SAN MATEO (01/31/2000) - One of those poignant moments amid the sound and fury of the RSA 2000 conference (www.rsasecurity.com), held Jan. 16-20 in the heart of Silicon Valley, was a brief interlude on the steps outside of the convention center. We had stopped to talk with a high-ranking member of the IT security division at a large company and asked his impression of the show.
"Evolutionary, but nothing revolutionary," was his somewhat tired reply.
In spite of his view, however, signs of change and innovation were afoot on the conference floor if you looked hard enough. Whether this portends a revolution in security technologies during the coming year, we'll let you judge for yourself. Here are the signs as we saw them.
The first sign occurred before the conference had really gotten under way. On Monday, Jan. 17, Baltimore Technologies Inc. announced that it had signed an agreement to acquire GTE Cybertrust. (See www.baltimore.com/news/press.) The wave of consolidations in the PKI (public key infrastructure) space is just getting rolling. A mere 20-plus days before, Internet "trust services" vendor VeriSign acquired another certificate authority, Thawte Consulting, thus locking up the majority of the browser-based certificate market (www.verisign.com/press).
What does this mean for the growing market acceptance of digital certificates as the backbone of secure e-commerce? Well, it's clear the technology has emerged from the garage to serious financial backing with the Thawte acquisition, but how long will the boom in browser and Web server certificates last in the absence of compelling trust models? After all, it's all about trust, right? Check out www.counterpane.com/pki-risks.html for a hearty dose of vendor-neutral reality on the topic of PKI, and tell us whether this merger activity has changed your plans for integrating PKI into your e-commerce plans.
Another poignant moment during our tour of the show was a brief stop at the booths of Certicom (www.certicom.com) and Cylink (www.cylink.com). As most security geeks are aware, the fundamental security of cryptographic algorithms is based on the difficulty of doing two types of math problems: factoring large prime numbers (used by the RSA family of algorithms), and calculating discrete logarithms (the foundation for a competing set of algorithms, the newest of which is termed the Elliptic Curve Cryptosystem, or ECC).
For those with the inclination (such as the folks at Certicom and Cylink who evangelized us on the subject), factoring large primes is trivial mathematics, whereas the problem proposed by elliptic curve is not currently considered so.
Does the relative complexity and newness of ECC make it more secure than the simplicity of RSA, which has been thoroughly examined over the years?
Furthermore, proponents of ECC say that its lighter resource requirements will make it the cryptosystem of choice for handheld devices such as mobile phones, but we think technological advances will probably make this a nonissue in the next two years. Is the fundamental landscape of cryptography shifting, or is this just more evolutionary change?
Of course, no discussion of RSA would be complete without mention of hot products and technologies on display at the show. We were enticed by network management tool vendor Clicknet's (www.clicknet.com) new identity as a host security software purveyor; its recently announced intrusion-prevention offering, entercept, proves it. The product wraps the Windows NT or Solaris kernel and filters all calls based on a database of known attacks, including buffer overflow, privilege escalation, remote compromise, and other bad things.
By placing a watchdog in the kernel, nothing can escape its watchful eyes.
Another interesting technology was on display at Perfecto Technologies' booth (www.perfectotech.com). Its AppShield product "adaptively reduces" a Web page to its most basic components, and prevents client posts that try to circumvent the basic logic of the page, as many Web hacking techniques attempt. Perfecto is still working on dealing with Java embedded-within pages, but they do a remarkable job of ensuring that the business logic of a Web application is followed securely. Keep your eyes on this one.
Last but not least, you can always tell what's really shaking in security at the parties after the show. IBM has traditionally been the cat's meow at RSA, throwing a formal-attire Cryptographer's gala where the big players gather to rub elbows. This year, however, upstart @Stake may have trumped the Crypto gala with its soiree at the San Jose Museum of Art, where many security bigwigs were spotted in their formal attire wearing sheepish looks. @Stake may just set the world on its ear with its "pure security services play."
Did we miss any signs while on the road in San Jose? Let us know at firstname.lastname@example.org.
Stuart McClure is an independent security consultant at Rampart Security Group.
Joel Scambray is a consultant at Ernst & Young. They have encountered numerous technologies during their 10 years in information security. They recently wrote the security book Hacking Exposed (Osborne McGraw-Hill).