NSA blocks Sun from exporting secure Java toolkit

A special secured version of Java is all dressed up with nowhere to ship.

Sun has added security features to Java Developers Toolkit (JDK) 1.1, which is intended to help users build applets that can be encrypted and authenticated.

The problem is that Sun's JavaSoft division cannot ship it because the National Security Agency (NSA) will not approve the technology for export. The rub? The agency still controls encryption the same way it does munitions.

Sun ardently wants Java to be accepted globally -- not just domestically -- and is now pleading with the NSA and the Commerce Department to let Java ship.

"All the technology is ready to ship, but we don't want to deliver a US-only Java Developers Toolkit," says Alan Baratz, president of JavaSoft. "The new JDK will include all the APIs and a library of Java crypto."

Such security is crucial as Java has faced criticism over "hostile applets" wreaking havoc in computer systems.

Because it is wrangling with the government over security for controlling applets, JavaSoft has no clear deadline for when it will get the product out the door. If talks break down, JavaSoft may have to issue a domestic version of the Java kit with security and an international version with watered-down security or none at all, Baratz says. Sun officials hope to get some version out by the third quarter.

The problems that Sun is facing with government spymasters were alluded to only briefly during the boisterous and upbeat JavaOne conference here early this week, which was attended by thousands of software developers from around the world. Instead, more arcane matters of object-oriented programming took centre stage.

JavaSoft unveiled the Java Beans project, a long-term effort to create a set of component APIs written in Java that would let applets work with component architectures such as HTML, Component Object Model, OpenDoc and Live Connect.

Borland, IBM, Lotus, Netscape, Oracle and Symantec all say they will support the cross-platform development effort, which is not likely to yield fruit until mid-1997. Microsoft was noticeably missing from the list of endorsers.

Sun will also be adding so-called servlets to Java that will support the dynamic loading of software on to the server from the Java client. Currently, Java clients can only download server applets. Unfortunately, new tools such as servlets are dependent upon the release of the developer kit.

The prospect of Java servlets being loaded into Web servers to interact with other servlets makes the need for a security scheme to control them more acute.

Servlets should only be allowed to interact with other servlets if they are digitally signed so the applet's originator can be identified, says staff engineer Marianne Mueller.

The US government is unlikely to block export of digital signatures, but JavaSoft's entire suite of crypto APIs, of which signing is one, is under scrutiny by the NSA because some of the APIs enable plug-and-play encryption.

"The hope is we'll get export approval for exportable applications with this API," says Benjamin Renaud, a JavaSoft staff engineer.

Though security was not discussed much at JavaOne, the frustration at Sun over government export restrictions spilled over occasionally during the presentations made by James Gosling, Java's inventor and Sun vice-president.

"The technology is easy," says Gosling, who gave the keynote address to a hall overflowing with developers.

"Getting the congress and the NSA to be happy is where the challenge is," he says. "Everyone should write a letter to their congressman. What the NSA is doing is sad and silly."

Gosling later said adding encryption to Java was "fraught with legal peril".

"The question is, how do you do it without being arrested for being arms traffickers," Gosling says.
