic and other interactive protocols across the Internet. The libraries which come as part of the distribution implement many widely-used cryptographic algorithms, both symmetric (DES, 3DES, IDEA, RC4, and so on) and asymmetric (RSA, Diffie-Hellman key agreement, etc.), and these can be called independently of the higher-level SSL protocol library; there are also some sample applications which use the SSL library and allow "private-label" certificate authorities to be created.

OpenSSH (www.openssh.com)

SSH is widely used as a more secure method for remote login than simple telnet links; the OpenSSH suite implements both the underlying SSH protocol and the SSH client and server, in conformance with the IETF standard. As with the other open-source packages listed here, it can be compiled for HP-UX, for Linux running on HP platforms, and for Microsoft Windows running on those platforms.

GnuPG (www.gnupg.org)

GnuPG is an implementation of an email and host security system closely related to the well-known PGP package, in accordance with the IETF OpenPGP standard (RFC 2440). It differs from PGP in not using any patented algorithms, and is therefore only partially interoperable with PGP, depending on which encryption algorithms the PGP user has used in encrypting an outgoing message. The German Federal Ministry of Economics and Technology has provided funding to enable the further development and commercialisation of GnuPG.