RSA Data Security Inc.'s patent for the most important encryption technology used in corporate networks is set to expire in September - an event that could lead to lower prices for software incorporating RSA public-key technology and new challenges to RSA Security's encryption industry leadership.
Funded by the U.S. government, RSA public-key technology debuted two decades ago as a dazzling concept in encryption.The technology has come to form the foundation for the Web's ubiquitous Secure Sockets Layer (SSL) security, as well as most e-mail encryption, digital certificates and virtual private network (VPN) software.
The technology, based on a complex math algorithm, is now used in popular products such as Microsoft and Netscape Web browsers and servers, Lotus Notes and Novell NetWare. The technology can be found in about 90 percent of all products sold with encryption.
In the network industry, there is not only admiration for but also fear of cryptography kingpin RSA Security, which wields power through the licensing of its BSAFE tool kits for making products that use the patented technology. Jim Bidzos, once the company president and now vice chairman of RSA Security's board of directors, built up the company's business through licensing deals.
But with its key patent expiring on Sept. 21, RSA Security for the first time is bound to find competitors. Chief among these firms will be Certicom, which currently specializes in cryptography technology used in small, wireless devices such as 3Com's Palm Pilot.
Certicom CEO Rick Dalmazzi says, "We will compete against them with a product we will have out this year."
As a result of the new competition, it could become less expensive for software developers to incorporate RSA technology into products, though Certicom isn't promising that its tool kit will cost less than RSA Security's. However, some of RSA Security's 500 customers might take away business from the company by creating their own encryption code to avoid license fees.
According to several industry sources, RSA requires licensees to pay upfront costs that might add up to as much as 10 percent of the cost of their products, plus extra charges on each unit sold. Some licensees, speaking anonymously out of fear that RSA Security might yank their licenses, claim the company last year gave vendors a choice: Either sign up for new five-year licenses, or wait until the RSA patent runs out.
RSA Security, which last week hosted about 8,000 people at its annual security conference in San Jose, wasn't willing to discuss its licensing policies in detail.
RSA Security does acknowledge its tool kits still account for about 30 percent of its revenue, but says it's not worried about the impending loss of its patent. The company has some large and apparently content customers that don't plan to bolt in September. "Once the patent is in the public domain, different companies can and will compete," says Jeffrey Jaffe, vice president of technology policy at IBM. "Right now, we're happy with our implementation of RSA in the BSAFE tool kit."
Microsoft has no plans to stop licensing RSA Security's version of RSA either.
But Brian Valentine, the Microsoft senior vice president who heads up Windows 2000 development, says his company is open to exploring other options when the patent expires. That might mean Microsoft's in-house cryptographers write RSA code.
RSA Security's stance is that nothing is going to change once the patent expires. "We don't think it's going to tremendously impact our business," says Scott Schnell, the company's vice president of marketing.
And MIT professor Ron Rivest - co-inventor of the RSA technology with scientists Adi Shamir and Len Adelman - says the expiration of the RSA Security patent will "not have much effect. People will still go to RSA."
But there are a couple of other possible ramifications of the patent expiring.
There has been interest in making RSA - which has become an ISO and IETF standard - into open source software. Australian cryptographers have posted the RSA algorithm as SSL code on the Internet. (Because RSA Security holds only a U.S. patent, developers outside the U.S. can develop unlicensed copycat RSA implementations, but they can't sell products based on such implementations in the U.S. until the patent expires.)And The Sun-Netscape Alliance has been trying to push RSA Security to make its code open source, says Claire Hough, vice president at the alliance. With the U.S. government now allowing strong encryption code to be posted on the 'Net, the alliance last week posted Netscape public-key infrastructure libraries to the mozilla.org Web site to let developers have free use of SSL and PKI. "But we had to strip out the RSA algorithm before posting it," Hough says.
And there is also the issue of whether the entry of new competitors in the encryption market will compromise interoperability, particularly among products supporting RSA-based SSL. Interoperability could erode when all users aren't using RSA Security's implementation of RSA, some observers say.
But John Ryan, CEO of security technology vendor Entrust, says any interoperability problems would be addressed immediately.
"If there were a problem with that, we'd wreck the golden goose of e-commerce," which relies on secure communications technology, Ryan says. The IETF and industry groups would quickly become a forum for SSL interoperability testing if problems cropped up, he adds.