Clock strikes 12 for RSA

Security players have mixed views about whether this month's expiration of a key security patent will lower the prices that agencies pay for products that use encryption and digital signature technology. But they do agree that buyers should soon have more options from which to choose.

The 17-year patent for the RSA public-key encryption algorithm was set to expire Sept. 20. However, the holder of the patent, RSA Security Inc., sought to steal the spotlight from competitors celebrating the expiration by releasing the patent into the public domain two weeks earlier than scheduled.

Still, RSA officials downplayed the importance of the event.

"I don't believe that there's a lot of significance to this," said Lynn McNulty, director of government affairs for RSA Security. "We've licensed the technology to more than 800 companies over the years. Most of the companies that are serious about this technology use our toolkit already."

"Everyone has known the date has been coming closer; it's more symbolic than important," said John Pescatore, research director for Internet security for technology research firm Gartner Group Inc. "It is the end of an era, however."

Carl Boecher, president and chief executive officer of smart card vendor Datakey Inc., an RSA licensee, thinks the cost impact of the patent expiration "is not that significant."

Datakey uses the RSA algorithm in its products two ways. First, the company bought an RSA patent license, which enables it to implement the algorithm in its smart cards. It paid RSA Security an initial fee for the license and a royalty for every card it sold.

Now that the patent has expired, Datakey doesn't have to pay RSA Security the royalty on the license. "We pay about 25 cents per card for it, so the savings as far as the system is concerned are insignificant," Boecher said.

Datakey also licenses RSA's BSAFE programming toolkit, which it used to help build a desktop software application that uses the RSA algorithm and works in conjunction with the smart cards. That agreement will not be immediately affected by the patent's expiration.

If the competition has any effect on prices, he believes it will be negligible. "The cost of BSAFE [in our desktop application] is around a dollar," he said. "If it gets cut in half or by a quarter, it's not really that different than where things are now."

But Boecher does expect that the patent's expiration will encourage other vendors to develop the equivalent of RSA's BSAFE toolkit.

Indeed, on Sept. 11 security vendor Baltimore Technologies Inc. launched its KeyTools suite of software that other developers can use to integrate security features into their applications. Previously, Baltimore Technologies offered only a limited set of its products for sale in the United States because of RSA's licensing conditions, but it did sell the entire toolkit elsewhere in the world, where the RSA patent did not apply.

With the new KeyTools products, Baltimore Technologies will sell a uniform set of products that use the RSA algorithm in the United States and abroad.

For their part, RSA Security officials believe the patent expiration will not adversely affect their company's prospects.

"It's not so much the [algorithm], but it's how it gets implemented," said Art Coviello, chief executive officer of RSA Security. "We're hoping this will spur people to use the RSA algorithm, and we think we have the best implementation of this algorithm. We've been developing with this technology now for 17 years. This algorithm represents one-tenth of 1 percent of the code in one of our products."

Outside of RSA Security, other vendors expect significant changes to follow the patent's expiration. Raosoft Inc., a developer of electronic forms software used by the Marine Corps and the Air Force, built support for the RSA algorithm into its products but left it up to its customers to obtain the license to use the algorithm directly from RSA.

"We built it with the expectation that the price would be low enough that customers could afford it," said Potluri Rao, president of Raosoft. "But after our customers saw the price tag, they shied away from it."

Rao thinks that many of his customers will consider using the RSA algorithm now that the patent has expired. Many of them, however, developed work-arounds for the security issue, such as printing paper versions of completed surveys or forms and then signing them manually. Those customers will have to rethink and probably redesign their forms applications to use electronic signatures based on the RSA algorithm.

Rao also believes that a crop of new RSA-based tools and applications will emerge that come in limited versions for little or no charge and as more sophisticated products that will carry a higher price.

The RSA patent issue would have been moot about two years ago for the government because before then federal standards for security technology did not allow agencies to use the RSA algorithm.

Since 1994, under Federal Information Processing Standard (FIPS) 186, agencies were supposed to use only the Digital Signature Standard, which specified the government's own Digital Signature Algorithm as the single technique for the generation and verification of digital signatures.

But in December 1998 the National Institute of Standards and Technology approved FIPS 186-1, which allowed agencies to use the RSA algorithm without obtaining a waiver. Six months later, FIPS 186-2 was approved, allowing the use of the Elliptic Curve Digital Signature Algorithm as well.

—George A. Chidi Jr. of the IDG News Service contributed to this story.