INTERVIEW: Arthur W. Coviello Jr., RSA's cipher chief

Our roots are in strong user authentication by at least two factors. We generally use something you know, such as a personal identification number, and something you physically possess, such as a token or a cell phone. The combination of two factors together is much stronger than a static password.We're one of the few start-ups from the early 1990s that's still around and prospering. We said we would add value to the security hierarchy in four ways.First, identify and authenticate the person you are doing business with or whoever is trying to access your computer resources.Next, define the privileges that user has once he's gained access. Third, ensure that the information remains private and confidential as it flows across the network. And finally, have a record that is nonrepudiable.You'll notice I didn't say anything about firewalls, antivirus software, intrusion monitoring or detection. Those are other elements in the overall security market. What I described is authenticity. It's not about defense, not about keeping people out. It's about letting the people in that deserve to be in, securely. Yes.Most corporations would be envious of some government agencies, particularly Defense and intelligence. Many civilian agencies would envy the commercial environment.The government is realizing that the issue is too big to supply its technology for itself. The security industry has grown up to a point now where the government can take more off-the-shelf products. The government has been good at defining the standards and requirements for security that the industry engineers into products. I think the change is in the sense of urgency. I haven't seen all the funding that I would like. Security was important before and is ultra-important now. It's time to stop studying and start implementing. I don't think so. Unfortunately, just as with the airline industry, where threats were real before Sept. 11, the same cyberspace threats were there before. What's changed is the attitude about addressing them and the recognition that bad things can happen. One, disaster recovery. If something gets knocked out, how do you get it back online? That's the belt-and-suspenders application that people recognize they need.Second, assessment of vulnerabilities and intrusion monitoring. Once you've deduced where your vulnerabilities are, that tends to generate policies to mitigate or eliminate them. And that leads to defensive things'keeping antivirus software up to date, using virtual private networks, having a firewall that's implemented correctly.So how do you keep the bad guys out? That's where authenticity comes into play. You could have a firewall that is set up properly and a virtual private network for the administrator, but if the authentication is just a static password, almost anyone could crack it in a matter of hours. And then a terrorist would have a beautiful encrypted pipe through a firewall, because you hadn't properly authenticated at the front end.Decide what could happen to your mission if there were an attack. And then bring maximum force to bear in the areas where you have major vulnerabilities, where you cannot afford to be compromised. Work it backwards. I don't think people have understood what PKI is capable of doing. It can give you a digital identity, it can set up an encrypted session and it can give you nonrepudiation, so that no one can deny after the fact that something has taken place.But if you access a digital credential on a desktop PC or server through a static password, then you have the same vulnerability as a static password would have in the first place. That was an early mistake people made.The federal government is actively promoting smart cards. The Defense Department's Common Access card lets you protect your digital identity on a card that has encryption built in. By the way, that encryption comes from RSA.A smart card requires a reader. How many government computers come with smart-card readers built in? Virtually none. So we're missing a reader infrastructure. Next we have to get all of the infrastructure deployed. The smart cards have to be personalized. How do you get the digital credentials downloaded to the smart card, how do you get it issued?The Veterans Affairs Department has a good-sized implementation; DOD also. If it's just something like time-synchronous tokens, which give you very strong authentication, you could roll out thousands in a matter of days.If you want to have software that defines privileges, there is a lot of scoping-out work for individual users, and that could take weeks or longer. It's likely to require some professional services.Because it's the most complex, because it can get into the very fabric of individual applications, a public-key infrastructure could'but doesn't have to'take months.Any Web application can understand a digital certificate that is presented to it, because every Web server has keys that recognize credentials from a public-key infrastructure. The problem is that client-server applications and mainframe applications cannot distinguish a digital certificate from the rear end of a truck.So if you're trying to roll out PKI to a client-server application, you might need a Web front end or you might need some kind of custom agent.That's a truth-in-advertising thing that I don't think a lot of PKI vendors explain. We're into strong user authentication, however it's accomplished, but there are limitations based on the current technology for biometrics.First and foremost, it's still fairly costly. Second, there are still too many false positives and false negatives in reading and scanning. And third, and perhaps most problematic, is that there are security issues about storing the biometric information itself.For example, say I can get a copy of the digital representation of your thumbprint or your retina or perhaps your voice. If it's compromised once, it's compromised forever.You could give yourself a new digital identity, but you can't give yourself a new thumb. So the protection of that biometric information, once it's been digitized, is critically important.We produce the software that manages digital credentials. We do and will produce the software that manages and protects biometric information, so we have no particular ax to grind about any particular technology.