Seth Meltzer | Researching the future

The Internal Revenue Service has a research and development arm? That's a question Seth Meltzer, a researcher at the IRS Research Division, based in Washington, hears a lot. The agency is interested in matters of identity and authentication, two topics that the division has investigated in depth. Meltzer has developed an expertise in these topics.He's written a book on cryptography, 'Cryptography Decrypted,' now available for free on his Web site, www.hxmel.com. The Research Division has almost 100 economists and statisticians who look for ways to make the IRS function more efficiently.A few of us have advanced training in computer science and look at how state-of-the-art computer technologies can benefit the IRS. I'm working on the Taxpayer Burden project, which seeks to identify and reduce the hassle the American public has in filing a tax form ' check writing not included. More than 20 years ago, an IRS senior executive had a vision to staff the IRS with highly trained computer system developers who also had specialized training in an area beneficial to the IRS. I was hired because I have graduate degrees in economics and actuarial science; others had accounting, statistics, management or other financial backgrounds. I mostly look at state-of-the-art programming languages and techniques. Recently, I've been looking at programming multicore computers ' concurrent programming ' and Java generics.In my opinion, multicore computers, like Intel's dual- or quad-core chips, present the next big challenge to system developers. A program run alone will not run faster on a multicore computer if it is not retooled to take advantage of the multicore capabilities. Though some buy multicore machines to improve performance, most performance gains are the result of running two or more programs at the same time.Java generic programming enables stronger error-checking capabilities. Generic programming emanates from the desire to have the compiler identify and flag errors before the program is run. It's complicated ' some say too complicated ' but it's better to find as many errors as possible before program run.Being in research, I usually am working ahead of the curve, technologically. For instance, I was an early deployer of programs written in C++ and Java. In 1999, I led the development and deployment of a client-server system protected by cryptographic methods and keys. Two years ago, I led a team that analyzed designed, retooled and deployed a multithreaded system that takes advantage of multicore capabilities. A fun story. A little more than 10 years ago I was asked to design, build and deploy a program on a small network of IRS computers that could securely share data. Back then, I certainly didn't know how cryptography worked. So, with a senior executive at my shoulder, I typed what I thought was 'cryptography' into a search engine. Unfortunately I misspelled cryptography, and the executive sighed. Although it's a fun story now, I wasn't smiling at that time. I needed to learn fundamentals of cryptography ' and how to spell it.The result of my need to teach myself the fundamentals of cryptography turned me into a published author. ['Cryptography Decrypted' has been in print for seven years.] Since I don't work in IRS Information Systems, I can't comment on their operations. But here's my take on authentication and privacy.Before telecommunications, the authentication problem was easily solved by our senses: We knew who we were talking to because we recognized their faces, voices, etc. Privacy could be ensured by correctly positioning respective mouths and ears.Cryptography and other mechanisms that enable private communication have been around for thousands of years. One macabre story is about messengers whose heads were shaved, messages tattooed onto their scalp and after hair covered the tattoo, sent to deliver the message. After delivery, the only way to ensure no one else would read the message [was] to dispose of his head: Kill the messenger.Fortunately, today we have the Internet for communications instead of such delivery systems. Since the Internet needs lightning-fast secure communication, top-of-the-line mathematicians and computer scientists have, to my satisfaction, solved the technical aspects of Internet authentication and privacy. But, like the gruesome story I just told, administration is a killer. Specifically, managing the distribution of and revocation of keys can be very cumbersome. Research wanted to study authenticated secure pipes. An ASP ensures users that their Internet conversations are with whom they thought ' that the other parties are authenticated ' and that those conversations are private.Assuring another's identity is accomplished with one or more of the following: physical identification, a common shared secret or a physical token. These are respectively referred to as who you are, what you know and what you have. With respect to computers, these can be implemented with biometrics (who you are), cryptographic keys (what you know) and smart cards (what you have).In 2002, we decided to focus on smart cards. I arranged with Carnegie-Mellon University to let me train some graduate students in these technologies, and together with help from a brilliant developer we built a deployable system. My CMU experience made me realize how fruitful collaboration could be when you combine government/corporate expertise and projects with motivated graduate students. We even got help from a famous three-letter federal agency that does know how to spell cryptography. We were very excited; the smart-card system was built so it could transparently replace the cryptographic-key system I helped build in Research in 1999, replacing last-century technology in an innovative and cost-effective way. That's a tough question. Smart cards are widely used in other European and Asian countries to authenticate large and small purchases. Although the Defense Department has issued millions of smart cards to their personnel, smart cards are seldom used in the USA's dot-gov or dot-com sectors. The smart cards I've seen as government ID cards are not used, and other efforts in the commercial sector have also failed.Many believe there's no reason to use a smart card as long as credit card companies are willing to pick up the losses from fraudulent use. Perhaps a huge scam will tilt the board in the smart-card direction.Some big computer manufacturers felt that way a year or two ago when they sold keyboards with smart-card readers built in. Many notebooks have them as well. Nevertheless, I don't see widespread use of smart cards in the next three years; there's too much inertia.