At 30, crypto still lacks usability, experts say

Government controls held back cryptography in the past, but today usability blocks adoption. Microsoft's Ray Ozzie promises a fix. Photos: Crypto anniversary

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
3 min read
MOUNTAIN VIEW, Calif.--Government controls held back cryptography in the past, but today, it's usability that blocks adoption, a panel of experts said Thursday.

At an event here celebrating 30 years of public key cryptography, several top minds in the field gathered for a trip down memory lane. Over the years, public key cryptography has grown from an idea in a paper published by Whitfield Diffie and Martin Hellman, both present at the event, to technology used in everyday transactions on the Web.


The U.S. government was a major obstacle in advancing cryptography until it lifted export controls in 1996, a panel of experts said. Much of the discussion Thursday evening covered that topic, with Brian Snow, a retired technical director at the National Security Agency, offering some insight into what happened at the government in the 20 years before that.

"This, for us, was a weapon," Snow said. "And this was possible free release of weapons we needed to defend the nation to other nations who could be opponents at times."

As cryptography grew out of the research stage and into actual products, companies such as RSA Security had a tough time establishing themselves. In 1986, Jim Bidzos, then chief executive of RSA, at times, felt his business wouldn't go anywhere.

"There was this big monster in Maryland that I discovered that we had to deal with," Bidzos said. "We found ourselves competing with NSA, especially in the '90s."

One of RSA's first customers was Ray Ozzie. Today, he's chief software architect at Microsoft, but back in 1986, Ozzie was looking to secure what would become Lotus Notes. Security was necessary to prevent eavesdropping on communications, as Ozzie admitted he himself had done in the past.

"I was a student systems programmer, and we used to have lots of fun looking inside of people's e-mail and private discussions," he said, talking about his days in the late 1970s and early 1980s at the University of Illinois, when he worked on Plato, a computer-based education system.

But when it came time to get an export license for Lotus Notes, Ozzie ran into the U.S. government's restrictions. "I had no clue," Ozzie said. "Initially, we had wanted to use hefty keys...We had spent years working on it, and after the third meeting (with the government), I thought we were dead."

But that's all history. The Web hit in 1994, erasing borders and giving rise to the need to secure electronic commerce. In 1996, the government eased export controls, clearing most regulatory obstacles for widespread adoption of cryptography.

"The one thing I fault the (NSA) for is that they were not willing to be open-minded in the discussion," Snow said. "There was a very valid case to be made on the other side."

The government has even made an about-face on encryption. These days, many regulations such as those laid down by HIPAA and the Sarbanes-Oxley Act require encryption, noted Dan Boneh, an associate professor of computer science at Stanford University and co-founder of Voltage Security.

"There has been a complete flip recognizing that encryption is here to help us," Boneh said.

Yet cryptography hasn't become as commonly used as some might have hoped, the panel noted. Web transactions might be encrypted, but a lot of data and communications still are not.

The issue, Snow said, is products. "The remaining issue that is big today on the plate is lack of quality in the products," he said, adding that security products are poorly designed and often not in a secure way.

Other panelists agreed. "I will fix it all," Ozzie said. He said he had built security into Notes and in Groove, a later venture. At Microsoft, he plans to design it into products as well, keeping in mind compliance issues and the realities of enterprise systems, he said.

"In the early years, we as an industry could blame the system for controlling the pace of innovation because the government was throwing up roadblocks," Ozzie said. "At this moment in time, it's laziness on the part of the industry in terms of not embracing architecture and the importance of human interface in design of secure systems."