Comment: Newfangled Code Remedies Have to Be Put in Broader Perspective

Attending the RSA Data Security Conference brought back recollections of my first exposure to information protection.

It was through Morse code telegraphy and was based on large bound volumes of code words used in banking, shipping, cotton markets, securities, and all sorts of enterprises.

I was surprised as a young engineer to discover that the private code/data combinations were not much different from my Jack Armstrong All-American Boy super decoding wheel: it was a simple substitution code. It was a rather slow, manual lookup-and-substitution process, but one quite difficult to transfer to a rudimentary computer.

By the late 1960s, when cash dispensers came on the scene needing protection against fraudulent commands, the protection scheme was converted to mathematical substitution and transposition. This was more appropriate to the strengths of the computer.

By the early 1970s, standards were devised for the banking industry to use the DES algorithm, the federal Data Encryption Standard. It was a continuation of the substitution and transposition method, personalized with a "key" very similar to picking one's own combination for a lock.
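To make the two building blocks the column names concrete, here is a small keyed substitution-and-transposition cipher. It is an added illustration written for this page, not code from the column, from the DES standard, or from any banking system: the shift table plays the role of the decoder wheel, the columnar transposition is the "transposition" step, and both are personalized by a key the way a lock is by its combination. The sample message, the shift value and the transposition key are all constructed here; the key-space arithmetic at the end is what the later discussion of 56-bit keys turns on.

```python
"""Toy keyed substitution + transposition cipher (added illustration, not DES)."""
import math
from string import ascii_uppercase as ALPHA


def shift_substitute(text: str, shift: int) -> str:
    """Decoder-wheel substitution: every letter moves `shift` places along
    the alphabet.  The entire key space is the 26 wheel positions."""
    return "".join(
        ALPHA[(ALPHA.index(ch) + shift) % 26] if ch in ALPHA else ch
        for ch in text
    )


def columnar_transpose(text: str, key: str) -> str:
    """Keyed columnar transposition: write the text in rows of len(key)
    columns, then read the columns out in alphabetical order of the key
    letters.  Short final rows are padded with 'X' (a constructed choice)."""
    width = len(key)
    text += "X" * ((-len(text)) % width)
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    order = sorted(range(width), key=lambda i: (key[i], i))
    return "".join(row[c] for c in order for row in rows)


def columnar_untranspose(cipher: str, key: str) -> str:
    """Inverse of columnar_transpose; the padding letters remain in place."""
    width = len(key)
    height = len(cipher) // width
    order = sorted(range(width), key=lambda i: (key[i], i))
    cols = {}
    for n, c in enumerate(order):
        cols[c] = cipher[n * height:(n + 1) * height]
    return "".join(cols[c][r] for r in range(height) for c in range(width))


def encrypt(plain: str, shift: int, tkey: str) -> str:
    """Transpose first, then substitute, so the padding is also disguised."""
    clean = "".join(ch for ch in plain.upper() if ch in ALPHA)
    return shift_substitute(columnar_transpose(clean, tkey), shift)


def decrypt(cipher: str, shift: int, tkey: str) -> str:
    """Undo the two steps in reverse order (the 'X' padding is still present)."""
    return columnar_untranspose(shift_substitute(cipher, -shift), tkey)


def key_space_bits(n_keys: int) -> float:
    """Size of a key space expressed in bits, i.e. log2 of the number of keys."""
    return math.log2(n_keys)


if __name__ == "__main__":
    # Constructed sample: a short message, wheel position 3, transposition key "ZEB".
    c = encrypt("SEND PIN NOW", 3, "ZEB")
    print(c, "->", decrypt(c, 3, "ZEB"))
    print("decoder wheel:      %.1f bits" % key_space_bits(26))
    print("full substitution:  %.1f bits" % key_space_bits(math.factorial(26)))
    print("56-bit DES key:     %.1f bits" % key_space_bits(2 ** 56))
```

The round trip returns the padded plaintext (SENDPINNOWXX), and the bit counts show why key length is only part of the story: the decoder wheel has under five bits of key and falls to trying all 26 positions, while a full alphabet substitution has about 88 bits of key yet still falls to letter-frequency analysis because the process leaks structure. That is the column's point about attending to the whole process rather than the scrambling step alone.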

The encryption scheme was needed to protect the international use of automated teller machine cards, with personal identification numbers for individual authentication.

In ATMs, data encryption served several purposes: protecting PINs, transaction amounts, and transaction decisions. It allowed the exchange of vital information among financial institutions, while allowing each to use its own personalizing keys.

This system has been in successful use for 20 years, and totally transparent to customers. Magnetic stripe cards, despite their insecurity compared to the smart cards that have been proposed as replacements, have fallen to their lowest fraud-loss rates ever.

Why? Because a great deal of attention was paid to the process by which information was protected, communicated and, most important, processed in long and tortuous network journeys.

At the RSA conference, in San Jose, Calif., the ultimate, modern data security techniques were displayed. All sorts of scrambling approaches are available, with a heavy emphasis on private-public key algorithms, in which a different key is used for scrambling and for decoding secured information.

Many vendors now recognize that the protection process requires a full "system solution." Besides data scrambling, this includes firewalls to contain exposures.

A group of computer scientists rose to an RSA challenge and decoded a DES-protected message in less than 24 hours. There was widespread acceptance of the need for encryption keys longer than 56 bits.

But few spoke about the need to make the security process invisible to the using public. Such transparent systems have been around for decades, working rather well, for example, in ATM and wire transfer networks. Everything at RSA '99 was about selling the new.

I almost felt compelled to hold up my old Morse code book. But we are destined to learn the new nomenclature and go after the expected new results. There are dozens of vendors ready to help.

I suggest asking them three questions: What problem are you solving? Can it be implemented without the user needing to understand what is happening? To whom have you proved that it really is an effective "total system solution?"

That will bring the conversation about encryption complexities down to earth. Xygne gtwne zxwpu. Oops, I slipped into the old code mode. I meant to wish you well with what is new.

Mr. Svigals is head of Jerome Svigals Inc., Redwood City, Calif.
