SAN JOSE, Calif. — Authentication and encryption up and down the stack are the watchwords at the annual RSA Security Conference here. And not just for the usual suspects, such as government, financial services providers and defense.
Every day, business users and eventually consumers will be moving closer to storing more of their digital identities and authentication on smart cards and USB devices, even pass them through the air via Bluetooth protocols.
Microsoft, RSA Security and Sun Microsystems set the pace and tone of the coming generation of encryption with upgrades to their roadmaps, authentication tools and partnerships that will push more encryption into the wider business world.
Consumer-facing support for smart cards and two-factor authentication in more devices, from a smart card to a USB plug-in to Bluetooth support, aren’t far behind, either.
Bill Gates, Microsoft Chairman, touted an updated roadmap for Active Directory and upcoming support for smart cards, which Microsoft calls “InfoCards” on the server side for customers as well as support for InfoCards in the next version of IE, currently in beta. Active Directory is one of the most widely used technologies by Microsoft customers.
RSA Security then stepped up to advance the authentication ball with a bunch of partners that will build in its encryption software to more hardware devices, including USB, wireless and Flash memory cards.
And Sun announced its plans to integrate its Elliptic Curve Cryptography (ECC) in its Java System Web Server 7.0, which is a big chunk of its Java Enterprise system.
The genesis of the evolution: smart cards with embedded encryption that enables two-factor authentication across networks.
In the past few years, smart cards have not taken off in the mainstream business world, but with three major technology players making moves to advance encryption into more devices, that’s changing.
Take the InfoCard support in the latest build of Internet Explorer (IE7). Released to a new beta in late January, IE7 now includes support for an InfoCard for users to add authentication and encryption to Web-based transactions.
In addition, Microsoft is extending into IE7 the capabilities of Active Directory, one of the most popular and widely used network access tools among Microsoft customers.
Gates said Active Directory will evolve to provide users of Windows Server with a single infrastructure with which to manage all of their identity and access needs, including domain and directory services, strong credentials, access control, single sign-on, federated identity, information rights protection, process automation and auditing.
Given how critical the Internet has become to the nation’s economy and infrastructure, advanced encryption for many transactions — especially on the Web — has been a missing link in the evolution of that digital ecosystem.
“The dreams we have [for the digital future] can only be realized if we not only build secure approaches that make those easy to administer,” Gates said, but make it so users understand how their information is being deployed.
“So that means a lot of improvement in where we are today,” he added. “I think we’re making progress. But it’s a very big challenge to make sure security is not the thing that will hold us back.”
The roadmap includes expanded capabilities that customers will see in future versions of Windows Server, he said, which is still code-named “Longhorn.” Look for a first-hand glimpse when the second beta arrives in the second quarter of this year.
Microsoft also announced the first beta of Microsoft Certificate Lifecycle Manager, which is a policy- and workflow-driven solution that streamlines the provisioning, configuration and management of digital certificates and smart cards.
And just to make sure customers are paying attention, Microsoft promised to align all of its identity and access capabilities available in Windows Server around Active Directory.
Expanding Hardware
For RSA Security’s CEO, Art Coviello, it’s all about obtaining the appropriate level of confidence in an assertion between two parties. Different transactions need different levels of security, he added.
“We need the ability to link transactions to personal identity. We all live in a crime-ridden neighborhood in the online world.”
To that end, RSA’s big push involves M-Systems, Motorola, RedCannon, Renasas Technology and SanDisk.
The companies will be putting RSA’s SecurID two-factor authentication software in their mobile phones, SIMs, PDAs, secure mobile Flash memory cards, USB thumb drives and software modules.
The idea, Coviello added, is to bring better authentication to consumers, businesses and partners.
Core to this effort is the extension of the RSA SecurID Ready Partner Program, which is designed to encourage device and software manufacturers to embed the RSA SecurID algorithm within their own solutions.
RSA Security also announced extended relationships with Microsoft and Research in Motion, broadening the range of devices able to serve as RSA SecurID authenticators.
But the latest partners are going a little farther. Take RIM, which plans to provision RSA’s SecurID credentials “over the air” or even by syncing up on the desktop, thanks to a licensing deal with Diversinet.
“Users will get the benefit of stronger security while taking advantage of the devices they already have,” said Coviello. “And consumer-facing account providers and enterprises will have a flexible mechanism to arm their customers with stronger authentication without having to procure and deliver standalone tokens.”
Not to be outdone on the server side, Sun Microsystems said its Sun Java System Web Server 7.0, which is a key component of the Sun Java Enterprise System, now supports Elliptic Curve Cryptography (ECC).
Sun said ECC is a next-generation security technology that dramatically reduces the time it takes to complete secure online transactions, improving both performance and scalability. The National Security Agency is already using the technology.