Baycorp breaks US encryption barrier

Credit check company Baycorp Holdings is one of the first non-banking organisations in the world to be allowed to import 128-bit encryption software from the US. At the behest of IBM, the US government has granted Baycorp dispensation from its export ban on the high-strength encryption technology.

Credit check company Baycorp Holdings is one of the first non-banking organisations in the world to be allowed to import 128-bit encryption software from the US. At the behest of IBM, the US government has granted Baycorp dispensation from its export ban on the high-strength encryption technology.

Baycorp will use the 128-bit encryption software to protect a service for online credit checks on individuals, something the company did not feel comfortable offering with lesser strength encryption. Until now, customers of Baycorp's Baynet credit checking service have only been able to do credit checks on individuals over the phone.

Baycorp IS manager Garry Wood says the fact that IBM uses Baycorp as a worldwide reference site for its technology played a vital part in securing dispensation from the US government.

"IBM brought a case for us in Washington, DC on the basis that we fit into the financial services sector," says Wood. "They pushed it through the NSA, FBI and US commerce department.

"The software was shipped from the commerce department via IBM Australia, as it has to be shipped via a US-based entity, and then couriered to us from Australia."

Wood says at one stage the courier was ordered to turn around because of the bombing of the US embassy in Nigeria.

"The US government reversed their decision because they didn't want the software being exported while all that was going on," he says.

"IBM even had lawyers hand-delivering documents to commerce department officials to try and hurry the process but the US government won't be hurried."

The process took nine months. The new encryption software has been incorporated into Baycorp's Lotus Domino Web server, which runs on an IBM AS/400, and the US-based certificate authority Verisign has given permission for Baycorp to turn on the ability for browsers accessing the site to transact with 128-bit encryption.

"Even if you're issuing 128-bit encrypted data, you have to ensure browsers are also turned on to receive it otherwise they will try and negotiate at 40 bits."

The 128-bit encrypted site, which has been in beta testing with 30 Baycorp customers, went live on November 1.

Wood says in a further security precaution it has joined IBM's e-MARK "ethical hacking service" whereby IBM employees (who are ex-CIA and ex-FBI) based in labs in Virginia regularly try to hack into Baycorp's Web site.

"If they find any holes they tell us how to plug them," he says.

New Zealand Health Information Service has also applied for permission to import 128-bit encryption.

Join the newsletter!

Error: Please check your email address.
Show Comments
[]