<http://www.itworldcanada.com:80/Mobile/ViewArticle.aspx?id=idgml-257f41ee-4005-4949-b75c-a2e55d52f3ec&format=Print>

Network World

Security's inseparable couple
By: Bob Brown
Network World (US) (07 Feb 2005)

The most familiar names in network security are neither vendors nor geeks: Try Alice and Bob.

Since Ron Rivest, Adi Shamir and Len Adleman - the R, S and A in RSA Security Inc. - introduced Alice and Bob in their seminal public-key cryptosystem paper in 1978, the couple has become the subject of countless security-related papers, test questions, speeches and even, ahem, jokes.

Alice and Bob were the names given to fictitious characters used to explain how the RSA encryption method worked, with the thinking being that using names instead of letters like A and B would make a complex subject easier to grasp. They are so commonly used that most security experts don't even give a second thought to reaching for them.

"They're like old friends," says Charles Kolodgy, research director for security products at IDC. "I use them the same way everyone else does. 'So the sender, Alice, is trying to message Bob. . . .'"

"I use them conversationally. Sometimes I use them in documents, as well," says James Cupps, information security officer at Sappi Fine Paper North America in Portland, Maine. "I often use them in training because they are easier than Machine A and Machine B."

Over the years, the Alice and Bob story line has become more complicated, something of a high-tech reality show. Not only are Alice and Bob trying to share a secret, say a Valentine's Day poem, but Carol and Dave want in and Eve is trying to eavesdrop. A whole cast of characters has been introduced to explain everything from micropayments to SSL to quantum cryptography.

"Cryptography is the one area of mathematics where there are people, not just numbers," says Bruce Schneier, CTO of Counterpane Internet Security Inc.
and author of Applied Cryptography, a book first published in 1994 that includes a table of "dramatis personae" headed by Alice and Bob (see graphic). "Alice and Bob are the links between the mathematical variables and the people."

Whitfield Diffie, Sun Microsystems Inc.'s chief security officer and co-author of the Diffie-Hellman key agreement protocol, says there is seemingly no end to this modern day Dick and Jane's adventures.

"(They have) appeared in fanciful circumstances in numerous papers carrying on their stormy relationship entirely over unprotected communication media and against the plots of their exes, the secret police," he says.

One gossipy headline in a trade journal teased: "Alice and Bob grow apart."

Some suspect the names stem from the swinging 1960s movie "Bob & Carol & Ted & Alice."

RSA co-founder Rivest, who is a Massachusetts Institute of Technology (MIT) professor, says he came up with Alice and Bob to be able to use "A" and "B" for notation, and that by having one male and one female, the pronouns "he" and "she" could be used in descriptions. Rivest says it is possible that Alice came to mind because he is something of an Alice in Wonderland buff.

Never did he expect the names to take on lives of their own. "Nor did I imagine that our proposed cryptosystem would be so widely used," he says.

Ask those in the know about Alice and Bob and you'll inevitably be pointed to an after-dinner speech delivered at a technology seminar in Zurich, Switzerland in 1984 by data security expert John Gordon. In his "Story of Alice and Bob," Gordon refers to the speech as perhaps "the first time a definitive biography of Alice and Bob has been given."

From the speech we learn that "Bob is a subversive stockbroker and Alice is a two-timing speculator" and that they've never actually met one another.
Gordon, who runs a consultancy in the U.K., sums up their story like this: "Against all odds, over a noisy telephone line, tapped by the tax authorities and the secret police, Alice will happily attempt, with someone she doesn't trust, whom she cannot hear clearly, and who is probably someone else, to fiddle (with) her tax returns and to organize a coup d'état, while at the same time minimizing the cost of the phone call."

Gordon, who has been in cryptography since 1976, says over the years he has taken the text of the speech off his company's Web site, only to put it back on because of reader demand. "Today, nobody remembers I invented Strong Primes (special numbers used in cryptography), but everyone knows me as the guy who wrote the story of Alice and Bob," he says. Gordon estimates the speech gets viewed about 1,000 times a month.

Security experts say Alice and Bob likely aren't going anywhere soon. Other names, such as Lucy and Desi, have been used, but without a following.

"I suspect that (Alice and Bob) will be around almost forever," says Joel Snyder, a senior partner with consulting firm Opus One. "In our business, we tend to live by very long and ugly traditions, and people are using terms now that were invented by MIT and Cal Tech undergrads in the 1970s -- mostly without knowing why or what. Consider 'hacker' for example."

Barry Stiefel, CTO for consulting and training company Information Engine and founder of the Check Point User Group, says he still gets "a wry little smile" whenever he hears or uses the names Alice and Bob.

"As soon as you say those names, everybody's already 5 minutes into the story's exposition and excited to hear where the plot will take us," he says.

-- 
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"...
however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'