Communications Week
January 20, 1997, Issue: 646
Section: Top of the News

Hardcore Security -- Chip-level implementation bolsters encryption technology for electronic commerce

By David Joachim

If data encryption tasks are bogging down your systems, it may be time to consider some new options.

Intel and a slew of other hardware manufacturers are behind a wave of new devices designed to make encryption faster and more secure. These products are the latest evidence that encryption, essential for secure electronic commerce and communications via the Internet, is migrating from software-based technology to hardware -- and the pace is picking up.

In the long run, encryption technology will be embedded directly into the core of PCs, servers, switches and other devices, including high-volume chips such as the Pentium. But that won't happen for years, experts say.

In the interim, leading hardware vendors are providing a host of new products designed to add hardware muscle to Web servers and other systems that can get bogged down by RSA data encryption, the Data Encryption Standard and other compute-intensive cryptographic algorithms. Some systems can experience as much as a hundredfold performance drop once encryption is turned on, analysts said.

"RSA should stand for Really Slow Algorithm," said Peter Craig, vice chairman of Rainbow Technologies, a network security developer in Irvine, Calif. "As you turn this stuff on, you discover that your server transaction capacity goes from several hundred transactions a second to three or four per second."

Intel is preparing a coprocessor designed to handle encryption in various hardware devices, and several OEMs and sources close to the company had expected an announcement at the RSA Data Security Conference in San Francisco next week (CommWeek, Jan. 13). Several OEMs also confirmed plans for systems based on an Intel crypto-chip.
But Intel said last week there would be no announcement at the show, though officials confirmed that they are working on such a product.

Other vendors, however, are not waiting for Intel to set the pace and plan their own product introductions at the RSA conference.

Atalla, a San Jose, Calif., subsidiary of Tandem Computers Inc., will debut a PCI card for handling data encryption on Web servers. Atalla's card actually is a miniature version of its WebSafe unit, a closed system it calls a "co-server" for off-loading Web transactions. Starting at $12,500, WebSafe is designed to erase encrypted data when a breach is attempted. Pricing for the unnamed PCI card has not been set.

Atalla, a developer of secure banking systems, also will join partner VLSI Technology Inc., San Jose, to introduce a cryptography chip called NetArmor for use in motherboards, set-top boxes and other server-side devices. It starts at a unit price of $50 in volumes of 10,000 or more.

VLSI is set to debut a crypto-chip called GhostRider, developed with Lucent Technologies Inc., Murray Hill, N.J., for use in PCTV consumer devices.

A number of other vendors also will showcase new hardware solutions at the show, including Rainbow Technologies and Spyrus Inc., San Jose, Calif.

Adding Muscle

The new product category is aimed at several concerns. On the server side, the offerings closely resemble math coprocessors for off-loading heavy computations, though most also include special "firmware," or unerasable software, as well as secure storage for private keys that identify a group or company doing business on the Internet.

On the client, however, secure E-mail and other mobile applications are driving the development of new smart cards and PC Cards, so-called tokens that not only store private keys for authentication but any type of data an end user wants to store securely and take with him, such as credit card numbers and virtual keys to the corporate network.
Kevin McCurley, a cryptology expert at the U.S. Department of Energy's Sandia National Laboratories, Albuquerque, N.M., said storing such data on hardware is far more secure. "It's very difficult to protect private keys in software, which is why we have seen so many breaches," he said.

Spyrus will introduce at the show PC Card devices adapted from products previously only sold to the government, said Charles Walton, the company's director for electronic commerce. They are the Hydra Privacy Card on the client, with 64 megabytes of storage; and the MultiCard Accelerator, an array of two to 14 PC Cards for servers. Pricing starts at $500 for cards with no memory.

Hewlett-Packard and IBM also market PC Cards and PCI cards for use on their systems.

To appreciate the advantages of hardware, consider these "hard tokens" to be miniature computers dedicated solely to one function.

"On a hard token, your keys and other information are not visible to anything else but the card it's running on," said David Bernstein, editor of Infosecurity News, a newsletter based in Framingham, Mass.

"If the keys are in software, and your computer is the token, that data is visible to other processes of that machine and callable by your computer, so it can be hacked," Bernstein said.

The downside of hardware is that once private keys and other variables are set, they cannot be changed, Bernstein noted.

Last year there were only a handful of hardware options for encryption; this year there are dozens, and all the top silicon vendors have staked a claim. Motorola, Mitsubishi, National Semiconductor, NTT, Siemens and VLSI, among others, have recently shipped processors optimized for encryption.

Experts agree that encryption support will one day be built into all processors. "It needs to become something everyone needs and everyone is willing to pay for," said Jim Bidzos, RSA Data Security president. "That's about five to 10 years off."

Copyright © 1997 CMP Media Inc.