Some background info for you. BTW: There is a great book on encryption and cryptography called "Applied Cryptography" if you are interested in this topic.
There are two encryption technologies that are widely discussed and used: the Data Encryption Standard (DES) and Rivest-Shamir-Adleman (RSA).
DES is a private key encryption technique. This means that the sender and receiver share a private secret key. If this key is compromised, all transmissions are compromised.
RSA is a public key encryption technique. Each person has two keys: one that is publicly known and one that is privately known. This provides the ability for someone to exchange messages with another person without sharing that person's secret key. Most of the interesting work being done with encryption is being done with public-key algorithms (RSA and other ones).
In the US, RSA Technologies holds the patent for the RSA algorithm. In Europe, encryption algorithms cannot be patented and RSA can be implemented without royalties. The RSA patent has been licensed by a large number of companies: HP, IBM, DEC, Apple, Microsoft, etc. These companies use RSA in different products. However, there has been limited success in enterprise / Internet-wide use.
With the Web and Internet taking off, electronic commerce is being discussed. However, there still needs to be an infrastructure developed to facilitate electronic transactions.
One problem is the management and authentication of the public keys. In brief, if you want to send me a message securely, you need my public key. However, how do you get my public key and how do you know it is valid? Some commercial companies are looking into providing this service and there have been rumblings that the U.S. Postal Service may also try and join the act.
The second problem is what (I believe) SKB is trying to solve. How do you encrypt the message? Since my private key is known only to me, I do not want to enter it in any computer system since a rogue program could save it to disk, pick it out of memory, etc... By having a hardware token that interfaces with the computer, encryption can be done securely on the card. My card has all the information that is needed.
The big risk here is the lack of interface standards at the hardware level. As far as I know, there is no agreement on what a hardware token would do and how it interfaces with other computers. The other components for electronic commerce aren't an issue. RSA is well understood and widely implemented. The concept of certification authorities and certificate management is also well understood. Once the hardware to human interface issues are worked out, it is likely that progress will occur rapidly.