One of the first meetings I did in this job was with nCipher, where the concept of encryption was explained to me.
Now you could argue that I should have just sat down and read the Whitfield/Diffie paper or talked to the founders of RSA, but a lot has changed in the three years since then. Not just to me either; nCipher was subsequently acquired by global defence company Thales and, following other acquisitions, Thales is now one of the primary encryption firms.
nCipher's main business was SSL technology and databases with built-in encryption, with support offered for cryptography. Sitting with Thales's director of product management Mark Knight and strategy manager Steve Brunswick, both from the Information Technology Security division, I asked them if encryption had changed since 1976.
Knight said that one of the challenges for businesses is how to retro-fit end-to-end encryption and how to improve security without affecting the user so it is as transparent as possible.
“Technology is making encryption transparent. If you know you are using it then it has gone wrong,” said Knight.
One area where encryption has evolved is with mobile payments. Brunswick explained that a credit card chip has moved into the phone SIM card. “In the past, a factory would create a card with data from a tape from the provider, but with cryptographic details added to the account it is then added to the card. With the Global Standards platform, the cryptographic element is not in factory but over the air,” he said.
“With our hardware security module (HSM), within the SIM there is security but the domain is owned by the mobile network operator so you can use traditional push commands to set up a secure channel, and send a message that the application can run on the ‘card’. The bank has the server and an HSM attached, so the contact comes from the HSM and secures the message so the bank doesn't need to know anything about how the message gets to the phone.”
Knight commented that with end-to-end encryption, the bank has the data, but everyone should be hiding opaque information – although fitting this sort of technology is proving to be difficult.
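The arrangement Brunswick and Knight describe, where the bank-side HSM protects a message end to end and the operator's push channel only carries opaque bytes, can be sketched in code. The following is an added illustration, not code from Thales, nCipher or the article; it assumes a placeholder master key shared between the bank's HSM and the SIM security domain, an envelope layout of its own (counter, ciphertext, tag), and HMAC-SHA256 in counter mode as a PRF stand-in for the block cipher a real HSM would use. The point it makes is that the relay can see framing but not content, and that the SIM rejects tampered or replayed messages.

```python
import hmac
import hashlib
import struct

# Constructed placeholder for the key that, in the deployment the article
# describes, is shared between the bank's HSM and the application's security
# domain on the SIM. It never leaves either side; the operator does not hold it.
SHARED_KEY = bytes(range(16))  # constructed, not a real key

TAG_LEN = 32  # HMAC-SHA256 output size


def derive_keys(master: bytes) -> tuple:
    """Split the shared master secret into separate encryption and MAC keys."""
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, counter: int, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based stand-in (assumption) for the
    block cipher a real HSM would use. Each message counter yields a fresh stream,
    so a counter is never reused under the same key."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">IQ", counter, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def bank_seal(master: bytes, counter: int, payload: bytes) -> bytes:
    """Bank side (HSM): encrypt-then-MAC the command destined for the SIM applet.
    Envelope layout (assumed): counter (4 bytes) || ciphertext || tag (32 bytes)."""
    enc_key, mac_key = derive_keys(master)
    stream = _keystream(enc_key, counter, len(payload))
    ciphertext = bytes(p ^ k for p, k in zip(payload, stream))
    header = struct.pack(">I", counter)
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def operator_view(envelope: bytes) -> dict:
    """What the mobile network operator's push channel can see: framing only.
    It can route and count messages but cannot read or alter the command."""
    counter, = struct.unpack(">I", envelope[:4])
    return {"counter": counter, "ciphertext_len": len(envelope) - 4 - TAG_LEN}


def sim_open(master: bytes, envelope: bytes, last_counter: int) -> tuple:
    """SIM side: verify the tag first, reject replays, then decrypt.
    Returns the accepted counter and the plaintext command."""
    if len(envelope) < 4 + TAG_LEN:
        raise ValueError("envelope too short")
    enc_key, mac_key = derive_keys(master)
    header, ciphertext, tag = envelope[:4], envelope[4:-TAG_LEN], envelope[-TAG_LEN:]
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison; any change in transit fails here before decryption.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message altered or not from the bank")
    counter, = struct.unpack(">I", header)
    if counter <= last_counter:
        raise ValueError("replayed or out-of-order message")
    stream = _keystream(enc_key, counter, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return counter, plaintext


if __name__ == "__main__":
    cmd = b"PERSONALISE card=placeholder"  # constructed sample command
    env = bank_seal(SHARED_KEY, 1, cmd)
    print("operator sees:", operator_view(env))
    print("SIM accepts:", sim_open(SHARED_KEY, env, 0))
```

The counter doubles as the nonce for the keystream and as the replay guard, which is why the SIM must persist the last accepted value; a production design would also bind the applet identifier into the MAC input so a message sealed for one application cannot be delivered to another.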
Brunswick said: “Protecting a password with encryption is done everywhere. PCI-DSS says you need to protect data but does not say how to.”
A key area for chip-based security is in the US; Knight said this is a major case for retro-fitting, with a move to issuing and accepting chip cards getting closer.
Knight said: “A step to mobile payments is not about making payment cards more secure; contactless mobile card payments use the same standards. In the phone, the SIM connects to the near-field communication (NFC) chip via a single wire protocol to make the SIM look like a contactless card, so you can make a payment.
“We have got to see a communal relationship between the bank and retailers as the technology is ahead of the market.”
A Forrester report commissioned by PayPal last year said that by 2016, UK mobile retail sales will reach £2.5bn, and consumers will be able to leave their cash at home and use their mobile "as the 21st century digital wallet".
Brunswick said this capability is not a question of technology, as it is already there – 2011 saw industry groups created and the first real mobile payment applications – but people are now investing more in security for the big push towards this reality.
“With mobile payments, the operator doesn't want a cut of the transaction, they want the data of users' shopping habits so they can give them offers. This is all aligned in a single application,” he said.