James F. Chen knows a lot but can't tell all.
As president and chief executive officer of V-One Corp., which is in the thick of the battle to build security backbones for business on the Internet, Mr. Chen can see the future. Many of the financial institutions and systems companies intent on roles in electronic commerce rely on V-One- supplied encryption, authentication, and firewall techniques.
Mr. Chen expects sophisticated methods of verifying computer users' identities to move quickly toward implementation, often with smart cards as the repository for secure keys and certificates.
But he is under a gag order.
Most of his customers-they include several top commercial banks-have chosen not to disclose their association with V-One. Either they don't want to tip their hands about products and programs in preparation, or they just don't want to call attention to the fact that network security can be a problem.
SmartGate, his company's flagship product for securing data and access to it, is "in top-10 money-center banks," said Mr. Chen, 46. "But they are not making pronouncements about how they use it because of sensitivity to hackers."
A few of V-One's connections-it has a strategic and sales alliance with MCI Communications Corp. and a longtime, loyal customer in GE Information Services-are very public and suggest strongly that if Internet commerce lives up to any sizable fraction of its expectations, the Rockville, Md., company that Mr. Chen started four years ago could profit handsomely.
Though still in the money-losing stage after its October 1996 initial public offering, V-One is tapping into the much-vaunted growth of the electronic commerce market. Its first-quarter revenue of $2.4 million was up from $1 million a year earlier and was about equal to the total for the first six months of 1996.
The quarterly loss narrowed to $871,000 from $995,000.
The IPO prospectus named some of the customer names Mr. Chen feels constrained about repeating: Banc One Corp., BayBanks Inc., Bear, Stearns & Co., Fuji Capital Markets Corp., Svenska Handelsbank of Sweden, and Visa International.
It is easy to put two and two together. For example, Banc One and BayBanks, since merged into BankBoston Corp., are aggressively developing Internet services that need what V-One offers.
Word got out a couple of years ago that Citibank had turned to V-One for security in its home banking systems, a fact that didn't make it into the IPO documentation.
When it announced the latest SmartGate release, version 2.2, in January, V-One disclosed it was in use by Utah, which is developing a smart-card- based driver's license, and by Jefferies & Co. for Internet brokerage transactions.
V-One and Mr. Chen can handle the cloak-and-dagger. The company had its first successes as a government contractor and the prospectus' customer list includes the Air Force, Bureau of Land Management, and National Security Agency. Mr. Chen, who has electrical engineering and computer science degrees from Georgia Tech and George Washington University, previously worked for the satellite organization Intelsat.
But customer reticence puts a crimp on V-One's publicity and thus contributes to an impression that corporations may be moving more slowly than they are toward the Internet.
Then again, patience may be a virtue. Mr. Chen pointed out in a recent interview that Wells Fargo Bank's well-earned "bleeding edge" reputation in Internet banking got it an early "bloody nose" when questions were raised about Internet browser security.
"It's good to have pioneers, but the banks we deal with are more cautious. Their approach is correct," Mr. Chen said, not mentioning Citibank, which has been conspicuously slow to embrace Internet delivery. "We are very patient and making good money-the selling cycle that had been three to four months is coming down fast."
"The technology works fine and clients are happy," said Bill Wilson, corporate vice president, who joined V-One-originally Virtual Open Network Environment Corp.-in 1994 after working for it as a consultant.
"I'm not sure what is holding back wide-scale deployment," he said. "It's other people's business plans."
Back in the more public realm, V-One in January took to a new level its marketing and distribution relationship with MCI, a major factor in the Internet market that can open a lot of doors in the financial services community. Vint Cerf, the MCI senior vice president known as a creator of the Internet and advocate of new on-line business models, said V-One has the tools "to make this vision a reality for our customers."
MCI had a hand in the development of Florida State University's Internet administration and electronic payment system, with smart cards at its center, and V-One's SmartGate was there too.
In April, V-One won Department of Commerce approval to export SmartGate, overcoming the historical restrictions on strong forms of data encryption. In a new twist it called "trusted first party," V-One customers would not have to leave decryption keys on deposit with third-party escrow agents-a controversial sticking point in the U.S. government's moves to liberalize the export policy.
Mr. Chen said, "This was the news large multinational organizations that do business across international boundaries have been waiting for." Now, he said, they can deploy a single, seamless communications and security architecture worldwide, a capability "MCI and other global organizations didn't have."
James Bidzos, president of RSA Data Security Inc., from which V-One licenses its all-important cryptographic algorithms, hailed "trusted first party" as "the best compromise" and "the best balance of commercial and government concerns."
Also in April, V-One disclosed its participation in Intelidata Technology Corp.'s MoneyClip, a system that links smart cards with the Internet through a modified diskette in personal computers, and in a "virtual shopping mall" developed by Sweden Post.
MoneyClip only just began to be marketed, but the Swedish shopping service, Torget, has more than 100 merchants and 100,000 registered buyers with either "virtual cards" or smart cards with readers connected to PCs. Sweden Post installed SmartGate last October, and the response-2.5 millon "hits" a day and 2,000 new customers a week-augurs well for the on-line card transactions that MasterCard and Visa hope to stimulate with their Secure Electronic Transactions standard known as SET.
Mr. Chen called Torget a "first-of-its-kind venture" and "a perfect example of how SmartGate is making networks safe for business."
"I foresee strong deployment of smart cards when SET is deployed," he said, adding that he saw the need for a smart card-SET connection back when the bank card groups were focused on chip cards merely as stored-value cash devices.
SmartGate, built for the increasingly prevalent client/server computing approaches, "is positioned for both home banking and stored value," Mr. Chen said.
"The public key has to be really protected-it needs strong, hardware- based security," Mr. Chen said. That puts him on the "security token" bandwagon with RSA and many of its other licensees. A portable token, like MoneyClip, can ensure cardholder authenticity at any on-line card-reading device, not just at the "home" hard drive for which SET was originally contemplated.
V-One would be far from the only advocate or seller of a token-based security system. Security Dynamics Technologies Inc., for example, which acquired RSA a year ago, is a leader in security tokens and two-factor authentication, which effectively can put V-One in competition with an ally.
Mr. Chen wants to set V-One apart not just with expertise and intellectual property-he included in his brain trust, as chief scientist, Marcus Ranum, originator of the firewall concept-but also philosophically.
Mr. Chen argues against two of the widely deployed security protocols, known as SSL and S/HTTP, saying practical problems and performance limitations make them unsuited to full-scale on-line banking and commerce. V-One inserts its solution at what it calls the application layer, so a change in service need not require major work on the security aspects.
"We produce the oil and grease for electronic commerce applications," the V-One CEO said. "We make sure you don't have to replace the grease when you change the machinery."
In his vision, security becomes an integrated package of tokens, firewalls, encryption, key management, and so on. "The ultimate solution has to put all the ingredients together in one pot," Mr. Chen said.
''Only SmartGate works with any firewall," Mr. Wilson said. "Nothing competes with us in that application security space."
Recalling initial reactions to SmartGate in 1995, Mr. Wilson said, "People told us they could do the same thing with SSL. We said SSL was O.K. for privacy but not for authenticating the identity of the individual." Time passed and "those people came back."
