Play encryption game with tokens, keys and a new way to bluff

Government users who want to secure Internet transactions and e-mail have focused
either on the National Security Agency's Capstone technology or on RSA Data Security
Inc.'s encryption products.


Other players deserve a look, especially by agency engineers who work on homegrown
encryption schemes. There's even an alternative security plan that could get around the
laws forbidding export of high-end encryption.


The cryptography industry has gotten a strong push from the rise of smart cards,
handheld computing devices and electronic commerce on Web sites.


RSA of Redwood City, Calif., does top-notch encryption, but its long bit-length
requirement puts a sizable processing load on transaction servers. It also takes up a lot
of room on smart cards.


As secure transactions multiply, many sites are feeling the pinch. They need security
in a smaller envelope.


Elliptic-curve cryptography, touted by Certicom Corp. of Mississauga, Ontario, has very
strong security thanks to its 84-, 56- and 96-bit keys. RSA uses 512- and 1,024-bit keys.


A smart card that incorporates elliptic-curve technology could hold many more keys and
work more flexibly in more transactions. The new PC-attached postal meter builds in
elliptic-curve cryptography for buying postage and printing the stamps electronically.


Shorter keys also would make interaction easier for devices with limited memory, such
as handheld computers and cellular telephones that support e-mail.


If your agency is researching encryption, here's a short list of the major players,
what they offer and why one system might be better than another.


The company makes
products for secure payment, e-mail, instant messaging, certificate management, secure
Java applications and cryptographic development.


The
popular PalmPilot handheld from 3Com Corp. of Santa Clara, Calif., will use Certicom
cryptography.


Cylink products include a network security management
platform, multilayer and multiprotocol security for virtual private and TCP/IP networks,
and specialized products for frame relay, asynchronous transfer mode and other high-end
networks.


To see an outline of how it integrates with various applications, visit
http://www.pgp.com/products/pgp-personal-55-faq.cgi.


C2Net also sells a secure browser
plug-in and a TCP tunnel product for the client side.


Finally, Massachusetts Institute of Technology professor Ron Rivest, who helped develop
RSA's algorithm, has invented a method for secure Internet data exchange that he says lies
outside the scope of current export laws.


Rivest's process, known as chaffing and winnowing, sends messages in a combination of
good and bad packets. The grain is winnowed from the chaff by an authentication code known
only to the sending and receiving parties.


Rivest said this technically isn't encryption, so it is unaffected by the government's
export restrictions. Details on crypto theories appear at http://theory.lcs.mit.edu/~cis/cis-projects.html.
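The good-and-bad packet scheme described above can be sketched in a few lines of Python. This is an added example, not code from Rivest or from this column; the function names, the one-bit-per-packet layout and the choice of HMAC-SHA256 as the authentication code are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def tag(key: bytes, serial: int, bit: int) -> bytes:
    """Authentication code over (serial, bit); HMAC-SHA256 is this example's choice."""
    data = serial.to_bytes(4, "big") + bytes([bit])
    return hmac.new(key, data, hashlib.sha256).digest()


def add_chaff(key: bytes, message: bytes) -> list:
    """Sender: for each message bit, emit one good packet and one bad packet."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    rng = secrets.SystemRandom()
    packets = []
    for serial, bit in enumerate(bits):
        pair = [
            (serial, bit, tag(key, serial, bit)),             # wheat: valid code
            (serial, 1 - bit, secrets.token_bytes(MAC_LEN)),  # chaff: random code
        ]
        rng.shuffle(pair)  # packet order must not reveal which one is wheat
        packets.extend(pair)
    return packets


def winnow(key: bytes, packets: list) -> bytes:
    """Receiver: keep only packets whose code verifies, then rebuild the bytes."""
    good = {}
    for serial, bit, code in packets:
        if hmac.compare_digest(code, tag(key, serial, bit)):
            good[serial] = bit
    if sorted(good) != list(range(len(good))) or len(good) % 8:
        raise ValueError("authenticated packets are missing")
    out = bytearray()
    for i in range(0, len(good), 8):
        byte = 0
        for bit in (good[i + j] for j in range(8)):
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


if __name__ == "__main__":
    key = secrets.token_bytes(32)        # constructed shared secret
    wire = add_chaff(key, b"grain")      # constructed sample message
    print(len(wire), "packets on the wire ->", winnow(key, wire))
```

Every serial number appears on the wire with both a 0 and a 1, so the payload is sent in the clear yet only the holder of the shared secret can tell which packet of each pair is genuine.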


 


Shawn P. McCarthy is a computer journalist, webmaster and Internet programmer for
Cahners Publishing Co. E-mail him at smccarthy@cahners.com.

