20 October 2000

Cyber ciphers unchained

Is the expiry of the benchmark RSA encryption patent an Internet watershed?

By Karlin Lillington

At a large security software conference held recently in Florida, United States, the most popular T-shirt among the 1,000 delegates was the one you could get for free from the exhibition stand for a company called RSA Security. On the front of the black shirt was printed the RSA algorithm, the formula used to encode information in nearly all security software. Under the equation, the shirt read: “It’s just an algorithm.” Except it really isn’t, and never has been; and the shirt’s popularity was a wry acknowledgement of this. For 17 years, the RSA algorithm has been the industry standard for so-called public key cryptography – a system whereby a person can encode and decode e-mails or other digital information by using special mathematical keys. One is a public key unique to an individual that anyone can use to encode and send that person information, and one is a secret, private key, affiliated with the public key, which lets the individual alone decode it. Because RSA held the licence for the patented algorithm for its full US run of 17 years, many industry figures argue that RSA effectively controlled – and limited – the development of the security software industry.
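The key split described above, worked through as an added example (not from the article): textbook RSA on two tiny constructed primes, with the public key encrypting and verifying and the private key decrypting and signing. The toy modulus is deliberately factorable so the last function can show that the private key is only as safe as the modulus is hard to factor.

```python
"""Textbook RSA round-trip on tiny constructed primes (61 and 53).
Unpadded, toy-sized: for illustration of the public/private split only."""
from math import gcd


def rsa_keygen(p: int, q: int, e: int = 17):
    """Build (public, private) keys from two primes and a public exponent e."""
    n = p * q                        # modulus, shared by both keys
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # private exponent: e*d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Anyone holding the public key can encode an integer message m < n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be a non-negative integer below n")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the private exponent recovers m from the ciphertext c."""
    n, d = private_key
    return pow(c, d, n)


def sign(private_key, m: int) -> int:
    """Signing uses the private key; the same trapdoor run the other way."""
    n, d = private_key
    return pow(m, d, n)


def verify(public_key, m: int, s: int) -> bool:
    """Anyone can check a signature with the public key."""
    n, e = public_key
    return pow(s, e, n) == m


def recover_private_key(public_key):
    """Trial-division factoring of n, feasible only because n is tiny.
    Shows why real keys need a modulus far beyond any factoring effort."""
    n, e = public_key
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            q = n // p
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    return None
```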

When the patent expired on September 6 (it was due to end on the 20th but RSA unexpectedly released it earlier), many senior industry figures were quick to issue biting comments. “Over the past two decades the RSA patent and other public key patents did more to suppress the deployment of public key cryptography than the NSA [the US National Security Agency],” said Phil Zimmermann, inventor of personal cryptography product Pretty Good Privacy, in a statement. “As long as this patent was in effect, anyone who used it was a sharecropper on someone else’s land. Now at last we can implement our own code.”

Among the loudest critics of RSA was the security software company holding last week’s conference, an Irish firm, Baltimore Technologies. Baltimore, which had only six employees in 1996, has stormed the security technologies market through a series of adept mergers and acquisitions – starting with British firm Zergo in 1998. To the surprise of most US analysts, Baltimore has now stepped into the number three spot in the tough US market behind Verisign and Entrust and, with about 30% of the US market, is snapping at its two big rivals’ heels. Baltimore claims that the way in which the patent was enforced hobbled the growth of the security industry and the adoption of public key cryptography, which has in turn shackled the growth of electronic commerce. “I think patent bodies need to be a lot more careful” in deciding when to issue patents, Fran Rooney, Baltimore’s CEO, said in a keynote speech that took several swipes at RSA.

According to Baltimore, RSA’s high licence fees for the rights to use the patent, its system of charging companies additional royalties for products sold, and its policy of forbidding non-US companies to sell any algorithm-based products into the US market made it costly for even large competitors to enter the security software industry. Rooney claimed that at one stage the restrictions threatened his business. While he believed companies deserved patents for unique technologies and should be able to charge “reasonable” fees for their use, “no one should be able to put any restrictions on people being innovative”. One conference attendee who had headed a security division for a large European competitor had no doubt that RSA’s licensing restrictions had been formidable for most non-US companies. His company had found the payments punishing, especially the additional royalty charge.

Despite widespread grumbling among industry insiders, the patent’s expiry has drawn little attention, and most delegates in Orlando appeared uninterested. “There are other challenges,” said one. The RSA employees staffing the stand shrugged off Rooney’s speech. RSA Security is more interested in remaking itself as a security technologies company that can offer not just an algorithm, but “the total solution”.

Certainly, the whole sector faces enormous challenges in making public key infrastructure (PKI) – a global system to support the use of public key cryptography – a reality. Most industry analysts agree that PKI will be the main system in the future, but a bickering industry, with different factions trying to create and own standards, has not advanced the cause. Speakers throughout the conference highlighted problems. A lack of hardware and software standards has limited the development of e-commerce over mobile phones and handheld devices. Interoperability is a huge issue. Smart cards, which seem to be gaining ground as a complementary technology for PKI, are little used in the US, and hardware manufacturers aren’t adding card readers to PCs and other devices. Many PKI programs are difficult to use. And the security industry has done little to inform either businesses or the public about PKI and its uses. Still, everything indicates that the Net – probably delivered over mobiles or small devices – will be the central medium for transactions in the future, so the security software industry has everything to play for.