Free crypto plan could hurt RSA

In a move that could undermine an old rival, Cylink (CYLK) is licensing its security technology free to Phaos Technology for incorporation into Phaos's Java-based security toolkit.

Cylink's nonexclusive pact lets security-software start-up Phaos build Cylink's digital signature and key exchange technology directly into its SSLava toolkit, which developers use to build applications under the Secure Socket Layer (SSL) protocol for secure communications over the Internet.

But the loser in the deal could be crypto firm RSA Data Security, which sells its widely used encryption algorithm for SSL and other security applications. Although Cylink insists it's not competing with RSA, its strategy could cut into RSA's market.

"Cylink was never in the business of making money on the Diffie-Hellman patent [the algorithm it licensed to Phaos]," said Mathew Kovar, an analyst with Yankee Group. "But it's potentially a revenue source for RSA that's no longer there."

RSA and Cylink had been locked in a years-long legal dispute over patents, but in January Cylink's new management team settled the dispute with RSA out of court in a cross-licensing agreement.

But the impact of Cylink's move will be short-lived because the Diffie-Hellman patent expires next month, and a related patent, Hellman-Merkle, expires soon after. Cylink is the commercial licensing agent for Stanford University, where the patents were researched.

Phaos's security SSL toolkit is written in Java, making it appeal to Phaos customers like AT&T and Cisco because it works on different operating systems.

For Phaos customers, the Cylink pact means they can create SSL applications using Diffie-Hellman simply by using SSLava. If they want to use RSA's algorithm, they must license it separately from RSA.

"There is wider acceptance of the RSA key than of Diffie-Hellman, but Diffie-Hellman is still a valid security key," said analyst Kovar.

Because the patent is expiring, Cylink is promoting Diffie-Hellman as an open standard through the American National Standards Institute, or ANSI.

Cylink's director of marketing, Andrew Morbitzer, noted that RSA could be threatened over the long term by elliptic curve cryptography, another encryption algorithm. "Diffie-Hellman public key management lends itself to elliptic curve cryptography," he noted. CertiCom is the chief marketer of elliptic curve cryptography.