Crypto rivals challenge RSA

Encryption upstarts Certicom and Cylink are exploiting dominant RSA Data Security's annual conference to undermine RSA's hold on the market.

SAN FRANCISCO--With guerrilla tactics, encryption upstarts Certicom and Cylink (CYLK) are exploiting dominant RSA Data Security's annual conference to undermine RSA's hold on the market.

From a suite in the Fairmont Hotel, RSA's conference headquarters, Certicom Tuesday announced that 3Com will use Certicom's elliptic curve cryptography (ECC) in future versions of its popular PalmPilot handheld device. 3Com hinted it will use Certicom crypto more broadly too.

Then Cylink, which has both security hardware and software, announced its first commercial encryption software toolkit, cutting into RSA's bread-and-butter market.

As if that weren't enough, Pretty Good Privacy, another RSA rival now owned by Network Associates, wooed cryptographers last night with a splashy party--across the street from RSA's conference hotel.

"The crypto market is going to be a more freewheeling, free-for-all situation," said Zona Research analyst Jim Balderston. "The competitive landscape has changed drastically for RSA and will continue to. They've got a fight on their hands."

But even Certicom CEO Philip Deck thinks the various elements don't add up to a frontal assault on RSA's franchise, arguing that Certicom, Cylink, PGP, and RSA are in somewhat different segments.

"I don't see any vulnerability of RSA. They have an important and growing business in things that aren't just bare technology--we're a bare cryptography provider," Deck said. His firm has licensed elliptic curve crypto to small-device manufacturers such as 3Com, Motorola for a pager, VeriFone for smart-card readers, and Atalla for security hardware.

RSA chief executive Jim Bidzos also disputes the notion that his firm, which gets 90 percent of its revenue from software toolkits for building security into software and hardware, is vulnerable.

"Business is great," he said in an interview before this week's conference. RSA too has won business from small-device manufacturers, Bidzos notes, including Motorola, Atalla, and giant French smart-card manufacturer Schlumberger.

But after years of talking up the limits of elliptic curve cryptography, RSA announced this week that its flagship BSafe toolkit will support ECC by mid-year.

Scott Schnell, RSA's vice president of marketing, pooh-poohs Cylink's toolkit as a me-too announcement.

"It sure sounds a heckuva lot like what we announced--a high-level set of tools to integrate certificate-based security, based on a bunch of algorithms no one uses," Schnell said. As the security market expands, he noted, other competitors will enter too.

Matthew Kovar, an industry analyst at the Yankee Group, thinks Cylink's new toolkit, Foundation Suite, may make inroads in RSA's market, particularly among smaller developers.

"People will look for the cheap alternative, and Diffie-Hellman is a great tool for public key algorithms," Kovar said. "It represents the further erosion of what was an RSA stronghold. It is a more cost-effective substitute."

In fact, Cylink said it will sell its tool suite at a flat fee with no additional charges per user or application, a variance from RSA's approach. Cylink won't announce specific prices until it ships in March.

Cylink's toolkit supports Diffie-Hellman key agreement and the Digital Signature Standard (DSS), two algorithms whose patents expired last September.

RSA itself faces the expiration of its basic RSA patents in September 2000--which some think motivates the company to support alternative algorithms such as elliptic curve cryptography.

RSA is weathering other challenges on the standards front too. Although its S/MIME protocol for secure email is a de facto standard, the Internet Engineering Task Force won't require RSA's algorithm in its official S/MIME standards-track specification; support for it will be optional. Furthermore, OpenPGP, another secure email protocol from PGP, is further along the IETF standards track.

Indeed, the IETF appears to be moving away from requiring RSA in any standard because many of the engineers and cryptographers who work on standards think RSA is proprietary.

"The IETF is making it pretty clear which way it wants to go, and we're supporting it," John Kalb, Cylink's vice president of business development, said.