RSA Data Security Inc. may have one less thing to complain about next week when it plays host to its annual conference of data encryption science and business.

After years of leading a high-technology industry chorus against U.S. government restrictions on exports of complex data-scrambling algorithms, San Mateo, Calif.-based RSA has declared itself open for business overseas.

It took months of negotiations with the Department of Commerce, and RSA had to set up shop in Australia to get around certain legal technicalities, hiring two noted cryptographers in that country in the process.

The deal, including the establishment of RSA Data Security Australia in Brisbane, was announced last week, a stroke of good timing with the annual RSA Data Security Conference due to begin Monday in San Jose, Calif.

The RSA '99 conference, which will attract thousands and will be more focused on financial services and electronic commerce than ever before, has traditionally served as an effective soapbox for critics of the U.S. export rules. Jim Bidzos, president of RSA and proud producer of the successful events, has been so intent on airing everything out and getting his messages across that he goes to great lengths to invite speakers of the opposing point of view.

One track of seminars this year will be devoted to the National Security Agency and its encryption initiatives, a constituency and a subject matter that have not been entirely unfriendly to Mr. Bidzos and his allies.

The politics-essentially revolving around the Commerce Department's gradual modification of the old rule that encryption codes for export could be no more than 40 computer bits in length-can make for lively and entertaining discussions. But at bottom it is all business for RSA, for the widening circle of companies that license and use its patented formulas, and for a further cadre of RSA critics and competitors with alternative products and technological ideas of their own.

Bankers are both in and above the fray. They are major users of data encryption systems and, because of the national-security interest in safeguarding the monetary system, they have been largely exempt from the 40-bit export limit, which was meant to keep unbreakable codes from falling into enemy hands.

More than the politics, it is the potential for electronic commerce that piques bankers' interest in an event like RSA '99.

Enough bankers were going to San Jose that Kawika Daguio, the American Bankers Association's encryption expert, had thought about organizing a pre-conference reception for them. (He is not going ahead for personal reasons, but this may be a year when financial institutions and their searching for attractive business propositions in digital certificates and crypto-protocols like SET, the Secure Electronic Transaction specification, take center stage.)

"Global electronic commerce is exploding," Mr. Bidzos said last week. "Consumers and merchants have made it clear that privacy for e-commerce is paramount, creating strong demand worldwide for the RSA-based SSL standard," the Secure Sockets Layer protocol that MasterCard, Visa, and several payment software vendors would prefer to override with SET, which also has RSA technology at its heart.

Mr. Bidzos said RSA, "through its headquarters and its international development center (in Brisbane), will fill that demand" for electronic commerce. "The Australian organization will focus on international opportunities to do so."

The pioneering encryption company, a subsidiary of Security Dynamics Technologies Inc. of Bedford, Mass., introduced the BSAFE SSL-C tool kit, the first RSA product available outside the United States that supports key lengths of any size.

The cryptography is based on SSLeay, an implementation of Secure Sockets Layer by Eric Young and Tim Hudson, now chief technical officer and technical director of development, respectively, of RSA Australia.

To comply with federal rules, the internationally available products cannot have domestic U.S. technology or be worked on by U.S. employees. But the good news for RSA is that it can sell systems without getting special licenses and without regard to key lengths, competing directly against unconstrained vendors from other countries.

Software developers "have worldwide security requirements, and RSA is committed to providing the solutions they need for a worldwide market," said Scott Schnell, senior vice president for marketing of RSA and Security Dynamics. With the international packaging of BSAFE, "RSA is helping customers participate safely and securely in the global marketplace."

To be sure, all uncertainties have not been washed away. But RSA and strong-encryption advocates have come a long way in the last year.

In December, the Commerce Department made formal a liberalization announced by Vice President Al Gore in September. It included the ability to export keys of any length to U.S. companies' overseas subsidiaries. Strong encryption would also be readily available for Internet commerce, banking, insurance and other financial applications, and health and medical organizations in 44 countries.

Meanwhile, there is the Wassenaar Arrangement, a multilateral defense- export protocol that recently had encryption provisions added.

"This move appears designed to strike a balance between industry and governments," Mr. Bidzos said. "It puts government-desired limits on encryption while leveling the playing field internationally.

"However, implementation is left up to the individual governments involved, and this new policy must be uniformly implemented and enforced if it is to have any effect."


Security Dynamics Technologies Inc. and International Business Machines Corp. have announced a market trial of a program to simplify the introduction of higher levels of data security into the IBM Global Network.

Security Dynamics' SecurID technology, known as two-factor authentication method because it combines passwords with a randomly generated unique code number for each transaction, would be used to ensure secure network access from remote locations.

Also incorporated in the offering would be Security Dynamics' ACE/Server system.

"Implementation of strong authentication for remote access has been a complex challenge for many organizations," said Bruce Jackson, vice president for network services at IBM, which is in the process of selling the global network to AT&T Corp. "We are pleased to be able to simplify ... using SecurID software tokens with our remote-access virtual private network capabilities."

For participants in the trial, "SecurID will be instantly available at the desktop, providing strong authentication with little change to current log-on procedures," said Scott Schnell, marketing chief of Security Dynamics and its subsidiary, RSA Data Security.

Subscribe Now

Access to authoritative analysis and perspective and our data-driven report series.

14-Day Free Trial

No credit card required. Complete access to articles, breaking news and industry data.