Encryption one element in security picture

Anyone in business who does not know what PKI means, and has any interest in keeping the contents of computer files and emails a private matter, is about to learn all about that three-letter acronym in 1999.

That, at any rate, would seem to be the case judging by the buzz at the RSA Data Security Conference in San Jose last week, at which specialists in encryption - the mathematical encoding of data - met to discuss politics, new technologies, new products, and what the hackers are up to. The event, which attracts everyone from FBI and CIA operatives to longhaired mathematics geeks, hackers and middle managers trying to keep up with it all, has evolved from a small San Francisco geek-fest to a fully-fledged exhibition and conference in San Jose.

PKI, or public-key infrastructure, is the method of the moment for securing that data. Public-key encryption is a technology which uses complex mathematical "keys" to encode and decode data, making it nearly impossible to decode information kept in computers or sent over the Internet. PKI is the term for the overall network of public-key technology products, users, and certification authorities, which will verify the identity of encryption users.

The RSA conference's spectacular growth this past year - numbers rose from 3,000 in 1998 to just more than 5,000 last week - attests to the growing demand for encryption technologies, not from secret agents and the military complex but from ordinary, everyday computer users and in particular, the corporate world. As more individuals and companies send data across the Net's insecure lines, they want that information protected.

"We've said that public-key cryptography is a solution in search of a problem, and e-commerce is that problem," said Mr Jim Bidzos, the president of RSA, the company which sponsors the conference and holds the rights to some of the main algorithms used for encryption.

For years, the US government in particular, joined by allies such as France and Britain, had vociferously argued for restrictions on the use of so-called "strong" encryption, programs which use larger keys and are therefore far harder to crack.

In some cases (as in France), governments have refused to let their own citizens use the products; in others (US), strong encryption is available to anyone within the country (although the government would still like some way of ensuring it can gain access to a user's keys if it feels this is necessary). However, it cannot be used, except in carefully defined situations, to encode information sent outside US borders.

Governments argue criminals and terrorists will elude them if strong encryption is generally available, without controls. Encryption advocates retort that criminals have always been caught using other methods and that encryption is now a free speech, privacy and business issue.

The Republic, along with many other states around the globe, has chosen to make the use of strong encryption products a right (although important elements, such as whether a third party like the Garda should be given a way of accessing a user's encryption keys, have not been clarified).

Legislation is currently being drafted. Until now, the increasingly acrimonious encryption debate has been a bit of technological esoterica ignored by most computer users. But, with the advent of the Internet, commercial pressures may resolve the politically-loaded question of who is allowed to encrypt information, and how invincible the programs used for this purpose can be.

Business pressure clearly succeeds where privacy rights organisations have made little headway. Although they have managed to keep the issue alive and explain its complexities, it is the concerns of business, expressed through newer groups like the right-wing, Republican-supported Americans for Computer Privacy which are needling the US government.

And as news came in that France would allow its citizens to use "strong" encryption products, in a sudden turnaround announced last week by French Prime Minister Mr Lionel Jospin, many RSA delegates attributed the change to the lure of e-commerce revenue.

But as some session presenters pointed out, encryption is really only one element of the overall systems security picture. "Strong encryption is often like steel doors on a grass hut," argued Mr David Safford, of IBM's global security analysis lab. He said he wasn't aware of a single instance in which hackers had broken into a system by cracking strong encryption defences.

Instead, most hackers utilise weaknesses in computer system structure or in applications. "The idea that crypto is the solution to the problem is terribly misguided," noted Mr Peter Neumann, author of Computer-Related Risks and moderator of the popular Risks Forum Internet discussion list. "In a system that's not reliable, that's not robust, cryptography is essentially useless."

Encryption experts also argued all week long that US government-approved encryption now may be useless anyway. For years, it has designated an IBM-developed algorithm known as DES, or data encryption standard, to be the allowable format for non-classified information. Critics have long suspected the US secretly weakened DES to enable surveillance teams to crack messages easily.

To underline the weakness of DES, RSA has sponsored contests with cash prizes for people who can successfully crack a message they have encoded using the standard. Dramatically, the latest contest, launched during the conference, lasted less than one day when a team composed of privacy advocates, the Electronic Frontier Foundation and a group called Distributed.net broke the code in under 23 hours.

The search is now under way this year for a tougher new algorithm, which will be called AES, the advanced encryption standard. Once that is determined, expect to see it incorporated into the next generation of PKI products.

Karlin Lillington

Karlin Lillington, a contributor to The Irish Times, writes about technology