October 27, 2006 5:41 PM PDT

At 30, crypto still lacks usability, experts say

MOUNTAIN VIEW, Calif.--Government controls held back cryptography in the past, but today, it's usability that blocks adoption, a panel of experts said Thursday.

At an event here celebrating 30 years of public key cryptography, several top minds in the field gathered for a trip down memory lane. Over the years, public key cryptography has grown from an idea in a paper published by Whitfield Diffie and Martin Hellman, both present at the event, to technology used in everyday transactions on the Web.

The U.S. government was a major obstacle in advancing cryptography until it lifted export controls in 1996, a panel of experts said. Much of the discussion Thursday evening covered that topic, with Brian Snow, a retired technical director at the National Security Agency, offering some insight into what happened at the government in the 20 years before that.

"This, for us, was a weapon," Snow said. "And this was possible free release of weapons we needed to defend the nation to other nations who could be opponents at times."

As cryptography grew out of the research stage and into actual products, companies such as RSA Security had a tough time establishing themselves. In 1986, Jim Bidzos, then chief executive of RSA, at times felt his business wouldn't go anywhere.

"There was this big monster in Maryland that I discovered that we had to deal with," Bidzos said. "We found ourselves competing with NSA, especially in the '90s."

One of RSA's first customers was Ray Ozzie. Today, he's chief software architect at Microsoft, but back in 1986, Ozzie was looking to secure what would become Lotus Notes. Security was necessary to prevent eavesdropping on communications, as Ozzie admitted he himself had done in the past.

"I was a student systems programmer, and we used to have lots of fun looking inside of people's e-mail and private discussions," he said, talking about his days in the late 1970s and early 1980s at the University of Illinois, when he worked on Plato, a computer-based education system.

But when it came time to get an export license for Lotus Notes, Ozzie ran into the U.S. government's restrictions. "I had no clue," Ozzie said. "Initially, we had wanted to use hefty keys...We had spent years working on it, and after the third meeting (with the government), I thought we were dead."

But that's all history. The Web hit in 1994, erasing borders and giving rise to the need to secure electronic commerce. In 1996, the government eased export controls, clearing most regulatory obstacles for widespread adoption of cryptography.

"The one thing I fault the (NSA) for is that they were not willing to be open-minded in the discussion," Snow said. "There was a very valid case to be made on the other side."

The government has even made an about-face on encryption. These days, many regulations such as those laid down by HIPAA and the Sarbanes-Oxley Act require encryption, noted Dan Boneh, an associate professor of computer science at Stanford University and co-founder of Voltage Security.

"There has been a complete flip recognizing that encryption is here to help us," Boneh said.

Yet cryptography hasn't become as commonly used as some might have hoped, the panel noted. Web transactions might be encrypted, but a lot of data and communications still are not.

The issue, Snow said, is products. "The remaining issue that is big today on the plate is lack of quality in the products," he said, adding that security products are poorly designed and often not built in a secure way.

Other panelists agreed. "I will fix it all," Ozzie said. He said he had built security into Notes and in Groove, a later venture. At Microsoft, he plans to design it into products as well, keeping in mind compliance issues and the realities of enterprise systems, he said.

"In the early years, we as an industry could blame the system for controlling the pace of innovation because the government was throwing up roadblocks," Ozzie said. "At this moment in time, it's laziness on the part of the industry in terms of not embracing architecture and the importance of human interface in design of secure systems."

7 comments

Easy Crypto
Found this site today offering a service for two-factor password tokens, looks interesting.

Guess mainstream crypto might just happen.

It's www.mypw.com, seems pretty cheap, but who knows.
Posted by sfrank212 (12 comments )
Some options.
The following comments do NOT address the interface issue of the article. They do suggest some ways to generate encryption software unique for the individual, organization subgroups, and the organization.

The following website briefly (too briefly for a change?) describes the basic concept. Feel free to skip to the few comments on encryption.

http://RememberEZ.tripod.com/eat.html

The basics: Environmental samples (sound, etc.) can provide theoretically infinite enrichment sources for encryption software. Design for a construction set of algorithms, pseudo random selection of specific algorithms, and design of pseudo random number generators can all "feed" on the diversity of environmental samples.

Confirm: Try to get an exact duplicate digital sound sample on two different systems. Add in the most variable components of date and time stamps, and possibly some GPS data, and you'll have what you cannot regenerate during any other sampling session.

Enjoy the challenge to make something better for a specific cryptography niche.
Posted by RememberEZ (45 comments )
Re: MYPW.COM Easy Crypto
Hey, it took me about 30 mins but I got MyPW to work.

Looks like they might have something going on here.

I can use the same token at multiple sites.

http://www.mypw.com
Posted by sfrank212 (12 comments )
WOT
There's a commercial (thawte) provider that gives away
personal e-mail certificates, and has an extensive worldwide
network of notaries that will help authenticate them.

Here's the web address:
http://www.thawte.com/secure-email/personal-email-certificates/index.html

I'm running a WOT users group in New Jersey (USA):
http://thawte-notary.blogspot.com/
Posted by rbannon (96 comments )
Commercial Grade For Free . . .
There's a commercial (thawte) provider that gives away
personal e-mail certificates, and has an extensive worldwide
network of notaries that will help authenticate them.

Here's the web address:
http://www.thawte.com/secure-email/personal-email-certificates/index.html

I'm running a WOT users group in New Jersey (USA):
http://thawte-notary.blogspot.com/
Posted by rbannon (96 comments )
Look at Our Information Security System ...
This multi-user system (Crypto Composer) and its companion (Crypto Distributor) are upgraded. Current version (and above) features multi-lingual support. They are parts of a crypto-system based on established asymmetric public key and symmetric key crypto-algorithms (such as RSA and AES). It is the first embodiment of our next generation soft token based declarative cryptographic key, access right and digital source distribution and management technology.

It can be used as a file/message encryptor/decryptor on local computer and in passing through the internet. It allows the public key authentication of the sender of secured data and intended list of receivers so that a user can build his/her own dynamic virtual private network (VPN) over the public internet easily and automate it using our more advanced products and services.

It contains a personal crypto-gateway server and a (audio) media streaming server that provide modern cryptographic strength protection of a user's identity, privacy, (social) relationship, and rights on the internet.

About CryptoGateway Software Inc.

CryptoGateway do development and research to provide key technologies and systems to handle the ever growing data flow and connections on the internet. Our information architecture is user oriented, context driven, and evolutionary.

The declarative security system of CryptoGateway is a breakthrough in distributed key/certificate exchange and secured global digital ID management technology that is unparalleled by the existing ones. It solves some known problems and eases other hardships in security policy and solution deployment, fine grain and private entity to entity identification that is stateful, remote access control, information security enforcement, and digital right and content management and distribution. The technologies are geared towards making it possible for the systems that are based on them to form independent logic layers above the hardware and software environments that those systems reside.
Posted by CryptoGateway (2 comments )
By the way ..
Our website is www.cryptogateway.com.
Posted by CryptoGateway (2 comments )