COLUMN: Xenakis on Technology (10/31/00)

Expiration of RSA Encryption Patent Should End Sticker Shock
John Xenakis, October 31, 2000

Xenakis on Technology will appear each week in, covering technology topics of interest to financial executives. John Xenakis has been in the computer industry for over 30 years and a technology journalist for 20 years. From 1992 to March, 2000, he was Technology Editor of CFO Magazine and wrote the monthly TechWatch column.

Many companies have been shocked at the near six-figure or more licensing fees they’ve been forced to pay to incorporate security into their software to do business over the Internet.

Take Wake Forest University Baptist Medical Center, which is about to go live with a leading edge system to use e-mail to send patients’ lab test results and admission notices to referring doctors. “We wanted to make sure that this information is secured, so we’re encrypting the e-mail before it goes out,” says Joe Foster, Manager of system development.

The six-month implementation cost of the Winston-Salem, N.C.-based teaching hospital’s entire project is $250,000, and of that amount, $75,000 is licensing fees for the BSafe software from RSA Security Inc. Related technology from VeriSign Inc. was used as well. There will be no transaction or royalty fees.

“Although we were pressed for time,” says Foster, “we looked at other vendors, and we decided that RSA and VeriSign were leaders, and we were comfortable with their products and technology.”

What exactly is Encryption?

Encryption is the process of scrambling the bits and bytes of a message so that no one but the intended recipient can read the original message. Encryption can be used for other things as well, including credit card numbers or invoice information in an e-commerce application. Without encryption, any data transmitted over the internet is vulnerable to hackers.

Encryption has come a long way since you used a secret decoder ring to send scrambled messages to your friends as a kid. Almost any method that you might think of on your own to scramble your messages, no matter how clever you think it is, would be almost child’s play for many hackers to crack. Nowadays, uncrackable encryption requires tools based on the most advanced and sophisticated mathematics, and that’s the problem.

One of the most popular encryption algorithms, used in millions of software applications around the world today, was patented in 1983. The name of the algorithm is the RSA encryption algorithm, and the patent is held by RSA Security.

So if you wanted to do business securely over the Internet, you had to buy BSafe from RSA Security. And they weren’t too easy to do business with. They’d be happy to license BSafe to you to secure your data, but they charged you $75,000, $100,000 or more, plus transaction or royalty fees amounting to a fraction of your income.

That’s pretty discouraging–like General Motors selling you a car for $100K, and then demanding 10% of your income as well, since you need the car to get to work.

And RSA Security got away with it, too. Although the company and its clients won’t disclose prices, rumors are that some large e-commerce companies have been paying RSA Security several million dollars per year. That may be OK for the giants, but even small e-commerce companies were being charged annual six figure licensing and royalty fees — for nothing more than to use the RSA encryption algorithm.

But that’s all finally expected to change, now that the patent for the basic technology, the RSA encryption algorithm, expired in September.

Baltimore Technologies has been selling its KeyTools product, encryption software including the RSA algorithm, around the world for five years — except in North America. (Because of the newness of software patents in 1983 when RSA Security Inc. first got its patent, it’s never had any patent protection outside of North America.) Baltimore used to have licensing fees similarly onerous to those of RSA Security, but now has dropped them.

You can license their KeyTools Pro software for $9,000 per application, per platform, with no transaction fees. And they’ve even made a subset version, called KeyTools Light, available to be downloaded for free on their web site, with no licensing fees whatsoever.

RSA Security, meantime, isn’t going to drop prices at all, according to Michael Vergara, the company’s director of product marketing, who says that they have the best product. “The number of licensees keeps growing, even since the patent expiration,” he says.

Critical Path, a San Francisco-based developer of applications for running secure messaging over the internet, licenses both RSA’s BSafe and Baltimore’s KeyTools, and has always simply passed the licensing fees through to its own customers. They believe that RSA Security will have to cave in and lower prices.

“Our view is that this [patent expiration] is great for the security market, since now you can buy RSA products and Baltimore products, both of which deliver a lot of the same algorithms,” says Michael Sebinis, chief security officer. “Now there’s competition, which is always good for the customer and end user, and that’s very positive.”

However, David Thompson, an analyst with the Meta Group, believes that RSA Security will be able to keep its prices up, at least for a little while. “The other tool kits don’t do all the things that the RSA tool kits do. There are more bells and whistles that you can configure and modify – key sizes, different implementations for some algorithms, things like that,” he says. “However, with the patent expiration, there are going to be a lot more tool kits available from a lot more companies out there, and overall pricing will be dropping.”

Amdahl leaving the mainframe business

Amdahl Corp., a unit of Fujitsu, is announcing this week that it’s discontinuing its IBM compatible mainframe product line.

This is the second such defection, since Hitachi Data Systems also announced a pullout early this year. Neither company wanted to make the huge investment necessary to match IBM’s new 64 bit technology that’s coming in a couple of years. That means that the only major remaining company making IBM compatible System/390 mainframes is, well, IBM.

When I spoke to Carol Stone, Amdahl’s VP of server marketing, she wanted to be sure that I told everyone that Amdahl wasn’t abandoning its existing customers. “We’ll be making 32-bit machines until March, 2002, and servicing and supporting them for four or five more years,” she says.

Will IBM feel free to jack up prices, now that there is no more competition? Almost certainly not, according to Gartner Group analyst John Phelps.

“IBM has battled Amdahl for over 20 years, but now that they’ve won they may not have won,” says Phelps. “IBM has really believed for the past few years that their main competitor was not Amdahl or Hitachi, but Sun and HP.”

Both Sun Microsystems Inc. and Hewlett-Packard sell high-end systems that begin to approach the power of a mainframe and can run either Unix or Windows NT operating systems. Legacy application software was often written in a way that was dependent on IBM’s proprietary MVS mainframe operating system, but in recent years, much new application software has been designed to run on either mainframe or Unix platforms.

This means that IBM could charge different prices to different users, according to Phelps. “We believe that there is a potential for there to be a price differential for people looking to buy cheap legacy MIPS [mainframe computing power], where competition is disappearing, and people looking for new application areas, where Sun and HP compete, since if there is no competition, then the potential exists for the local teams to not give the best discounts.”
