At an event here celebrating 30 years of
public key cryptography, several top minds in the field
gathered for a trip down memory lane. Over the years, public
key cryptography has grown from an idea in a paper published
by Whitfield Diffie and Martin Hellman, both present at the
event, to technology used in everyday transactions on the

The U.S. government was a major obstacle in advancing
cryptography until it lifted export controls in 1996, a
panel of experts said. Much of the discussion Thursday
evening covered that topic, with Brian Snow, a retired
technical director at the National Security Agency, offering
some insight into what happened at the government in the 20
years before that.

"This, for us, was a weapon," Snow said. "And this was
possible free release of weapons we needed to defend the
nation to other nations who could be opponents at times."

As cryptography grew out of the research stage and into
actual products, companies such as RSA Security had a tough
time establishing themselves. In 1986, Jim Bidzos, then
chief executive of RSA, at times felt his business wouldn't

"There was this big monster in Maryland that I discovered
that we had to deal with," Bidzos said. "We found ourselves
competing with NSA, especially in the '90s."

One of RSA's first customers was Ray Ozzie. Today, he's
chief software architect at Microsoft, but back in 1986,
Ozzie was looking to secure what would become Lotus Notes.
Security was necessary to prevent eavesdropping on
communications, as Ozzie admitted he himself had done in the

"I was a student systems programmer, and we used to have
lots of fun looking inside of people's e-mail and private
discussions," he said, talking about his days in the late
1970s and early 1980s at the University of Illinois, when he
worked on Plato, a computer-based education system.

But when it came time to get an export license for Lotus
Notes, Ozzie ran into the U.S. government's restrictions. "I
had no clue," Ozzie said. "Initially, we had wanted to use
hefty keys... We had spent years working on it, and after the
third meeting (with the government), I thought we were

But that's all history. The Web hit in 1994, erasing borders
and giving rise to the need to secure electronic commerce.
In 1996, the government eased export controls, clearing most
regulatory obstacles for widespread adoption of

"The one thing I fault the (NSA) for is that they were not
willing to be open-minded in the discussion," Snow said.
"There was a very valid case to be made on the other side."

The government has even made an about-face on encryption.
These days, many regulations such as those laid down by
HIPAA and the Sarbanes-Oxley Act require encryption, noted
Dan Boneh, an associate professor of computer science at
Stanford University and co-founder of Voltage Security.

"There has been a complete flip recognizing that encryption
is here to help us," Boneh said.

Yet cryptography hasn't become as commonly used as some
might have hoped, the panel noted. Web transactions might be
encrypted, but a lot of data and communications still are

The issue, Snow said, is products. "The remaining issue that
is big today on the plate is lack of quality in the
products," he said, adding that security products are poorly
designed, often not in a secure way.

Other panelists agreed. "I will fix it all," Ozzie said. He
said he had built security into Notes and in Groove, a later
venture. At Microsoft, he plans to design it into products
as well, keeping in mind compliance issues and the realities
of enterprise systems, he said.

"In the early years, we as an industry could blame the
system for controlling the pace of innovation because the
government was throwing up roadblocks," Ozzie said. "At this
moment in time, it's laziness on the part of the industry in
terms of not embracing architecture and the importance of
human interface in design of secure systems."