1996-04-16 - Re: RSA & SDI

Header Data

From: vin@shore.net (Vin McLellan)
To: cypherpunks@toad.com
Message Hash: f0767f4b4d2df9408f92c69fb1eedaceff514a73a405d525f3a97ab7da78a945
Message ID: <v02130501ad98fd7a87b0@[198.115.179.225]>
Reply To: N/A
UTC Datetime: 1996-04-16 21:19:51 UTC
Raw Date: Wed, 17 Apr 1996 05:19:51 +0800

Raw message

From: vin@shore.net (Vin McLellan)
Date: Wed, 17 Apr 1996 05:19:51 +0800
To: cypherpunks@toad.com
Subject: Re: RSA & SDI
Message-ID: <v02130501ad98fd7a87b0@[198.115.179.225]>
MIME-Version: 1.0
Content-Type: text/plain


Steve Reid <steve@edmweb.com> exclaimed:

>> It's true:
>> FOR IMMEDIATE RELEASE
>> Security Dynamics to Acquire RSA in Transaction Valued at
>> Approximately $200 Million
>
>Okay, so what do we know about Security Dynamics? What are they expected
>to do about licensing etc?

        I know a lot about SDI's technology and history.  (Under contract
to SDI, I just finished writing a draft FAQ on their ACE/SecurID user
authenication system.  It's unofficial and in-process, but I'm willing to
e-mail the SecurID FAQ to anyone willing to read it and give me comments,
criticism, and suggestions on how to improve it.  Fair warning: it is
20,000+ words and written to educate a lay audience.)

        I haven't heard anything yet about SDI's position on RSA licences;
but I doubt if there will be any surprises in that area soon. Among people
associated with either company, it has been common knowledge that SDI and
RSA folk have been very close for years, on both personal and professional
levels.  RSA's technical expertise has been apparent in SDI's user
authentication system at several levels (albiet undocumented) and SDI's
marketing expertise has doubtless informed RSA's policies in recent years.


        SDI, with over 150 salesmen on the street, fields the largest and
most successful sales force selling Computer Security.  SDI's SecurIDs
tokens dominate the large-site (<1,500 tokens) corporate market for user
authentication tokens with an estimated 70-80 percent of the market --
largely on the basis of the relative ease-of-use of the SecurID over its
challenge/response competitors; SDI's early committment to client/server
environments; and SDI's corporate promise to evolve to meet the changing
CompSec threat.

        A SecurID generates the token's 4-8 digit token-code from an
SDI-proprietary hash that puts Current Time and a token-specific key
through a one-way function to create a PRN that changes every 30 or 60
seconds.  All SecurID authentication calls also require two-factor
validation; both the token-code and a user-memorized PIN must be submitted
to the ACE/Sever for validation.

        There has never been any doubt -- given the evolving risks and the
needs of on-line business community -- that SDI would eventually sell both
authentication and encryption services.  (It has also been obvious for
years that SDI had, in its SecurID token-code, a neat symmetrical
encryption key-generator already in widespread use in many networked
environments.  SDI had a mocked-up system that effectively used a SecurID
token to generate DES keys seven or eight years ago, as I recall -- but
apparently SDI never felt the market opportunities were sufficient to lure
them into the political malestrom around crypto... until now.)

         I have no secrets to share, but it would surprise me if many SDI
customers don't read a major opportunity for themselves in SDI's purchase
of RSA.  Last fall, SDI upgraded its ACE/Server to a new version (2.X)
which manages user records on a fully-integrated Progress relational
database.  This integration of a SQL and 4GL-accessible RDBS brought a
whole new level of functionality, complexity, and opportunity into ACE
system administration -- but it also offers the security, scalability, and
RDBS-to-RDBS communication options necessary to manage enterprise-wide IS
security systems.

        Managing a large key-management system through a flat text database
would be a nightmare.  With the flexibility of an indexed RDBS, it becomes
feasible to look to SDI's ACE/Server as a vehicle to hold and manage crypto
keys, either PKC pairs or symmetrical keys, for an enterprise-wide system
with multiple and distributed sysadmin sites.  Some ACE/Server systems now
support over 20,000 SecurID users, and the ESQL comm options will finally
open the door to integrated multiple-server environments.

>The question of the day is... HOW WILL THIS AFFECT CRYPTO?

        I have no answer on that one, but the marrage of RSA's technology
and SDI's marketing muscle -- given RSA's credibility and SDI's installed
base in commercial MIS sites -- unveils a world of interesting
opportunities.

        One interesting thought: since SDI has a shoe-leather sales force
on the street in 20-odd nations, SDI (with RSA) might be able to leverage
an integrated crypto/authentication technology and sell in markets where
RSA's algorithms doesn't even enjoy patent protection.  In the best of
commercial traditions, SDI would be selling a solution rather than a
technology.

        Suerte,
                                _Vin

         Vin McLellan +The Privacy Guild+ <vin@shore.net>
      53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548
                         <*><*><*><*><*><*><*><*><*>







Thread