2001: An Encryption Odyssey? / Follow-up: Who's Watching Who?

Windows 2000 (Win2K) is ready to go. The new OS, which Microsoft released to manufacturing (RTM) in December, will soon be in the hands of early adopters across the globe and will undoubtedly be the center of attention for some time. The only other event in 2000 that will have as much of an effect on computing is the simple expiration of a patent.

In September of this year, the patent on RSA encryption technology expires. Developers Rivest, Shamir, and Adleman created RSA in the 70s, and the technology has become one of the most widely used algorithms on the planet. You'll find RSA technology in such popular products as Pretty Good Privacy (PGP). Why will the patent expiration have such a big effect on computing? Money.

In the past, developers paid hefty license fees to use RSA technology. When the RSA patent expires this September, developers will have free and unrestricted access to RSA encryption algorithms. No more hefty license fees and strict licensing guidelines. In a nutshell, the patent expiration means that we'll see new products that use strong encryption, and we'll see current products that now use lesser encryption technology begin to use the stronger RSA technology. You'll enjoy stronger VPNs, safer mail clients, more secure disk drives, and more.

The September patent expiration leaves 3 months before the end of the year for developers to use the newly available technology. Because of the timing, little will happen regarding new RSA developments in 2000. Instead, I think we'll see most of the new activity in encryption occurring in 2001. By the summer of 2001, not only will RSA technology be available for free, but other encryption technologies will also have come to fruition—namely CIPHERUNICORN and the Advanced Encryption Standard (AES). Where today the cornerstone of network security seems to be sophisticated session authentication and various forms of obscurity, tomorrow the cornerstone will be super strong encryption. The future is clear and the future is encryption galore.

Follow-up: Who's Watching Who?
In my editorial last week, I talked about the danger of conducting purchases online using credit cards. Several readers wrote to disagree with my stance or to inform me of protection systems that credit card companies use specifically for making online purchases. For example, according to one reader, some companies now offer special credit cards designed specifically to protect the holder from Internet-based fraud by minimizing a buyer's liability.

Of those readers who disagreed with my stance, most accused me of practicing and spreading unwarranted paranoia. Readers sent me numerous everyday examples that compare online buying to other forms of credit card purchases, such as buying a meal at a restaurant or paying for new sneakers at a local shoe store. The assertion was that these types of retail credit card purchases are no different than online purchases because we must still hand over our card number to a stranger. For the most part, I agree, but differences do exist that make buying online more of a risk.

The differences between buying online and buying in your neighborhood are distinct, and they all boil down to trust—either we trust a vendor or we don't. When you physically visit a store, you get a first-hand view of that establishment and its personnel. You develop an overall impression of the business and its employees, with whom you must trust your credit card information. With the Internet, you lose that advantage. You can't inspect a business on the Internet, so the vendor-customer experience is limited to flashy graphics and extensive catalogs. If you’re lucky, you might be able to talk to someone at the company on the phone. The bottom line is that anybody with a computer and HTML editor can put an alleged business online, complete with credit card acceptance, so the risk of placing trust in online merchants is higher than when making a physical purchase.

Even if the online vendor is reputable, how do we know the vendor is handling our information securely? To trust a business and its employees is one thing, but to trust its computer network is entirely different. When we buy at a physical business location, that business probably does not enter our credit card information into computer systems that connect to open public networks such as the Internet. But when you buy online, that's not the case. You voluntarily deliver your credit card information over a publicly available network to a publicly available computer system. So the question quickly becomes, "Is that system secure?"

The point of my editorial last week was to raise the question of who is watching all these allegedly secure online merchants to ensure they are, in fact, secure? By what standard do we weigh the claim of secure e-commerce? The answer is that, to date, no standard gauge is in widespread use, so the risk of buying online remains high. Until next time, have a great week.

TAGS: Security