Who's who: Steve Weingart

Holding the keys to data security: For more than two decades, Futurex's Steve Weingart has watched the evolution of encryption technology.

August 31, 2005

For Steve Weingart, staying one step ahead of criminals attempting to crack data encryption started more than 20 years ago.

While studying electron beam lithography at IBM Corp.'s Thomas J. Watson Research Center in New York during the early 1980s, Weingart was asked to join a lunchtime conversation about how best to protect sensitive data.

Steve Weingart

 

Birthdate: Oct. 27, 1956

Birthplace: Chicago

Residence: Boca Raton, Fla.

Family: Married to wife Patrice for 26 years

Hobbies: Boating, diving and fishing. Was a competitive target shooter for 10 years

Resume: IBM Thomas J. Watson Research Center, 1983-1993, 1999-2001; owner, Gulfstream Technologies, 1995-2004; joined Futurex in 2002

Current title: chief technology officer

"From that little lunchtime conversation in 1983, I got started in cryptography and security, and have been doing it pretty much ever since," Weingart said.

Weingart, who is now the chief technology officer at Bulverde, Texas-based Futurex Inc., a company that produces cryptographic hardware, was introduced to cryptography at the same time the financial industry began exploring ways to protect financial data.

FIs turn to encryption

The need for increased financial data security came with the advent of interbank ATM networks, said Alan Falconer, the executive director of Akron, Ohio-based Electronic Transaction Advisors.

"Most information, in the early days, never left the ATM," Falconer said. "There was not a lot of switching. You were dealing with your own bank. It was all very local."

But once account numbers and PINs were transferred between institutions, it all changed. The industry adopted the military's Data Encryption Standard, or DES, to protect and encrypt data being transferred. At the heart of DES is a key, or a randomly generated set of numbers used to encrypt or decrypt data.

Protecting the small part of computer hardware that generates keys was proving difficult, however, in the early days of cryptology.

Plugging holes

Steve White - the IBM employee who asked Weingart to join that lunch conversation - and some colleagues had been tinkering for more than a year with the idea of developing a small device that could create data keys and be attached to the computer on which sensitive data was collected and transferred. The problem, however, was protecting that hardware from tampering.

"So the question became, 'How do you take that small piece of the computer and physically protect it?' 'How do you create some sort of 'lockbox' that cannot be tampered with?'" White asked. "For us, it was not so much a mathematical problem as it was a physical problem."

For more than a year, White and his colleagues would create a solution and then "poke holes in it, plug those holes and then poke new holes." And Weingart was just the person to help plug the remaining holes in their project, White said.

"Steve is a very clever guy. He's a very inventive guy," White said. "He came up with several ways that are still in use today. For example, he thought of wrapping the box (that generates keys) in wire and then monitoring that loop. If the wire is disturbed, then that is considered tampering and the keys would automatically be erased."

Since his start in the early 1980s, Weingart helped guide IBM's cryptology efforts for nearly two decades. He also wrote academic papers about the subject for the Washington, D.C.-based National Institute for Standards and Technology.

While at IBM, Weingart also worked with representatives of the Cryptographic Module Validation Program at NIST to develop the Federal Information Processing Standard 140-1.  

FIPS 140-1 sets the standards for security devices that handle "sensitive but not classified" data, such as financial transactions and medical records.

"FIPS 140-1 has become one of the de facto standards for independent validation for the financial industry," Weingart said. "That was a big part of my work at IBM, since I was also the primary hardware architect on the first device to be validated at FIPS 140-1 level 4 (the highest level). There are still only about a half dozen devices that have made that level."

Breaking the DES code?

Beyond the physical protection of key-generating hardware, Falconer said, industry experts feared a personal computer could be used to break the DES code.

When the banking industry first adopted DES, deciphering the tens of millions of number combinations used in the creation of keys seemed unthinkable. But that view soon changed, Falconer said.
 
"Over time, with PC processing power continuing to grow, someone with a PC could actually figure out a way to break DES," Falconer said. "In fact, a company called RSA held a contest to see if someone could break DES as a way to demonstrate that the standards needed to be changed. A group of college students and their professor broke it in less than three days."

That feat marked the beginning of the end for DES.

"Three or four years later, in the early 1990s, (breaking the code) had gone from three days to 45 minutes," Falconer said.

Adopting Triple DES

As the need to replace DES grew, the International Organization for Standardization and the American National Standards Institute, along with Visa and MasterCard, mandated that financial institutions begin adopting Triple DES - keys that are three times as long - by the end of 2005.

"There are now billions of combinations," Falconer said. "But honestly, it is only a matter of time before personal computers are powerful enough to break that as well."

Weingart said he would have preferred the industry wait and implement the Advanced Encryption Standard, which is widely believed to be more secure than Triple DES.

"The Triple-DES migration is a challenge mainly from an administrative standpoint," Weingart said. "My personal opinion is that they should have waited six months longer and introduced AES, which is a much better algorithm. But, people could wrap their arms around Triple DES."

Falconer agreed, saying the U.S. military simply bypassed Triple DES and adopted AES. He speculates that FIs were more comfortable with Triple DES because it is the same basic concept as DES, with the primary difference being longer keys.

"AES would have been a tremendous learning activity," he said.

Falconer added that by the time the industry is ready to change its encryption standards, AES probably will have been surpassed by biometrics or some other technology.

'Raising the bar'

But encryption's constant evolution has kept Weingart interested.
 
"We are always raising the bar ... and then the bad guys come up with a new trick, and then it's up to the good guys to find a way to thwart that," he said. "It really is like a never-ending puzzle game."

And regardless of what encryption standards are adopted by his industry, Weingart's work at Futurex allows him to work on that puzzle.

"You can't just give people a toolkit. You have to give them solutions," he said. "Cryptology really is rocket science, and you have to make it as easy to use as any household appliance. It has to be as simple to use as a toaster, and that is our biggest challenge."
