Security's inseparable couple

R.A. Hettinga rah at
Mon Feb 7 09:33:56 PST 2005


Network World

Security's inseparable couple
By:  Bob Brown
Network World (US)    (07 Feb 2005)

 The most familiar names in network security are neither vendors nor geeks:
Try Alice and Bob.

 Since Ron Rivest, Adi Shamir and Len Adleman - the R, S and A in RSA
Security Inc. - introduced Alice and Bob in their seminal public-key
cryptosystem paper in 1978, the couple has become the subject of countless
security-related papers, test questions, speeches and even, ahem, jokes.

 Alice and Bob were the names given to fictitious characters used to
explain how the RSA encryption method worked, with the thinking being that
using names instead of letters like A and B would make a complex subject
easier to grasp. They are so commonly used that most security experts don't
even give a second thought to reaching for them.

 "They're like old friends," says Charles Kolodgy, research director for
security products at IDC. "I use them the same way everyone else does. 'So
the sender, Alice, is trying to message Bob. . . .'"

 "I use them conversationally. Sometimes I use them in documents, as well,"
says James Cupps, information security officer at Sappi Fine Paper North
America in Portland, Maine. "I often use them in training because they are
easier than Machine A and Machine B."

 Over the years, the Alice and Bob story line has become more complicated,
something of a high-tech reality show. Not only are Alice and Bob trying to
share a secret, say a Valentine's Day poem, but Carol and Dave want in and
Eve is trying to eavesdrop. A whole cast of characters has been introduced
to explain everything from micropayments to SSL to quantum cryptography.

 "Cryptography is the one area of mathematics where there are people, not
just numbers," says Bruce Schneier, CTO of Counterpane Internet Security
Inc. and author of Applied Cryptography, a book first published in 1994
that includes a table of "dramatis personae" headed by Alice and Bob (see
graphic). "Alice and Bob are the links between the mathematical variables
and the people."

 Whitfield Diffie, Sun Microsystems Inc.'s chief security officer and
co-author of the Diffie-Hellman key agreement protocol, says there is
seemingly no end to this modern day Dick and Jane's adventures.

 "(They have) appeared in fanciful circumstances in numerous papers
carrying on their stormy relationship entirely over unprotected
communication media and against the plots of their exes, the secret
police.," he says. One gossipy headline in a trade journal teased: "Alice
and Bob grow apart." Some suspect the names stem from the swinging 1960s
movie "Bob & Carol & Ted & Alice."

 RSA co-founder Rivest, who is a Massachusetts Institute of Technology
(MIT) professor, says he came up with Alice and Bob to be able to use "A"
and "B" for notation, and that by having one male and one female, the
pronouns "he" and "she" could be used in descriptions. Rivest says it is
possible that Alice came to mind because he is something of an Alice in
Wonderland buff.

 Never did he expect the names to take on lives of their own. "Nor did I
imagine that our proposed cryptosystem would be so widely used," he says.

 Ask those in the know about Alice and Bob and you'll inevitably be pointed
to an after-dinner speech delivered at a technology seminar in Zurich,
Switzerland in 1984 by data security expert John Gordon. In his "Story of
Alice and Bob," Gordon refers to the speech as perhaps "the first time a
definitive biography of Alice and Bob has been given."

 From the speech we learn that "Bob is a subversive stockbroker and Alice
is a two-timing speculator" and that they've never actually met one
another. Gordon, who runs a consultancy in the U.K., sums up their story
like this: "Against all odds, over a noisy telephone line, tapped by the
tax authorities and the secret police, Alice will happily attempt, with
someone she doesn't trust, whom she cannot hear clearly, and who is
probably someone else, to fiddle (with) her tax returns and to organize a
coup d'tat, while at the same time minimizing the cost of the phone call."

 Gordon, who has been in cryptography since 1976, says over the years he
has taken the text of the speech off his company's Web site, only to put it
back on because of reader demand.

 "Today, nobody remembers I invented Strong Primes (special numbers used in
cryptography), but everyone knows me as the guy who wrote the story of
Alice and Bob," he says. Gordon estimates the speech gets viewed about
1,000 times a month. Security experts say Alice and Bob likely aren't going
anywhere soon. Other names, such as Lucy and Desi, have been used, but
without a following.

 "I suspect that (Alice and Bob) will be around almost forever," says Joel
Snyder, a senior partner with consulting firm Opus One. "In our business,
we tend to live by very long and ugly traditions, and people are using
terms now that were invented by MIT and Cal Tech undergrads in the 1970s --
mostly without knowing why or what. Consider 'hacker' for example."

 Barry Stiefel, CTO for consulting and training company Information Engine
and founder of the Check Point User Group, says he still gets "a wry little
smile" whenever he hears or uses the names Alice and Bob.

 "As soon as you say those names, everybody's already 5 minutes into the
story's exposition and excited to hear where the plot will take us," he

R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

More information about the cypherpunks-legacy mailing list