Interview with Cryptography Research Inc

Published: 23 Nov 2004

By Anoop Ubhey, Senior Smart Card Industry Analyst

At the Cartes smart card exhibition early this month, I got a chance to meet up with a number of companies offering new solutions to the market.  There was a lot of talk surrounding contactless technology and the potential uptake in the short to medium term.

I got to speak to Cryptography Research Inc, a company which I would expect, or at least hope, much of the core value chain would have heard of. If not, then read on. I spoke with Paul Kocher, President & Chief Scientist; Kit Rodgers, Business Development & Director of Licensing; and Ken Warren, Smart Card Business Manager.

 

While the smart card market is global, with booming growth in some geographic regions, the majority of the industry have their headquarters and design centres based in Europe. CRI are looking to increase their presence in the European market. By doing this, I believe CRI are showing their commitment to the smart card industry, which allows them to provide the support needed to improve security. The introduction of Ken Warren has bolstered CRI’s effort and will allow CRI to leverage Ken’s vast experience in the industry. He will ensure European customers can successfully implement CRI's patented countermeasures, and he will actively represent CRI in all European smart card industry activities.

I take this opportunity to provide feedback on some of the things we discussed.

 

Me: Differential Power Analysis (DPA) attacks - Are you telling me smart cards are insecure?

Kit: First, I definitely do not want to convey that smart cards are insecure. In fact, smart cards are one of the most secure technologies available. As you know, smart cards are tamper-resistant, self-contained modules which can offer excellent protection at a reasonable cost. However, no device can guarantee absolute security and smart cards are no exception. There is also significant variation among smart cards; some low-end cards offer very limited security, while the best cards are among the most secure devices available anywhere. DPA attacks are a significant concern for smart cards because the attacks are unfortunately very powerful and easy to replicate. The good news is that smart cards can be made very resistant if manufacturers implement proper countermeasures.

Me: How can Cryptography Research (CRI) help?

Kit: CRI discovered DPA in the mid-90s. At the time we worked closely with the industry to educate leading issuers, smart card manufacturers and silicon suppliers about DPA on both a technical and business level. Today CRI remains a leader in helping organizations worldwide develop products that are secure against DPA by:

  • Providing effective countermeasure technologies
  • Developing evaluation hardware for evaluation labs
  • Assisting with certification, requirement generation, evaluation, design, and education

Me: Is there anyone who should be most responsible for protecting against these attacks?

Kit: Silicon providers and smart card manufacturers must work together in both hardware and software to ensure their devices are secure against DPA. Vulnerabilities can exist at both the hardware and software level. Particular attention needs to be paid to the interface between hardware and software components.

Me: At the end of the day, the attack will harm the end user's (card issuer) business, so should they be more proactive in licensing your solution?

Kit: Indeed, card issuers (and individual users) are the ones that ultimately suffer when fraud or other attacks occur. Issuers definitely need to be focused on security issues, including DPA, and should demand that their suppliers provide products with effective countermeasures that have been properly tested. In terms of licensing our technology, issuers should check with their smart card suppliers to see if their products are properly licensed. Some issuers have chosen to license with us directly, while others are requiring that their smart card suppliers implement and license the necessary DPA countermeasures as part of their products. Ultimately, our objective is to be sure each device using our technology has been licensed, but it does not matter if the silicon supplier, card manufacturer, or issuer pays the royalty.

Me: As far as you are aware, are there any other solutions that do the same as CRI?

Kit: We do not believe there is a way to make DPA-resistant smart cards without using our technology. One of the advantages of discovering DPA is that we were able to focus on developing countermeasures before anyone else. Thus, we spent considerable effort ensuring our patents broadly cover the fundamental approaches for countering DPA attacks. While technologists in the security and smart card communities have been actively researching DPA over the last few years, their developments build upon our foundational patent portfolio.

Me: Is a DPA attack expensive or can any amateur attacker/hacker do it?

Kit: DPA attacks do not require any expensive hardware; a PC and under $1,000 worth of equipment is sufficient.

Me: In your experience, in which applications would you expect to see such attacks happen?

Kit: Security risks are always greatest in situations where it’s worth somebody’s effort to mount attacks. Smart cards used for banking, pay television, and mass transit have always been major targets for fraud and piracy. On the government side, defense and identity applications also face particularly serious threats. GSM SIMs are also an area of increasing focus, particularly as applications become more complex and integrated with various forms of commerce. In general, any application where a smart card is being used for security reasons is a potential target.

Me: Cost - can you give me some idea how much it would cost a licensee to feel safe from a DPA attack?

Kit: Issuers and users can feel safe if their smart cards include properly implemented and licensed countermeasures. We are not sharing detailed pricing information at this time, though as a general philosophy we want our business to succeed along with the proliferation of smart cards.

Me: Can you tell me a little more about CRI - i.e. what are your main markets?

Kit: CRI is a combination technology licensing and security services firm. We’re nearly 10 years old and are headquartered in San Francisco. Our business seeks to anticipate fraud and piracy trends and then develop technologies that help solve those problems. For instance, our clients are happy to pay us a few cents for a technology if they know it is likely to save them a few dollars in fraud or piracy costs. We’ve been quite successful implementing this model to date. In addition to our DPA countermeasures, our licensing efforts also include a custom security ASIC technology called the CryptoFirewall™ for pay television systems and a security architecture for securing high-definition video on next-generation optical media formats.

Me: Can you see smart cards turning into your main market? If so, can you provide me with a time frame?

Kit: The smart card industry is a very important market for us. We’re also having great success with anti-piracy technologies. While it’s hard to predict which will grow faster, we’re very enthusiastic about the smart card industry over the long term, and we see our technology licensing program growing with the industry.

Me: What do you see as the key strategies for CRI over the next 12-18 months in the smart card arena?

Kit: For now, we’re focused on negotiating licenses with the vendors that are the most proactive about obtaining security technologies for their customers. We are also continuing to work closely with testing labs and other security experts to help ensure smart cards are secure. We also recently started our European operation, which we plan to expand to increase the visibility and importance of our licensing program among card issuers and users. A final area of focus is our DPA logo program, which will be increasing in visibility over the months ahead.

Me: If you had three words to sum up Cryptography Research, what would they be?

Kit: Solving security problems. Or: Technology. Security. Assurance.

  
