Maclean's Magazine
Monday, September 21, 1998

Secretive by design

Canadians lead a new industry that has come in from the cold

by Warren Caragata

The art of writing and deciphering coded messages was once the preserve of spy novelists and shadowy government agencies that often refused to acknowledge even their own existence. Cryptography, as the science of codes and ciphers is known, helped the Allies win the Second World War by cracking the Enigma code machines used by the Germans. The 1946 defection of Soviet cipher clerk Igor Gouzenko in Ottawa allowed the Americans to break Soviet codes that revealed Stalin's efforts to steal nuclear secrets. Now, propelled by the rise of the Internet and the need to secure business transactions in cyberspace, the business of encryption is starting to move out of the shadows. "Increasingly," says Sean Elrington, a computer security expert at Ernst and Young in Vancouver, "we are going to have to do business with people we have never met and never will meet, and we will have to do that business electronically." The answer to keeping that business secure and safe lies with a new generation of cryptographers, and a lot of them just happen to be Canadian.

The biggest and most successful of the Canadian companies in the code business is Entrust Technologies Ltd., a spinoff of telecommunications giant Nortel. Entrust, with headquarters in Richardson, Tex., but 300 of its 425 employees in Ottawa, produces software that helps companies keep their secrets safe. That's a big job: the computer has not only made it easier to code messages, it has made it easier for hackers to break those codes. And keeping secrets from prying eyes on the grand computer bazaar of the Internet, where an increasing amount of business communication takes place, is a daunting task. A global survey of businesses last year by Ernst and Young indicated that 45 per cent of firms that monitor their networks for intrusions had an Internet security breach. "The Internet has revolutionized the need for security," says Toronto-born John Ryan, Entrust's president and CEO.

The Internet and electronic commerce are also revolutionizing the way that codes are being used. In the old days, the same key was used to both encode and decode a message, a method referred to as symmetrical cryptography. Such a system is not totally secure. Steal an Enigma machine, as the Allies did, and all is revealed. But in those days, codes were generally used by people working for the same organization, whether a company or a spy agency, and that made it easier to keep the keys safe and secure. But, as Elrington says, people now want to send coded messages to people they have never met, working for an organization they may have never heard of. Using symmetrical encryption, about the only way to do that is to send the descrambling key along with the coded message, a system obviously fraught with peril.

To meet these new demands, companies like Entrust are turning to a relatively new form of cryptography where a sender uses one code, or key, to encrypt a message and the recipient uses another key to decrypt and read the message, a system known as public key encryption. The encoding and decoding ciphers are mathematically related but it is almost impossible to use one of the keys to break the other. That allows such systems to have one half of the pair stored on publicly accessible directories on the Internet. To send a coded message to someone, the sender merely uses the recipient's publicly available key. "The only person in the world that can decrypt that message is the holder of your private key, which is presumably you," Elrington says.

The other advantage of Entrust's system is that it can be used as a digital signature, answering a key problem encountered in these early days of Internet commerce--having some confidence that people are who they say they are. To provide this assurance, Entrust uses a second key pair, with the person sending the message using his private code to identify himself and the recipient using the sender's public signature key to verify that identity.
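
The two key pairs described above (one for encryption, one for signing), as an added example that is not from the article or from Entrust's software. It assumes textbook RSA without padding over fixed, well-known primes and uses only the Python standard library; the names `alice`, `bob`, `DIRECTORY`, `send` and `receive` are made up for the illustration, and real products use randomly generated keys and padded schemes.

```python
import hashlib

E = 65537  # widely used public exponent

def make_pair(p, q):
    """Build a textbook RSA key pair from two primes: (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

# Constructed keys from well-known Mersenne primes (illustration only).
alice_sig_pub, alice_sig_priv = make_pair(2**61 - 1, 2**89 - 1)
bob_enc_pub, bob_enc_priv = make_pair(2**107 - 1, 2**127 - 1)

# Hypothetical public directory: only the public halves are published.
DIRECTORY = {"alice": {"verify": alice_sig_pub}, "bob": {"encrypt": bob_enc_pub}}

def digest(data, n):
    """SHA-256 of the message, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def send(plaintext, recipient, sender_sig_priv):
    """Encrypt with the recipient's public key, sign with the sender's private key."""
    e, n = DIRECTORY[recipient]["encrypt"]
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    ciphertext = pow(m, e, n)
    d, sn = sender_sig_priv
    signature = pow(digest(plaintext, sn), d, sn)
    return ciphertext, signature

def receive(ciphertext, signature, sender, recipient_enc_priv):
    """Decrypt with the recipient's private key, verify with the sender's public key."""
    d, n = recipient_enc_priv
    m = pow(ciphertext, d, n)
    plaintext = m.to_bytes((m.bit_length() + 7) // 8, "big")
    e, sn = DIRECTORY[sender]["verify"]
    if pow(signature, e, sn) != digest(plaintext, sn):
        raise ValueError("signature does not match sender's public key")
    return plaintext

if __name__ == "__main__":
    ct, sig = send(b"wire $500 to acct 7", "bob", alice_sig_priv)
    print(receive(ct, sig, "alice", bob_enc_priv))
```

Altering the ciphertext or the signature, or decrypting with any private key other than the recipient's, makes `receive` raise instead of returning a message.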

Entrust, which went public last month on the U.S. Nasdaq exchange, has already sold its system to a number of large companies, including J. P. Morgan and the Bank of Nova Scotia, which uses public key encryption to safeguard its online banking operation. The Canadian government is also a client. Nicole Schmidt, a director in the equity research department at CIBC Oppenheimer in New York City, says the market, still in its infancy, is now led by Entrust and a U.S. competitor, California-based VeriSign Inc. Ryan estimates that the market size will be about $1.7 billion by 2003. Entrust's sales last year totalled $38 million, almost double the 1996 figure.

But as the Russians learned when Gouzenko walked out of their Ottawa embassy with cipher books under his arm, people, not systems, are the weakest security link. Elrington says he has seen cases where the best system is defeated because people put their passwords on notes stuck to their computers. The price of security is eternal vigilance. "The bad guys," he says, "only have to win once. If you're on the other side of the fence, you need to win every day."

