REDMOND, Wash., June 24, 1997 — Microsoft Corp. today announced it has obtained U.S. government approval for the export of powerful 128-bit encryption to banks worldwide for protection of online financial transactions.
The U.S. Department of Commerce license, issued June 10, will permit Microsoft to enable 128-bit encryption security between banks and their customers in products that support the secure sockets layer (SSL) or transport layer security (TLS) protocols. The encryption technology will be incorporated in all domestic and export versions of Microsoft® products dealing with the Internet, beginning with Microsoft Internet Explorer 4.0, Microsoft Money 98 and Microsoft Internet Information Server.
Previously, U.S. export laws limited U.S. software products to no more than 64-bit encryption for financial data. Banks can now build secure online financial systems based on off-the-shelf Microsoft products and rely on comparable security on their customers’ desktops.
“We believe this is a win for everyone – for our bank customers, for consumers, for the government and for the computer industry,” said Mike Dusche, Microsoft’s financial services industry manager. “Microsoft has enabled banks worldwide to access high-strength security easily so they and their customers can securely perform online transactions. Microsoft will not charge banks for using this license, nor will it receive a transaction fee from banks that use this license. Microsoft currently plans to turn the certificate mechanism over to a reliable third-party group at the appropriate time.”
The 128-bit encryption capability is implemented as an extension to the SSL and TLS protocols. TLS is a security protocol overseen by a working group of the Internet Engineering Task Force, an Internet standards body. The extension enables an application to “switch on” 128-bit security when a digital certificate is present on the bank’s system. If there is no certificate, the server and client negotiate the strongest common security available to them.
For example, overseas customers who want to pay bills or transfer funds online could use Microsoft Internet Explorer to connect to their bank’s Web site. After a connection was established, Microsoft Internet Explorer would perform an electronic “handshake” with the bank’s server to determine if a digital certificate was present. If the certificate was located, the session would be protected by 128-bit encryption. If the server did not have a certificate, the transaction would automatically default to an ordinary SSL or TLS session, generally at 40-bit security.
The government’s export approval for 128-bit encryption does not require the use of key escrow – the storage of encryption keys to enable law enforcement officials to recover users’ messages. The export approval continues the current U.S. encryption export control policy permitting favorable treatment for the export of strong encryption products intended for use in conducting financial transactions. It also recognizes that banks and other financial institutions are subject to explicit legal requirements to retain transaction data, and that they have shown a consistent ability to provide appropriate access to transaction information in response to authorized law enforcement requests without the requirement to escrow encryption keys.
“Banks must be able to communicate securely with their customers with mutual assurance of the authenticity, integrity and privacy of those communications, and we believe we now have effective security solutions for both major types of online transactions,” Dusche said. “Our Secure Electronic Transaction solution will appeal to individual PC users who want to conduct online commerce via the Internet, and our 128-bit encryption technology gives banks a powerful solution for direct customer-to-institution transactions.”
Dusche also said that when an announced relaxation of U.S. electronic-commerce export regulations occurs this summer, the Microsoft license will be updated to extend strong security to other financial institutions such as investment, brokerage and insurance firms, and to make available even more secure key lengths.
Founded in 1975, Microsoft (NASDAQ
) is the worldwide leader in software for personal computers. The company offers a wide range of products and services for business and personal use, each designed with the mission of making it easier and more enjoyable for people to take advantage of the full power of personal computing every day.
Microsoft is a registered trademark or trademark of Microsoft Corp. in the United States and/or other countries.
Other product and company names herein may be trademarks of their respective owners.
Note to editors: If you are interested in viewing additional information on Microsoft, please visit the Microsoft Web page at http://www.microsoft.com/presspass/ on Microsoft’s corporate information pages.