Ed Scheidt is trying to make a point about cryptography, the transmission of meaning in a compressed form, hiding secrets in plain sight. He is a patient man, but also realizes that he is trying to deliver a lesson that blends philosophy and geekiness. He reaches across the table and hands a visitor a child's guide to Egyptian hieroglyphics.
It might seem absurd, but this is the way Scheidt -- whose tie shows a subtle pattern of hieroglyphics as well -- works. Scheidt is an avuncular, soft-spoken figure with a vaguely dreamy air who seems more like a scoutmaster, which he is, than a former CIA cryptography expert, which he was. When Scheidt left the agency in 1990, then-CIA director William Webster hailed him as "the Wizard of Codes."
After leaving the agency, Scheidt formed the company now known as TecSec Inc., a privately held Vienna-based firm that is trying to change the way the world looks at encryption.
Encryption, of course, is the technology for keeping secrets, whether on our hard drives or over the Internet. Computer programs scramble data, which can then be unscrambled only by someone with the proper "key" for doing so.
For the most part, encryption is incorporated into computer networks as an afterthought -- a software function that scrambles information before it's sent out over the Internet, or once it's stored on a hard drive. Scheidt went farther, contemplating a way to use encryption as an integral part of a computer network. TecSec's growing, changing system, called "constructive key management," can differentiate between users, letting each one see only the information intended for his eyes.
"It's not simply ones and zeroes and numbers -- it's a different philosophical approach," says John Petty, TecSec's chairman and former chief executive of Marine Midland Bank.
A company processing medical records, for example, holds information that many people might need -- but also a lot of information that shouldn't be available to just anybody. A low-level claims processor might be granted access to give the record an initial review, but would not get access to the patient's entire medical history. A reviewer of claims for unconventional therapies might get access to even more of the medical information in order to determine whether the insurer will approve the claim. A medical researcher should have access to the results of thousands of cases to see which treatments get the best results -- but should not be allowed to read the individual patients' names.
When the information is received on a Web page, the system can even redraw the page to accommodate the information it allows to go out, so that the screen doesn't look like a redacted document. The users with the highest level of access simply get more information on the computer screen.
Because the processing is done on the user's PC and not on the network, TecSec officials say, the process does not unduly burden the network as it grows. Although many companies are working on various solutions to the issues that TecSec has tackled, "I'm sure there's nothing out there with the sophistication that [Scheidt] has come out with," said Peter Schweitzer, a cryptanalyst at Information Security Systems Inc. in Baltimore.
Constructive key management is now being used by several government agencies and government contractors; the U.S. Postal Service has been evaluating it in a pilot program to move electronic versions of documents between government agencies with privacy and security.
It has been a long road to CKM. After leaving the CIA, Scheidt formed the company and set out on its first moneymaking venture: manufacturing portable satellite versions of the secure "STU-III" telephones used by the government. Scheidt says he made the first model at home, bending the metal for the carrying case in his basement workshop. The suitcase-sized phones became the mainstay of the U.S. Foreign Service and other government agencies; about 1,000 are in use around the world today.
But while the phones provided a steady income stream in the early days of the company, Scheidt wanted to do more. He hooked up with Petty and recruited businessman Jay Wack as president of the company based on his intimate knowledge of computer guts. At their first meeting, he simply asked Wack to look at a circuit board and describe where it came from and what it might do. Wack, taken aback, recalls that he did a fair job of describing the device and deciphering its function -- and then Scheidt thanked him and sent him on his way with little more conversation. On their second visit, Scheidt asked him to do it again. When Wack again rose to the challenge, Scheidt started the conversation that led to Wack's job.
As a Washington area firm built largely on the expertise of former government employees, TecSec has an approach to cryptography very different from that of companies such as industry leader RSA Security Inc., which often paints itself as an adversary to government plans to regulate encryption. Instead, TecSec looks to cooperate with government and to seek the opportunities that can be found there. "We're trying to look at it, definitely, in a non-adversarial role," Scheidt says.
So the product does what the Clinton administration says it wants to see in encryption products: It allows the company to go back and recover the key used in any transaction so that the information can be retrieved under a search warrant; that's why the government has given the product free right of export even though its software uses encryption far more powerful than what it usually allows.
The user's information resides on "smart cards," which can be tricky to use -- especially if employees refuse to carry them or use them. But Petty says there are ways to ensure that people carry their smart cards: "If you put a lock on the men's room that requires the use of the card, they're going to use it."
Scheidt suggests that the system might eventually move to a biometric password system based on the user's fingerprint or retinal scan. "People might give up their password, but they probably aren't going to cut off their finger," Scheidt said.