Cloud and mobile security to encryption, security concerns abound as RSA turns 20

This marks the 20th year since the first RSA Conference, an annual meeting that has witnessed major technology shifts, aired significant controversies and undergone a name change on its way to becoming the largest security conference in the world.

2010’s biggest security SNAFUs

It’s even being challenged by a shadow conference – Securtiy B-Sides – that runs during the same timeframe in the same city and can fill a program with overflow presentations that don’t make the RSA cut.

As preparations for this year’s meeting (Feb. 14-18 in San Francisco) continue, here’s a look back at some of the highlights over the years.

Top 10 RSA Conference security innovators

The first conference was called “Cryptography, Standards & Public Policy: the Fall ’91 Crypto Technology Update” – not RSA – and met in the Hotel Sofitel in Redwood City, Calif., Nov. 4, 1991, from 9 a.m. to 3 p.m. Fewer than 50 signed in. The event was called to address a specific issue – the Digital Signature Standard that was about to be issued by the National Institute of Technology and Standards and which would undermine RSA as the de facto standard widely used commercially.

The conference was prompted by a call from Marc Rotenberg, executive director of the Electronic Privacy Information Center, who was concerned about mandating the standard for business, according to RSA’s then-CEO Jim Bidzos. “It sounds to me like the best thing we can do is educate people,” Bidzos replied, he says in an oral-history interview, “so maybe what we ought to do is host a conference and educate people about this. I’ve got access to a lot of people who can talk about it.”

He rounded up a group of people to say why DSS was a bad idea, and the afternoon agenda for the first conference wound up being just one panel: “DES and DSS: Standards of Choice?”

The panel was a who’s who of cryptographers: Whitfield Diffe and Martin Hellman (Diffie-Hellman key exchange); Ronald Rivest (the R in the RSA public key algorithm); Jim Omura (of the Massey-Omura cryptosystem); Taher Elgamal (the father of SSL encryption); and Burt Kaliski, who drove the standardization of public key encryption.

The bottom line for DSS was that it was adopted, but the discussion proved the need for a forum for discussing such topics.

Since then the conference has taken on important security issues, such as the battle against the Clipper Chip that would have give the U.S. government encryption keys to decrypt communications secured by the chips. Its prominence prompted the Cloud Security Alliance to launch at the conference in 2009.

As the conference grew, so did its scope, says Sandra LaPedis, general manager of the conference, with the 2005 keynote by Microsoft‘s Bill Gates being a turning point at which RSA became an all-encompassing security forum. “It was a big acknowledgment for Microsoft to send its top executive here,” she says. The conference has drawn Cisco‘s CEO John Chambers, U.S. department of Homeland Security secretaries Michael Chertoff and Janet Napolitano and this year features former President Bill Clinton.

Even with this broad spectrum of issues, the conference retains its roots, with some of the original attendees coming back for a popular recurring event that hails back to the conference’s roots – the cryptographer’s panel – where they tend to mix it up pretty candidly.

In 2010, for example, the former technical director for the National Security Agency declared he doesn’t trust cloud services because it’s hard for a resource stored there to be safe from attacks from within. “You don’t know what else is cuddling up next to it,” said Brian Snow.

But he got whacked by Adi Shamir (the “S” in RSA) who agreed cloud services aren’t safe, but because the NSA itself might tap them. “There’s a pipe out of the back of an office at AT&T in San Francisco to NSA,” he said, referring to a notorious splitter siphoning off copies of Internet traffic for the NSA. The implication was that technology could handle the risk Snow talked about, but the NSA was a different beast.

At the 2004 show, Rivest sat on the panel and rejected digital technology being used in elections because digital voting machines are so complex they necessarily offer multiple attack vectors. He called for paper ballots instead or at least as a backup to the electronic tally.

Not everything at RSA is serious, and even the corporate suits get in on the fun. In 1998, Bidzos donned gangster-rap attire and sunglasses to accompany The Sugarhill Gang lampooning government efforts to place back doors in encryption gear sold overseas. “Do encryption without going to jail,” Bidzos intoned.

In 2001, the conference hired rocker Pat Benatar, who parodied her own hit song, “Heartbreaker,” including the lyrics, “You’re a Codebreaker/Crash Maker, File Taker/Don’t you mess around with me.”

By 2001, the prestige of the show was such that it drew notorious hacker Kevin Mitnik back into the public eye after his release from jail in 2000 as a guest of security vendor Authentify. “It was good to reintegrate myself back into the computer security business without much resistance,” he said in a blog about attending the show.

“Having once been banned from the 1991 DECUS conference in Las Vegas solely based on my reputation as a hacker (and my forays into DEC’s Easynet), I know the feeling of being unwelcome. So I was pleasantly surprised to find most of the attendees friendly and respectful.”

He was also critical of the physical security at the show, noting that he wandered around unchallenged without a conference badge, gaining access to areas containing corporate laptops and expensive security gear, perhaps tempting his larcenous side.

Since 1995, the show has had official themes. That year it was the Egyptian scarab seals which were used to carry encrypted messages. In 1998 the theme was Trithemius, the medieval monk whose treatise on witchcraft was actually an encrypted book about hiding encryption and an iconic example of steganography.

Other themes have included amateur cryptologist Edgar Allen Poe, the secrets of the Maya and the Rosetta Stone. This year the theme is dedicated to two people, Alice and Bob, who were used to represent person A and person B in Rivest, Shamir and Leonard Adelman’s 1978 paper on public-key cryptosystems. Since then Alice and Bob have been adopted by the industry and commonly represent hypothetical parties in transactions to help make explanations of technology easier to grasp.

This year’s hot topics will be cloud security and the challenge of securing mobile devices in corporate networks, LaPedis says.

Read more about wide area network in Network World’s Wide Area Network section.