Verisign, Lotus Join Forces to Supply 128-Bit Encryption to Banks

Verisign Inc. and Lotus Development Corp. said they are teaming up to offer banks and other multinational enterprises the strongest available form of data encryption.

Users of Lotus' popular Domino messaging and collaborative-work systems have gained access to the Verisign Global Server Digital ID, a digital certificate technology for authenticating parties to an on-line transaction.

Communications would be scrambled by an encryption key 128 bits long. That is many times more difficult to decode than the 40-bit systems previously sanctioned for export from the United States, a restriction based on national security and terrorism concerns.

Verisign and Lotus officials said they gained from the Department of Commerce an essentially blanket approval for the higher-level encryption by relying on an existing public key infrastructure that is not seen as a sovereign or military threat.

"In the past, the government approved strong encryption within narrowly defined groups of users, and it needed a specific license," Verisign product manager Ben Golub said in an interview last week.

Mass merchandising on those terms would be difficult because a license would have to be obtained to serve any given buyer. Any connection between the United States and other countries would be limited to 40-bit keys.

The arrangement with Lotus, an International Business Machines Corp. subsidiary, "potentially opens the entire world to commerce with strong encryption," Mr. Golub said. "It meets the business needs of organizations with large customer bases that are not necessarily defined in advance."

Kevin Lynch, Lotus product manager for Domino security, pointed out that his company has a long tradition of concern for security dating back to early versions of its Notes software. That has been carried over to the Internet and related open-network technologies with the Domino products.

Lotus was an early customer of RSA Data Security Inc., the leading commercial encryption vendor. Verisign, based in Mountain View, Calif., was a 1995 spinoff from RSA and did an initial public stock offering this year.

Verisign root keys are embedded in the major World Wide Web browsers, including Microsoft Internet Explorer and Netscape Navigator.

When a personal computer connects to a Lotus Domino server, it will be able to verify that a Verisign Global Server ID has been issued. With this "handshake," the session will take place at the 128-bit level of encryption.

A U.S. corporation with a Domino server or Domino Go Webserver, or a U.S. bank with multiple servers around the world, would no longer be inhibited by the 40-bit rule from doing cross-border transactions.

"A bank in, say, Germany, can get a Lotus Domino server and a server ID from Verisign and deal with strong encryption with customers anywhere in the world using a Microsoft or Lotus browser," Mr. Golub said.

The concern about 40 bits stems from an RSA-sponsored contest in which graduate students from the University of California were able to crack that type of code in eight hours. "That's not a lot of security when you are dealing with high-value transactions between banks," Mr. Golub said.

A 128-bit key at the same computing rate would take longer than the age of the universe to unravel, Mr. Golub said.

Lotus customers can download Global Server IDs from the verisign.com Web site. The price of $695 includes standard digital ID benefits, including 24-hour on-line support and $100,000 of protection against fraud.

Sumitomo Bank plans to supply digital certificates to its home banking customers, said Verisign Inc., which will supply the authentication technology to the Japanese bank.

Sumitomo plans to begin distributing the certificates in June under its own brand name, telling customers they will enhance transaction security.

"Internet security is a basic need for superior customer service," said Yoshiaki Izumida, general manager of Sumitomo's electronic commerce banking department. With Verisign's certificates "we can offer a much more advanced Internet service to meet our customers' needs."

Sumitomo obtained a Secure Server ID from Verisign Japan in January 1997. It is installing Verisign OnSite for certificate issuance and will rely on Global Server IDs for secure communications. The latter provide strong 128-bit data encryption free of U.S. export restrictions.

Other industry users of Verisign IDs include the Federal Reserve Bank of New York, BankAmerica Corp., and NationsBank Corp.
