Thanks to the miracle of modern marketing, it’s getting harder and harder to tell the genuine technology companies from the snake oil salesmen. Take TriStrata Security Inc, a Redwood Shores, California-based cryptography outfit. TriStrata’s credentials are impeccable. Founder John Atalla has an impressive track record in security systems for automatic teller machines; he’s credited with inventing the personal identification number (PIN). Retired president and CEO of Hewlett-Packard Co John Young sits on TriStrata’s board, along with Thomas Perkins of fabled venture capital firm Kleiner Perkins Caulfield Byers. To top it all off, last week the company poached Paul Wahl from the top of SAP America (CI No 3,490). Few startups are better bred.

Yet a comparison of a TriStrata white paper with the Snake Oil FAQ (Snake Oil Warning Signs: Encryption Software to Avoid) brings up some disturbing parallels. Constant readers will remember that claims of unbreakability are a common sign of snake oil (CI No 3,488). TriStrata begins its white paper with a section on its “Theoretically Unbreakable Encryption”. The Snake Oil FAQ lists “Revolutionary Breakthroughs” as another red flag. TriStrata boasts that Atalla initiated “a complete overhaul of computer security thinking… a fundamental shift in the secure computing paradigm… cryptography as a profession is dead.” Little wonder that cryptographer Bruce Schneier told the Wall Street Journal: “These guys have no clue.”

TriStrata says its system is based on the Vernam cipher, a One Time Pad (OTP) method originally devised in 1917. An OTP works by having a long string of random numbers which the sender and recipient, and no one else, can access. The numbers must be genuinely random, based on radioactive decay timings or some such phenomenon. To encrypt a message x bits long, you take the next x bits of the pad. After use, the bits are destroyed and must never be used again.
The Snake Oil FAQ says: “The real limitation of OTPs is the generation and distribution of truly random keys. You have to distribute at least one bit of keys for every bit of data transmitted. So OTPs are awkward for general purpose cryptography. They’re only practical for extremely-low-bandwidth communication channels.” TriStrata claims: “Random KeyStream for the first time, leveraging off today’s low-cost of computing and memory, has made this system practical.” Hmm. Who to believe? Though Schneier has made his position clear, the company has found a high-profile champion in UK cryptographer Fred Piper, a maths professor at the University of London. Not that that proves anything either way: the Snake Oil FAQ devotes an entire section to “Experienced Security Experts, Rave Reviews and Other Useless Certificates”. As ever, caveat emptor.
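To make the pad mechanics described above and the FAQ’s one-key-bit-per-data-bit constraint concrete, here is an added example (written for this page, not code from TriStrata, the FAQ or the article): a minimal Vernam/OTP in Python that burns pad bits as it uses them, refuses to encrypt once the pad is exhausted rather than stretch or reuse it, and shows why reusing a pad segment is fatal. It assumes os.urandom as a stand-in for the hardware entropy source a genuine pad needs; all names are my own.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings: the whole of the Vernam cipher."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


def make_pad(size: int) -> bytes:
    # Assumption: os.urandom stands in for a true physical entropy source.
    return os.urandom(size)


class OneTimePad:
    """One party's copy of a shared pad, consumed exactly once, bit for bit."""

    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)   # shared secret; both parties hold a copy
        self._pos = 0                # index of the next unused byte

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._pos

    def apply(self, data: bytes) -> bytes:
        """Encrypt or decrypt (XOR is its own inverse) and destroy the used bits."""
        if len(data) > self.remaining:
            # One key bit per data bit: refuse rather than stretch or reuse the pad.
            raise ValueError("pad exhausted: fresh key material must be distributed")
        start, end = self._pos, self._pos + len(data)
        out = xor_bytes(data, bytes(self._pad[start:end]))
        self._pad[start:end] = bytes(end - start)  # zeroise: never usable again
        self._pos = end
        return out


def reuse_leakage(p1: bytes, p2: bytes, key: bytes) -> bytes:
    """Why reuse is fatal: if one pad segment protects two messages,
    c1 XOR c2 equals p1 XOR p2, so the key drops out entirely."""
    c1 = xor_bytes(p1, key)
    c2 = xor_bytes(p2, key)
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    shared = make_pad(32)                       # constructed sample pad
    sender, receiver = OneTimePad(shared), OneTimePad(shared)
    ct = sender.apply(b"meet at noon")
    assert receiver.apply(ct) == b"meet at noon"
    print("round trip ok; pad bytes left:", sender.remaining)
```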