Computer Security: Deciphering the FUD Factor

Encryption is becoming ever more important in a wide variety of information technology applications, ranging from wireless communications and e-mail to satellite TV and DVD. But consumer discomfort with the underlying convoluted and esoteric protective technologies is holding back widespread use.
by John Boyd

Thousands of pioneering cyber-consumers use the Internet daily to make online purchases as varied as books and bonsai. That number could quickly swell into the millions, if ordinary PC users and corporations were convinced that buying online was as safe as shopping in a department store. But persuading them to trust underlying protective technologies that appear convoluted and esoteric - and which are a target of bureaucratic regulations - is an uphill struggle.

At the heart of the matter, says Koji Nagatsuna, an electronic commerce analyst with the Gartner Group Japan, "is FUD: Fear, Uncertainty, and Doubt. 'Is someone reading my e-mail?' 'Can I be sure the message really came from the person whose name is on the document?' Or, 'What if the purchase order is a forgery?'" The FUD factor is strong despite - or perhaps because of - a surfeit of technologies all claiming to make electronic commerce secure: encryption, passwords, firewalls, digital signatures, Certificate Authority services, electronic watermarks, et al. So it shouldn't come as a surprise when James LaLonde, director, sales & operations, Asia Pacific, for network security company McAfee Japan, admits that "the concept [of computer security] is hard to understand; the issues involved are not well understood." And, he adds, "Customers need a lot of hand-holding."

A brief history of electronic cryptography

A look at the development of computer security's enabling technology, encryption - the art of scrambling electronic data so that it is unreadable to prying eyes - will help delineate the issue. In the early years of computer networks (and still, to some extent), governments and businesses depended on classical, secret-key encryption methods like the Data Encryption Standard (DES). With DES, sender and receiver must first agree on one shared secret key, which is then used both to encrypt and to decrypt the data. The algorithm itself is public; the security rests entirely on keeping that key secret and on getting it to the other party without anyone intercepting it along the way.

Methods like DES work well over small networks, where only a few trusted parties are given prior access to a secret key. But as networks grow, the number of keys multiplies: every pair of parties that wants a private channel needs its own key, and each of those keys has to be delivered over some channel that is already trusted. Key management becomes unwieldy, and a single leaked or intercepted key exposes every message it ever protected.

Things looked up in 1976 when Stanford professors Whitfield Diffie and Martin Hellman announced their breakthrough, public key cryptography. Their scheme circumvents the key-distribution problem of the DES method by using a matching pair of keys, one to encrypt and the other to decrypt. One key of the pair is made "public" (open to anyone), while the other is kept "private" (secret), and knowing the public key does not let anyone work out the private one. Send someone a message encrypted with their public key, and you know that only the holder of the matching private key will be able to decode it. Conversely, when you send out a message transformed with your own private key - a digital signature - those recipients who have your public key will know that only you (and no one else) could have produced it, and that it was not altered on the way. Both guarantees hold only as long as the private key really stays secret and the public key you use really belongs to the person you think it does; tying public keys to identities is the job of the Certificate Authority services mentioned above.
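The two uses of a key pair described above, worked through as an added example that is not part of the original article: textbook RSA on deliberately tiny primes, so every step is visible by hand. The function names and the prime values (61 and 53, giving n = 3233) are my own choices for illustration. Real deployments use keys of 2048 bits or more together with a padding scheme; raw RSA as written here is insecure and is shown only to make the mechanism concrete.

```python
# Added example (not from the article): textbook RSA with tiny numbers.
# Shows (1) encrypt with public key, decrypt only with private key, and
# (2) sign with private key, verify with public key. Not for real use:
# production RSA needs large keys and OAEP/PSS padding.
from math import gcd


def make_keypair(p, q, e=65537):
    """Build an RSA key pair from two primes. Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Anyone holding the public key can encrypt a message m < n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the private exponent d undoes the encryption."""
    n, d = private_key
    return pow(c, d, n)


def sign(private_key, m):
    """A signature is the private-key transform of the message."""
    n, d = private_key
    return pow(m, d, n)


def verify(public_key, m, sig):
    """Anyone with the public key can check that sig belongs to m."""
    n, e = public_key
    return pow(sig, e, n) == m


def demo():
    # 61 * 53 = 3233, phi = 3120, e = 17 gives d = 2753 (constructed values).
    public, private = make_keypair(61, 53, e=17)
    n, e = public
    m = 65
    c = encrypt(public, m)
    sig = sign(private, m)
    return {
        "n": n,
        "ciphertext": c,
        "recovered": decrypt(private, c),
        # Applying the public exponent again does NOT recover the plaintext.
        "public_key_cannot_decrypt": pow(c, e, n) != m,
        "signature_ok": verify(public, m, sig),
        # A single change to the message invalidates the signature.
        "tampered_message_ok": verify(public, m + 1, sig),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it and the ciphertext comes out as 2790, which decrypts back to 65; the same signature that verifies for 65 fails for 66. The private exponent d never leaves `make_keypair` except inside the private-key tuple, which is the whole point: whoever publishes (n, e) can receive encrypted messages and issue checkable signatures without ever sharing a secret.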

While the idea of an easy means of sending messages that no eavesdropper could read excited some, it frightened others. In the latter group stand government organizations like the US FBI, National Security Agency, and CIA (of which, more later). Among those excited were three Massachusetts Institute of Technology academics, Ron Rivest, Adi Shamir, and Leonard Adleman, inventors of the RSA Public Key Cryptosystem; they decided to make a business out of the idea, and in 1982 established RSA Data Security in Redwood City, California.

RSA caught the eye of PC users when first Lotus Development, then Netscape, chose the technology to add security to their products (Lotus Notes and Netscape Navigator, respectively). When Microsoft added RSA technology to its Windows API (application programming interface) architecture, RSA could legitimately claim it had become an industry de facto standard. The company's literature prominently quotes Microsoft's vice president of advanced technology, Nathan Myhrvold, as saying, "Microsoft, Apple, IBM, and DEC don't agree on much, but all agree RSA is the way to go."
