Expiration of RSA Encryption Patent Should End Sticker Shock
Written by John J. Xenakis for
CFO.com,
Oct 31, 2000.
Xenakis on Technology will appear each week in CFO.com, covering
technology topics of interest to financial executives. John Xenakis
has been in the computer industry for over 30 years and a technology
journalist for 20 years. From 1992 to March, 2000, he was Technology
Editor of CFO Magazine and wrote the monthly TechWatch column.
Many companies have been shocked at the near six-figure or more
licensing fees they've been forced to pay to incorporate security into
their software to do business over the Internet.
Take Wake Forest University Baptist Medical Center, which is about to
go live with a leading edge system to use e-mail to send patients' lab
test results and admission notices to referring doctors. "We wanted to
make sure that this information is secured, so we're encrypting the
e-mail before it goes out," says Joe Foster, Manager of system
development.
The six-month implementation cost of the Winston-Salem, N.C., based
teaching hospital's entire project is $250,000 and of that amount,
$75,000 is licensing fees for the BSafe software from RSA Security
Inc. (http://www.rsasecurity.com). Related technology from
VeriSign Inc. (http://www.verisign.com) was used as well. There
will be no transaction or royalty fees.
"Although we were pressed for time," says Foster, "we looked at other
vendors, and we decided that RSA and VeriSign were leaders, and we
were comfortable with their products and technology."
What exactly is Encryption?
Encryption is the process of scrambling the bits and bytes of a
message so that no one but the intended recipient can read the
original message. Encryption can be used for other things as well,
including credit card numbers or invoice information in an e-commerce
application. Without encryption, any data transmitted over the
internet is vulnerable to hackers. See the sidebar below for a primer on
encryption.
Encryption has come a long way since you used a secret decoder ring to
send scrambled messages to your friends as a kid. Almost any method
that you might think of on your own to scramble your messages, no
matter how clever you think it is, would be almost child's play for
many hackers to crack. Nowadays, uncrackable encryption requires tools
based on the most advanced and sophisticated mathematics, and that's
the problem.
One of the most popular encryption algorithms, used in millions of
software applications around the world today, was patented in 1983.
The name of the algorithm is the RSA encryption algorithm, and the
patent is held by RSA Security.
So if you wanted to do business securely over the Internet, you had to
buy BSafe from RSA Security. And they weren't too easy to do business
with. They'd be happy to license BSafe to you to secure your data, but
they charged you $75,000, $100,000 or more, plus transaction or
royalty fees amounting to a fraction of your income.
That's pretty discouraging -- like General Motors selling you a car for
$100K, and then demanding 10% of your income as well, since you need
the car to get to work.
And RSA Security got away with it, too. Although the company and its
clients won't disclose prices, rumors are that some large e-commerce
companies have been paying RSA Security several million dollars per
year. That may be OK for the giants, but even small e-commerce
companies were being charged annual six-figure licensing and royalty
fees -- for nothing more than to use the RSA encryption algorithm.
But that's all finally expected to change, now that the patent for the
basic technology, the RSA encryption algorithm, expired in September.
Baltimore Technologies (http://www.baltimore.com) has been selling
its KeyTools product, encryption software including the RSA
algorithm, around the world for five years -- except in North America.
(Because of the newness of software patents in 1983 when RSA Security
Inc. first got its patent, it's never had any patent protection
outside of North America.) Baltimore used to have licensing fees
similarly onerous to those of RSA Security's, but now has dropped
them.
You can license their KeyTools Pro software for $9,000 per
application, per platform, with no transaction fees. And they've even
made a subset version, called KeyTools Light, available to be
downloaded for free on their web site, with no licensing fees
whatsoever.
RSA Security, meantime, isn't going to drop prices at all, according
to Michael Vergara, the company's director of product marketing, who
says that they have the best product. "The number of licensees keeps
growing, even since the patent expiration," he says.
Critical Path (http://www.criticalpath.net), a San Francisco-based
developer of applications for running secure messaging over the
internet, licenses both RSA's BSafe and Baltimore's KeyTools, and has
always simply passed the licensing fees through to its own customers.
They believe that RSA Security will have to cave in and lower prices.
"Our view is that this [patent expiration] is great for the security
market, since now you can buy RSA products and Baltimore products,
both of which deliver a lot of the same algorithms," says Michael
Sebinis, chief security officer. "Now there's competition, which is
always good for the customer and end user, and that's very positive."
However, David Thompson, an analyst with the Meta Group, believes that
RSA Security will be able to keep its prices up, at least for a
little while. "The other tool kits don't do all the things that the
RSA tool kits do. There are more bells and whistles that you can
configure and modify - key sizes, different implementations for some
algorithms, things like that," he says. "However, with the patent
expiration, there are going to be a lot more tool kits available from
a lot more companies out there, and overall pricing will be
dropping."
Amdahl leaving the mainframe business
Amdahl Corp., a unit of Fujitsu, is announcing this week that it's
discontinuing its IBM compatible mainframe product line.
This is the second such defection, since Hitachi Data Systems also
announced a pullout early this year. Neither company wanted to make
the huge investment necessary to match IBM's new 64 bit technology
that's coming in a couple of years. That means that the only major
remaining company making IBM compatible System/390 mainframes is,
well, IBM.
When I spoke to Carol Stone, Amdahl's VP of server marketing, she
wanted to be sure that I told everyone that Amdahl wasn't abandoning
its existing customers. "We'll be making 32-bit machines until March,
2002, and servicing and supporting them for four or five more years,"
she says.
Will IBM feel free to jack up prices, now that there is no more
competition? Almost certainly not, according to Gartner Group analyst
John Phelps.
"IBM has battled Amdahl for over 20 years, but now that they've won
they may not have won," says Phelps. "IBM has really believed for the
past few years that their main competitor was not Amdahl or Hitachi,
but Sun and HP."
Both Sun Microsystems Inc. (http://www.sun.com) and
Hewlett-Packard (http://www.hp.com) sell high-end systems that
begin to approach the power of a mainframe and can run either Unix or
Windows NT operating systems. Legacy application software was often
written in a way that was dependent on IBM's proprietary MVS mainframe
operating system, but in recent years, much new application software has been
designed to run on either mainframe or Unix platforms.
This means that IBM could charge different prices to different users,
according to Phelps. "We believe that there is a potential for there
to be a price differential for people looking to buy cheap legacy MIPS
[mainframe computing power], where competition is disappearing, and
people looking for new application areas, where Sun and HP compete,
since if there is no competition, then the potential exists for the
local teams to not give the best discounts."
SIDEBAR: So What Exactly is Encryption?
Descrambling this mysterious technology
These are exciting times in the encryption field, not only because of
the RSA patent expiration, but also because the U.S. government has
just announced a new encryption standard called Rijndael to be adopted
by the entire government. An encryption key is like the password or
PIN that you use to log onto your computer network or to access your
bank account, except that the keys used internally by most commercial
applications are numbers and are substantially longer than the keys
used by ordinary human beings.
Encryption programs use a key to take an e-mail message or a packet
of data and scramble the data so that a hacker can't read it while
it's being sent over the Internet. Once it reaches the target
computer, a decryption program uses a key to descramble the bits. Both
encryption and decryption use very advanced mathematical algorithms,
though there are several different algorithms in use.
There are two major kinds of commercial encryption, depending on
whether or not the decryption key is identical to the encryption key.
In "shared key" or "symmetric key" encryption, the encryption and
decryption keys are identical.
The best-known symmetric key algorithm is the Data Encryption
Standard (DES), so-called because it's been the standard encryption
method used by the U.S. government since the 1970s. DES is still
widely used, even though it was "cracked" in the 1990s -- a determined
hacker can decrypt a DES-encrypted message in a few hours of
computation on a powerful computer.
That's why those who still use DES today actually use "triple DES," or
3DES, which encrypts and decrypts the data three times, using three
separate keys.
Because DES was cracked, the National Institute of Standards and
Technology (NIST) announced in 1997 a worldwide competition to select
a new Advanced Encryption Standard (AES) to replace DES. On October 2,
2000, NIST announced a winner: Rijndael (pronounced "RHINE doll"),
named after its Belgian creators, Joan Daemen and Vincent Rijmen.
Unlike DES, AES will never be cracked -- even if the entire universe
were turned into a giant computer, it would still take trillions of
years to crack Rijndael. Information on Rijndael can be found at
http://www.nist.gov/aes.
Symmetric key encryption is easy to implement and manage when there
are only two or three computers communicating over the internet,
though even in that case you have the problem of how to transport the
shared key securely from one computer to another. However, once you
have numerous computers exchanging data over the Internet, and in
particular once you have e-commerce applications involving thousands
of computers, symmetric key encryption becomes unmanageable.
Dual key encryption uses different keys for encryption and
decryption, one of which is known as a "public key," and one of which
is a "private key." The public key can be made freely known, and
anyone can use it to encrypt a message. The private key is owned by an
individual or a computer, and only that entity knows the private key
and can decrypt the message encrypted with the public key.
The de facto worldwide standard is the patented RSA algorithm, named
after its inventors, Ronald Rivest, Adi Shamir and Leonard Adleman,
all of MIT. The idea is that each person doing business over the
Internet will get his own public/private key pair. Assigning these
pairs is a job of a Certificate Authority (CA), such as VeriSign Inc.
(This is a modified version of an article that originally appeared on
Oct 31, 2000 on CFO.com.)
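To make the sidebar's two kinds of encryption concrete, here is an added example written for this edit; it is not code from the article, from RSA Security's BSafe or from Baltimore's KeyTools. A toy XOR cipher stands in for a shared-key algorithm such as DES, a small function counts how many shared keys a group of computers would need to talk privately in pairs, and the textbook RSA steps (key generation, encryption with the public half, decryption with the private half) are carried through with constructed tiny primes so every intermediate value is visible. The function names, the sample message and the primes p=61, q=53 are this example's own assumptions, not values from the article.

```python
"""Shared-key versus public/private-key encryption, as described in the sidebar.

Added illustration, not the article's or any vendor's code. The RSA part is the
textbook algorithm with deliberately tiny, constructed primes so the arithmetic
can be followed by hand; it is not a usable cipher.
"""
from math import gcd


# --- Symmetric ("shared key") encryption -------------------------------------
# A repeating-key XOR stands in for DES/3DES/AES: the same key both scrambles
# and unscrambles, so both computers must already hold it before they talk.

def symmetric_crypt(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the repeating key. Applying it twice restores the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pairwise_key_count(parties: int) -> int:
    """Shared keys needed so every pair among `parties` computers has its own: n(n-1)/2.

    This is the management problem the sidebar describes: the count grows with
    the square of the number of computers, whereas public-key schemes need one
    key pair per participant.
    """
    return parties * (parties - 1) // 2


# --- Dual-key ("public/private") encryption: textbook RSA ---------------------

def rsa_keygen(p: int, q: int, e: int = 17):
    """Derive an RSA key pair from two primes p and q (constructed sample values).

    Returns ((n, e), (n, d)). The public key (n, e) may be published to anyone;
    the private exponent d is kept by the owner alone.
    """
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)              # e*d = 1 (mod phi); needs Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(public_key, m: int) -> int:
    """Anyone holding the public key can do this: c = m^e mod n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be a non-negative integer below the modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    """Only the holder of the private exponent can do this: m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def demo() -> dict:
    """Run both schemes once and return the values a reader would want to check."""
    # Shared key: one secret, used twice (constructed sample message and key).
    key = b"\x5a\xc3"
    msg = b"lab result: normal"
    scrambled = symmetric_crypt(msg, key)

    # Public key: encrypt with the published half, decrypt with the secret half.
    public_key, private_key = rsa_keygen(p=61, q=53)   # constructed tiny primes
    ciphertext = rsa_encrypt(public_key, 65)
    recovered = rsa_decrypt(private_key, ciphertext)

    return {
        "symmetric_roundtrip_ok": symmetric_crypt(scrambled, key) == msg,
        "public_key": public_key,            # (3233, 17)
        "ciphertext": ciphertext,            # 2790
        "recovered": recovered,              # 65
        "shared_keys_for_1000_parties": pairwise_key_count(1000),  # 499500
    }


if __name__ == "__main__":
    print(demo())
```

The primes here give a 12-bit modulus that a pocket calculator could factor; production RSA uses moduli of at least 1024 bits, randomised padding before exponentiation, and a vetted library rather than hand-written arithmetic. The point of the example is only to show which half of the key pair each party needs, and why the shared-key count becomes unworkable as the number of computers grows.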