TIS CEO Stephen Walker explains the critical issues of security and encryption
by Lynda Radosevich, InfoWorld Electric (01/09/1997)

Stephen Walker is president, CEO, and founder of Trusted Information Systems (TIS), the Glenwood, Md., developer of the Gauntlet Internet firewall. Walker, who was a computer security expert for the U.S. Department of Defense before founding TIS in 1983, testified before Congress in July on the controversial key escrow debate. His stance on government control over encryption technology export is unusual in the software industry: there is an acceptable middle ground between the government's need for recovery keys to decrypt criminal communications and the need to protect the privacy of communications. In a conversation with InfoWorld Senior Editor Lynda Radosevich, Walker explained his position on encryption export and other hot Internet security issues.
Walker: We offer 56-bit DES without key recovery. We also offer DES encryption with key recovery because there are companies that want key recovery in order to recover their communications if they ever need to. Our customer Royal Dutch Shell, for example, wants encryption because it has to protect its stuff from everybody else but cannot afford to have an employee encrypt something and have no way to get it back. We also have approval to offer on Gauntlet triple-DES or 128-bit encryption with key recovery. In addition, we have built a crypto-service provider that is compatible with the Microsoft cryptographic API [thereby enabling companies to add encryption capabilities to Windows applications and establish internal key recovery systems]. In March, we got approval from the Commerce Department to ship 128-bit encryption or triple-DES encryption with key recovery in our crypto service provider. We are testing it with a European Commission pilot project in five countries right now.

InfoWorld: What level of encryption do you believe is needed to provide rock-solid security?

Walker: If you're building a system that's going to be around for a long time -- between four and 15 years -- you'd better use triple-DES or 128-bit encryption today. But if you're just protecting e-mail that isn't going to matter two weeks or a year from now, 56-bit DES is perfectly fine. In June, when an ad hoc team exhaustively checked the DES keys, it took some 14,000 computers four months to find the key after checking only 25 percent of the key space. On average you will find it after 50 percent of the key space. If you have 14,000 computers and you go after them for eight months, you'll be able to recover one message. If somebody really wants to do that, more power to them. I think that actually shows the strength of DES, not the weakness of it.

InfoWorld: What was your stance in the July Congressional hearing on the Security and Freedom Through Encryption Act? [The act, sponsored by Virginia Congressman Bob Goodlatte, would free companies to export stronger than 40-bit encryption.]

Walker: My position was we don't need to remove export controls completely. In effect, the government has allowed 56-bit DES to be exportable supposedly for a two-year interim period, but once the genie is out of the bottle I don't know how they're going to get it back in, so I think DES is exportable for all time from here on. As I said, 56-bit DES is fine for people who are not building systems that they expect to be around necessarily for 10 or 15 years. But for people who want something stronger, the administration is allowing the export of any encryption as long as it has a key recovery mechanism. Well, encryption is a two-edged sword. It protects you from your enemies, but if you lose the key for some reason -- an employee quitting or getting hit by a truck, for instance -- you lose the intellectual property contained in the encrypted information. We are finding a solution to this whole issue, which has been around for as long as I can remember, and we don't need to abolish export control unilaterally, which is what the Goodlatte bill proposes, or link key recovery with some government-approved public key infrastructure, which is the administration's position. What I suggested, and the congressmen seemed to be very interested in, was let's let the solution that we're working on play out. There are 60 companies in the Key Recovery Alliance that we and IBM started. It's not a political group; they're not going to take a stand and issue press releases, but we're actively working on finding solutions that involve key recovery that will result in very strong crypto being exportable to any honest person anywhere in the world. For instance, we have now installed more than a dozen key recovery centers in seven or eight countries around the world, and companies are running their own key recovery centers for their own purposes. From a law enforcement point of view, it's good enough for them to know that if, for instance, they should ever suspect that someone in Royal Dutch Shell is doing something illegal, the U.S. government can go to the Netherlands government, which will go to Shell, and Shell will cooperate in any investigation.

InfoWorld: IS managers say they want a single point of administration for all of their security products. What will make this possible, and when?

Walker: The need for this is so apparent that I would hope in the next two years we're going to see a massive movement toward integrating these pieces. It is certainly our intention to be at the forefront of making that happen. Now don't come back to me in two years and say, "But it didn't happen yet." It may be five years. Recognize that three years ago people didn't think security mattered at all. And it's just in the evolution of the firewalls and in the evolution of anti-virus and intrusion detection that people have in the last few years realized, "Oh God, this is a problem. What am I going to do?"

InfoWorld: Should users be skittish about letting Java and ActiveX applets through their firewalls?

Walker: In general, yes. If you accept Java or ActiveX applets from anyone, you are going to get some from people you don't want. A strength of these applets is that they allow you to do things locally that make it much more efficient to operate. But doing things locally, if something hostile is in there, can do immense damage. The answer to this is not to ban Java but to know where applets are coming from. If I know they're coming from a source that I trust and a source that I can yell at if something goes wrong, then I'm OK. Also, it is important to be able to check digitally signed applets at the firewall -- before they're allowed into the system -- then check them at the workstation again. You can check the applets' digital signatures at the workstation, but it's very difficult to ensure all workstations are properly configured to do that. By checking applets at the firewall, it's much less likely that a hostile one will get workstation access, because you will have gotten rid of most of them before they reach your internal network.