Card Technology: Solutions Appear for Sluggish Security Protocol

The urgency to complete the credit card security protocol for Internet payments may be a case of hurrying up just to slow down.

The protocol, known as SET, is what computer experts call CPU-intensive. It requires so many calculations by computers' central processing units that transactions could slow to a crawl, a likely turnoff to Internet surfers with anything but the most powerful computing devices.

But solutions are on the horizon. They were the subject of discussions last week at the annual conference sponsored by RSA Data Security Inc. in San Francisco. Any lag in bringing SET (Secure Electronic Transactions) up to speed gives technology vendors time to address the throughput problem.

One answer may lie in a concept known as "hardware acceleration," which lessens the burden on software to crunch the complicated data encryption algorithms that scramble critical transmissions and authenticate the identities of buyers, sellers, and payment processors on the World Wide Web.

Some companies are exploring elliptic curve systems, an alternative to the predominant form of public key cryptography. Their different numerical basis shows promise of providing strong security that is less burdensome on CPUs.

"The principle seems to be equivalent security with shorter key lengths," said Alan Schiffman, chief technical officer of Terisa Systems Inc., referring to elliptic curves. The keys are needed to scramble and unscramble (encrypt and decrypt) critical transmissions.

"Some old-timers" say elliptic curve has not proven itself, said Mr. Schiffman, but "it is appropriate for people to be trying it, and we will be there with them."

Terisa, which is based in Los Altos, Calif., and has played an active role in SET development, said it would incorporate the elliptic curve system in a special version of its SecureWeb tool kit. For that purpose, Terisa licensed the Elliptic Curve Cryptosystem from its Toronto-based developer, Certicom Corp.

"Several Certicom customers wanted our products, and we think ECC is interesting to experiment with," Mr. Schiffman said. He said ECC could become "a major building block for electronic payments."

Certicom claimed its ECC "will dramatically improve the performance of electronic payments protocols, reduce Internet server bottlenecks, and ensure compatibility with elliptic-curve-enabled smart cards that are expected to reach the market in the second quarter."

The Canadian company made more headway this week when Tandem Computers Inc.'s Atalla division licensed its Elliptic Curve Tool Kit for the NetArmor security chips that Atalla has developed with VLSI Technologies. Atalla, a leading transaction-processing security vendor, said it is on a mission to maximize both speed and efficiency of secure payments over open networks.

SET, which is largely based on encryption capabilities developed and licensed by RSA Data Security, would be considerably more CPU-intensive than the SSL, or Secure Sockets Layer, protocol familiar to users of current Web browsers.

Rainbow Technologies Inc., which recently introduced an accelerator product called CryptoSwift, issued a paper last week documenting how cryptography can bog down the common 32-bit processors in Internet server computers. Shawn Abbott, chief scientist for the Internet security group of Irvine, Calif.-based Rainbow, said SSL "was designed with performance the primary objective." SET placed a higher premium on security, which is a performance tradeoff.

Rainbow said its server could establish security with a client using "a single RSA operation, a private key decryption." An SET transaction, by contrast, can require dozens of operations per second.

"Performing these (cryptographic) functions in software severely restricts server capacity, even at modest transaction rates," said Rainbow vice chairman Peter Craig. "Hardware acceleration is essential for economical server performance."

A British start-up called nCipher Corp., an affiliate of Newbridge Networks of Kanata, Canada, was also showing hardware accelerator technology at the RSA conference.
