At RSA Confab: An Endless Loop of Intrigue

The U2 is a spy plane. U2 is also the name of a rock group from Ireland that in a couple of 1980s songs paid tribute to Martin Luther King Jr. and then got into a public spat with the governor of Arizona for rescinding that state's observance of the King holiday.

Now a national holiday, the King commemoration fell this year on the same day that RSA Data Security Inc. opened its annual conference on data encryption and related technologies. Intelligence gatherers, the people behind the U2, for example, depend on such systems to prevent sensitive information from falling into the wrong hands.

RSA Data Security's president, Jim Bidzos, is an admirer of Martin Luther King Jr., has an eclectic musical taste that runs to U2, and habitually and outspokenly raises suspicions about U.S. intelligence and law-enforcement agencies' attempts to keep a lid on the cryptographic capabilities that companies like RSA want to sell around the world.

Continuing an RSA conference tradition of using popular music to make a point, Mr. Bidzos rewrote the lyrics of U2's "I Still Haven't Found What I'm Looking For." The title itself sounds like a hopeful anthem for those who try to unravel the codes now becoming increasingly ubiquitous, "embedded," as technologists like to say, in all sorts of financial transactions, message transmissions, and computing appliances.

The words did not just attack the politics of encryption, which in recent months have become much more accommodating to Mr. Bidzos and other advocates of strong cryptographic methods. This was more about the frustration of business implementation: an open admission by the leading company in the field that the technology, which holds so much promise for making the Internet safe for commerce and for safeguarding personal privacy, does not yet meet the common requirements of "ease of use."

Where U2 sang "I have scaled these city walls ... only to be with you," the interfaith church choir that serenaded the RSA conference in San Jose, Calif., 11 days ago inserted the words "Crypto products, bought them all, only to be confused."

What "burned like fire, this burning desire" for U2 was, at RSA, the fact that "I've spent millions" on biometrics and smart cards but "don't have a clue."

*

If this is beginning to sound like a cross between MTV and the "Connections" series on public television, with a smattering of History Channel espionage documentary, then that is probably exactly what Mr. Bidzos intended.

One of the keynote speakers happened to be the science journalist James Burke, host of the "Connections" programs that take viewers on fast-paced rides through the history of innovation. In that vein, it has been said that if not for World War II and the need to build machinery to crack enemy codes, there might have been no computer industry as we know it, and that would mean no public key cryptography at today's level of complexity.

We might still be at the level of some of the more elementary methods from history that RSA spotlights on its main conference stage each year, also to make political or educational points. A couple of years ago, it paid tribute to the Navajo nation and its unwritten language, which was employed to shield U.S. military communications in the world wars.

The symbol of RSA '99 was the Rokstenen, a monolith covered with Viking literary inscriptions, many of them encrypted using ancient Scandinavian alphabets. Scholars have concluded that "the Vikings were much more likely to encrypt religious or memorial texts than military ones," said Scott Schnell, senior vice president of marketing for RSA and its parent, Security Dynamics Technologies Inc.

Scholars seeking an explanation for that still haven't found what they're looking for, Mr. Schnell said. There must be a privacy lesson in there somewhere.

*

The various connections and ironies lent special significance to the root word "crypt," which is Greek for "hidden." Mr. Bidzos can conspiracy-theorize with the best of them, usually about the hidden agendas of others, of course.

Besides the U2 send-off, Mr. Bidzos asked his choir to perform something serious in the spirit of the King holiday, a rousing gospel tune, "He's Been Good to Me."

This is the same Mr. Bidzos who last year wrote, and performed, in the rap genre, with guest artists Sugarhill Gang.

This is the same Mr. Bidzos who, according to the December 1996 Wired magazine, was quite taken by the thesis of "Orders to Kill," a book that alleged links between Dr. King's assassin, James Earl Ray, and the Federal Bureau of Investigation. "My respect for (the civil rights leader) has gone up incredibly since reading this," Mr. Bidzos said. "So has my distrust for the government."

This is the same Mr. Bidzos who this year sat in on presentations at his conference by officials from the National Security Agency, for so many years the object of his ire.

*

The RSA conferences began in 1991 in a Redwood City, Calif., hotel, where about 60 people gathered to hear a 90-minute panel discussion among leading cryptographers about a new digital signature standard.

Attendance has about doubled every year since, to about 5,000 last week, with 137 companies exhibiting in the San Jose Convention Center. Electronic commerce topics have overtaken the mathematical and technical, and with that transformation dozens if not hundreds of bank officers, bank regulatory officials, and system providers familiar to them have come to make the pilgrimage.

Societa per i Servizi Bancari, an Italian bank automation company, came to sell its Ellips digital signature system. The company, known as SSB, may not have foreseen the possible confusion with SSE, an Ireland-based digital certification subsidiary of Siemens, or SSH, a Finnish network security provider.

*

The conference is the biggest in the data security field and recognized as such even by competitors of RSA and Security Dynamics.

RSA, a licenser of numerous patents and tool kits, encourages all the companies to participate in a flood of product announcements (150 press releases during the week), but the sponsor cannot help but take certain starring privileges for itself.

Mr. Bidzos' musical production opened the show; his boss, Security Dynamics chief executive officer Chuck Stuckey, closed it; and Mr. Schnell and other officers occupied podiums at various other times.

*

As if on cue, a coalition of computer enthusiasts with access to a vast network of processors decoded an encrypted message 22 hours and 15 minutes after RSA posted it on the Internet on Martin Luther King Day.

The winners, led by Electronic Frontier Foundation co-founder John Gilmore and David McNett of Distributed.net, collected a $10,000 prize for the latest demonstration of the vulnerability of 56-bit encryption keys under the federal Data Encryption Standard, or DES.

Mr. Gilmore and his DES Cracker won the last RSA Challenge in July in 56 hours, breaking Distributed.net's 41-day mark earlier in the year.

The hidden message this time: "See you in Rome (second AES Conference, March 22-23, 1999)." The proposed AES, the Advanced Encryption Standard, would replace DES with keys at least 128 bits long.

*

RSA also handed out its three annual achievement awards. The one for industry went to Compaq Computer Corp.'s Atalla security products group, largely for its cryptographic innovations in automated teller machines and point of sale networks dating back to the 1970s.

M.M. "John" Atalla, founder of what was Atalla Corp. before a series of acquisitions, did not accept the award on stage. He is now chairman of Tristrata Security in Redwood Shores, Calif., where, he said, he "came out of retirement to do on the Internet the same that we did for ATMs."

A British mathematician, John Pollard, won the RSA mathematics prize. Mr. Gilmore, encryption activist and civil libertarian, got the public policy award.

*

What is a 128-bit key, and how much better is it than 56?

Mr. Bidzos held forth on that subject at the opening session, implying that the message never gets out quite right in the media.

(This is the same Mr. Bidzos who once complained about a reporter's quoting him literally when he said that encryption allows him to "bank while I'm naked without being exposed." It made the point so well that now Mr. Bidzos uses it all the time.)

Encryption keys, those needed to lock and unlock hidden data, are computer bit streams of 1's and 0's. The more bits there are, the harder it is to find the right combination. The 56-bit breaks have been made feasible by speedy processors that can run through all combinations, at the rate of 240 billion keys a second by Mr. Gilmore's team last week.

A 40-bit RSA key is specified in SSL, the Secure Sockets Layer protocol now common in Internet transactions. There are 2 to the 40th power possible keys, 1 trillion-plus. Not much of a challenge for the supercomputer configuration Mr. Gilmore calls Deep Crack, though breaking open an SSL credit card payment would hardly be worth its while.

Each additional bit in the key doubles the possible combinations. They total 72 quadrillion at the 56-bit length and an imponderable number at 128 bits, the encryption level that the government has begun to permit to be exported under certain circumstances.

Mr. Bidzos said the computing power that would search half the "key space" of a 40-bit code in one microsecond would require 9.8 quadrillion years to get to that point in a 128-bit cracking exercise.

To those who still didn't get it, Mr. Bidzos said, if 40 bits is a teaspoon, then 56 bits is a small backyard pool and 128 bits is the entire planet Earth. He may have been understating a bit when he said "128 bits is quite secure."
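To put the key-length figures above on the same footing, here is a short worked calculation added to this piece (it is not from the article or from RSA): it takes the 2^40 and 2^56 key spaces, the 240-billion-keys-a-second rate reported for Mr. Gilmore's team, and the 22-hour-15-minute solve time, and works out how long an exhaustive search takes at each key length and what share of the 56-bit space that win actually covered.

```python
# Brute-force cost versus key length, using only the figures quoted in the
# article. Everything here is an added illustration, not RSA's or the
# article's own arithmetic.

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Search rate attributed to the Deep Crack / Distributed.net effort (keys per second).
DEEP_CRACK_RATE = 240e9


def key_space(bits: int) -> int:
    """Number of possible keys of the given length; each extra bit doubles it."""
    return 2 ** bits


def full_search_seconds(bits: int, keys_per_second: float) -> float:
    """Seconds needed to try every key at the given rate."""
    return key_space(bits) / keys_per_second


def expected_search_seconds(bits: int, keys_per_second: float) -> float:
    """Average time to hit the right key: half the space, on average."""
    return full_search_seconds(bits, keys_per_second) / 2


def fraction_searched(bits: int, keys_per_second: float, elapsed: float) -> float:
    """Share of the key space covered after `elapsed` seconds (capped at 1.0)."""
    return min(1.0, elapsed * keys_per_second / key_space(bits))


def seconds_to_years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    for bits in (40, 56, 128):
        full = full_search_seconds(bits, DEEP_CRACK_RATE)
        print(f"{bits:3d}-bit: {key_space(bits):.3e} keys, "
              f"exhaustive search {full:.3e} s "
              f"({seconds_to_years(full):.3e} years), "
              f"expected {expected_search_seconds(bits, DEEP_CRACK_RATE):.3e} s")
    # The January 1999 DES Challenge III key fell after 22 h 15 min.
    win = 22 * 3600 + 15 * 60
    print(f"56-bit win after 22h15m covered "
          f"{fraction_searched(56, DEEP_CRACK_RATE, win):.1%} of the key space")
```

At that rate a 40-bit space falls in under five seconds, a full 56-bit sweep takes about 83 hours (so the 22-hour win found the key roughly a quarter of the way through), and a 128-bit sweep runs to tens of quintillions of years, which is the "teaspoon, pool, planet" comparison in numbers.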

"Companies like Netscape, Microsoft, E-Trade, Wells Fargo, and others deserve credit," he said. "You can't do on-line banking or commerce with breakable encryption, and if your browser doesn't let you into their systems, they tell you how to get a stronger browser."

*

RSA put its math skills to other uses. Mr. Stuckey in his closing remarks said the average attendee walked 6.79 miles and lost three pounds, but gained two back in the consumption over the four days of 4,800 ice cream bars, 10,000 donuts, and 20,000 cookies.

*

The National Security Agency's participation was regarded as a coup for both sides. Mr. Stuckey said he hoped it was "a first step toward government-private sector cooperation in this business."

The NSA, reputedly the world's most advanced cryptography shop, put on a little show of its own in the afternoon it was allotted.

Its ISSO (Information Systems Security Organization) Business Affairs Office promoted various initiatives to share its expertise with the private sector. Under one of those, the Trust Technology Assessment Program, NSA awarded a first set of security certifications to firewall products of Cisco Systems and Lucent Technologies and to an IBM operating system.

The deputy director of information systems security, Michael Jacobs, introduced his program with a goosebump-producing film about the agency's good works. He then sought to demystify an organization that several Hollywood movies have portrayed as "an evil, all-powerful, all-knowing agency run amok." He asked audience members to think about the NSA as "a typical high-tech organization" much like theirs.

After some disarming jokes about encryption politics, Mr. Jacobs good-naturedly presented a Furby toy to Mr. Bidzos, and then lost control of his show.

"I was beginning to buy that 'not all-knowing, not all-powerful' stuff until I saw that you managed to get a Furby," RSA's leader said. "I suppose you want me to put this in my office."
