ad info

CNN.com
 MAIN PAGE
 WORLD
 ASIANOW
 U.S.
 LOCAL
 POLITICS
 WEATHER
 BUSINESS
 SPORTS
 TECHNOLOGY
   computing
   personal technology
   space
 NATURE
 ENTERTAINMENT
 BOOKS
 TRAVEL
 FOOD
 HEALTH
 STYLE
 IN-DEPTH

 custom news
 Headline News brief
 daily almanac
 CNN networks
 CNN programs
 on-air transcripts
 news quiz

  CNN WEB SITES:
CNN Websites
 TIME INC. SITES:
 MORE SERVICES:
 video on demand
 video archive
 audio on demand
 news email services
 free email accounts
 desktop headlines
 pointcast
 pagenet

 DISCUSSION:
 message boards
 chat
 feedback

 SITE GUIDES:
 help
 contents
 search

 FASTER ACCESS:
 europe
 japan

 WEB SERVICES:
Computing

Crypto battle gets ugly

October 12, 1998
Web posted at: 1:15 PM EDT

by Ellen Messmer

From...


(IDG) -- REDWOOD SHORES, California -- Under the probing eyes of security experts, encryption products undergo the kind of intense peer-review scrutiny seldom seen anywhere else in the information-technology industry.

But sometimes vendors refuse to reveal as much as security experts would like. Then tensions flare into bitter argument, such as the ugly battle breaking out this week between TriStrata Security here and Minneapolis-based cryptography expert Bruce Schneier.

Schneier, who has made headlines as the security guru who exposed security flaws in everything from cell phones to Microsoft encryption software, is now accusing TriStrata of presenting false information about its flagship product, the TriStrata Enterprise Security Server (TESS). TriStrata is firing back that Schneier is just out for revenge because TriStrata won't let him do a technical review of the product -- something for which Schneier wants to charge a fee.

MORE COMPUTING INTELLIGENCE
  IDG.net home page
  Network World Fusion home page
 Free registration required to access Network World
  Free Network World Fusion newsletters
  Get Media Grok and The Industry Standard Intelligencer delivered for free
 Reviews & in-depth info at IDG.net
    IDG.net's bridges & routers page
  IDG.net's hubs & switches page
    IDG.net's network operating systems page
  IDG.net's network management software page
  IDG.net's personal news page
  Questions about computers? Let IDG.net's editors help you
  Search IDG.net in 12 languages
  Subscribe to IDG.net's free daily newsletter for network experts
 News Radio
  Fusion audio primers
  Computerworld Minute
   

TriStrata's vice president of business development Bill Atalla refused to respond directly to the accusations made in Schneier's scathing critique of TESS published today on the Web. In it, Schneier argues that TESS does not even work with the technology TriStrata says it does -- something called "one-time pad" -- and that TriStrata is basically lying about its security architecture. In fact, Schneier's report claims it's a practical impossibility to achieve the kind of "unbreakable" encryption TriStrata claims to have in its enterprise server that manages an entire organization's security policy.

"It's his speculation based on what little he has seen," counters Atalla about the devastating report, adding TriStrata only allows prospective customers, mostly the Fortune 500, to get a close look (under non-disclosure) at the high-ticket TESS, which can cost in the million-dollar range.

"Our technology is revolutionary, we have patents pending," explained Atalla. "We reveal details on a need-to-know basis with these companies."

TriStrata did have University of London crypto expert Dr. Fred Piper review TESS in a positive light, but the company is not making that report available yet.

Schneier says TESS, a central server that requires the user to log on to get permission to encrypt and decrypt files, is impractical to use in the real world anyway because if the user can't get to a network to reach the server, he can't even decrypt his own stored files. He said it's also unclear how two different TESS servers would manage secure information exchange between users registered to two diffeent systems for electronic commerce.

TriStrata acknowledged that remote-access does present a limitation, and that the company is working on a second version of TESS for better remote management. But officials declined to address any other specifics raised in Schneier's report.

According to Schneier, if TESS did use a "one-time pad," an older technology used to secure the U.S.-Soviet hotline TTY devices in the Cold War days, it might indeed be theoretically unbreakable. But he claims it's impossible to make this work in a modern computer environment because you'd had to create a unique one-time encryption key 1 MB long for a 1M-byte file and get that key securely to the file's recipient each time.

Schneier, basing his judgement on some of TriStrata's documentation -- and that mysterious crypto grapevine where all secrets are ultimately shared -- believes TESS actually uses a "pseudo one-time pad," also known as a one-time stream cipher.

According to Schneier, that means TESS relies on an private encryption algorithm that TriStrata is refusing to acknowledge or publish for review for crypto experts who will scrutinize its mathematical strength to determine if it's breakable or not.

It's very hard to create an algorithm that no one else can break, said Schneier in his report. "And the only way to prove that is to subject the algorithm to years of analysis by the best cryptographers around."

He added the commercial world typically relies on the public review process to evaluate the security of systems, and protocols like SSL, IPSec and PKIX undergo this scrutiny as public standards.

About TriStrata's TESS, Schenier says, "TriStrata has chosen to ignore all public standards in favor of their own proprietary technology, while at the same time refusing to make technical details of the technology public. In order to use their system, the purchaser must trust their cryptographers are better than the collective wisdom of the world's academic cryptographers, that their protocol designers are better than everyone who has worked on the open Internet protocols over the last few years, that their implementors are better than everyone who has made and evalauated the public implementations of those protocols."

For its own part, TriStrata has decided to not respond to Schenier's attack. Atalla would only say, "He's good at P.R., and this is the newest thing on the block, and he's hoping to be part of this paradigm shift. But, we don't want to start a war here."

Schneier does admit he's got clients calling who want to know what TriStrata is about after reading about it in places like the Wall Street Journal, and he does want to get paid to review TESS. But in his final salvo, he adds, "In my back pocket I have a way to break the system, but I can't publish it until I know I'm right."

How the TriStrata Enterprise Security Server works

Every decryption or encryption operation requires a "permit" from the TESS.

The user contacts the TESS over the network so both sides can authenticate each other using a proprietary protocol called the Private Access Line.

TESS seals a permit to the user machine, which is used to encrypt the file or message. TESS also sends a "seal" to the user, which is only readable by the TESS. The user stores the seal with the file (if it is with the file (if it is encrypted locally)) or sends the seal, along with the encrypted message, if transmitted to another user.

To decrypt a file, the user retrieves the seal and sends the seal to the TESS along with authentication data from the PAL protocol. TESS opens the seal, and determines whether the user is allowed to decrypt this data. If so, the TESS sends a decryption permit to the user so the local machine can use it to decrypt the file or message.

Related stories:
Latest Headlines

Today on CNN

Related IDG.net stories:

Note: Pages will open in a new browser window

External sites are not
endorsed by CNN Interactive.

SEARCH CNN.com
Enter keyword(s)   go    help

  
 

Back to the top
© 2000 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.