SAN FRANCISCO—As the wave of acquisitions in the security industry continues to mold innovation and original thought into a gray mass of sameness and me-too product offerings, successful, independent security companies are fast becoming a dying breed. One of the few holdouts in this arena is Cryptography Research Inc., a small San Francisco-based company that tackles difficult cryptographic issues for a variety of high-end clients. The company is currently working on a new copy-protection scheme for digital content that enables content owners to control how the content is used. Paul Kocher, the company's president, is considered one of the rising stars in the world of cryptography, thanks to his design for the SSL v3.0 protocol and development of a timing attack on the RSA algorithm. Senior Editor Dennis Fisher sat down with Kocher and Benjamin Jun, the company's vice president, at the RSA Conference last week to discuss the new technology and why the current argument over mandated copy protection is moot.
eWEEK: Can you tell me a bit about how your company is different from most security companies?
Kocher: Our focus is to solve the hardest security problems that people have. We do a lot of work with Hollywood studios. There have been a lot of technologically poor proposals [regarding digital piracy] that are in a lot of ways the worst of all worlds. They not only don't solve the problem, they make it worse. We don't build products or write huge pieces of software, but we can tackle the really hard problems. We only have eight people, but it's a small shop of really bright people.
eWEEK: Well, there probably aren't that many people who have the kind of knowledge that you need.
Kocher: Yeah, we do see cryptography as a people problem and a technical problem. Almost all of the technical problems in a cryptosystem are the result of two people who designed different blocks and didn't communicate with each other and then tried to put them together.
Jun: Some of the people who we've hired, we hired for one reason and then it turns out that they have a lot of knowledge in another very specialized area that we weren't that excited about until we found an application for it.
eWEEK: Do you see yourselves as having any direct competitors?
Kocher: I don't know. There's so much work to be done. The size of the problem out there divided by the number of people working on it means that there's a lot of work out there. There could be 50 times as many people working on it and our focus still wouldn't be competitive.
Jun: Research is about failure. You try to get through all of the wrong answers as quickly as possible so you can get to the right one. We try to fail as quickly as possible, if that makes sense.
eWEEK: What would be the next big problem for you guys to tackle? Is quantum cryptography something that you're interested in? I know there's already been some successful work on quantum key generation.
Kocher: To me, quantum cryptography is useless. It purports to solve a problem that's already solved. It is an interesting research problem, though. But, you're not going to see quantum computers showing up to do useful things probably in my lifetime and possibly never. But it is the most interesting problem in computing in the last 30 years. It's absolutely fascinating. But, of all the things that keep us awake at night, that's way down there with alien invasions.
eWEEK: Tell me about the work you're doing on copy protection.
Kocher: The studios have real problems. Piracy is illegal, and my job is to solve those security problems. Both sides in this debate are missing the point. Mandating copy protection isn't realistic. The hardware model doesn't work. In our technology, the player carries software with it that runs in a virtual machine. The security is player-centric and is associated with the content. So if the security is broken, it's just one movie [that's compromised], not all of them.
eWEEK: I understand that you also found a way to trace illegal copies back to their original owners.
Kocher: If you just use a watermark for forensic purposes, it can be made provably secure. You can apply this to digital content. As decryption occurs, we can encode little differences. Each player has different keys and decrypts differently. The code in the content will decide how that happens. If you copy it, we can trace it to the original owner. Then the studio can take measures to prevent future movies from playing in that player. We're building a stalemate. Attackers will break the security, but then the content owner can have countermeasures.
eWEEK: Have you had discussions with Hollywood about this?
Kocher: We're talking to some studios now. It takes time. It's 20,000 people who all have different opinions. But once we can show them how the technology can work for them, they usually get it.