November 7, 2000

Little fish, big fish, twofish: John Kelsey of Counterpane Internet

Author: JT Smith

By Julie Bresnick
NewsForge Columnist
Open Source people

I have no idea what John Kelsey is talking about. Our conversation is like a
parody. It could be a Saturday Night Live skit in which a collegiate
Gore
and Bush are paired on a science project.

John Kelsey is a security architect at Counterpane
Internet
Security, and the co-author of almost 30 papers on crypotography including the Street
Performer
Protocol
paper that inspired
Jesse Vincent
's OpenCulture.Org, and the Twofish block cipher
that
became a finalist at the Advanced Encryption Standard Development Effort(AES).

We are discussing an article I read in the Boston Globe on how solving
Minesweeper could prove encryption to be inadequate.

I'm sure the only accurate response I can make besides "a-ha,"
"sure-sure," and "yeah, I follow," (which, of course I don't) is "wow,
this
is complicated stuff." But even that turns out to be inaccurate.

"It's complicated in a sense that the words are complicated,"
explains Kelsey, "but the concepts really are not." I go back and review
my
notes on the several minutes he dedicated to explaining the trouble
with ... what, I'm not sure. My notes are scattered with question marks
and
sophisticated computer terms like "NP complete," "polynomial,"
"linear,"
"deterministic." I copy the terms on the front of index cards and
stick
them on my pile of vocabulary cards provided by a GRE review course.

Context indicates that it has something to do with cryptography.

The concept, he explains, is that "some problems are just a pain to
do on
a computer." Sure, sure, I can handle that. "OK, when you try to
dress it
up in math it gets harder. But then you can make some really precise
statements." Yup.

The Street Performer Protocol paper is probably the only one of
Kelsey's
papers I can even begin to understand. The majority of his work is
more
about science than law. But after speaking with him further, the
deviation is
not so surprising.

In fact, law and politics are what got him into cryptography in the
first place. He was finishing up an undergraduate degree in Computer
Science at University of Missouri at Columbia. He had heard a fellow
student mention the RSA, but other than that he knew very little about
cryptography--until he saw people debating the politics of it on
listservs.
He was intrigued. He jumped in. To better support his arguments he
started
educating himself. Finally, it was the math that sealed the deal. He
was
hooked.

It wasn't long after that he met Bruce Schneier in a
discussion group. The first edition of Applied Cryptography had just been
published and
Kelsey, being his voracious self, discovered some typos in the book's
formulas. He sent them in an email to Schneier. Schneier began
contracting
projects out to Kelsey and eventually took him on as Counterpane's
employee
number one.

Though his 33 years makes him among the oldest of my
subjects,
Kelsey has only had one other employer since college. Before
Counterpane he
worked for the Missouri Department of Corrections.

"Sometimes we would work with inmate programmers. You had to go
into a
locked facility to work with them. It was really odd.

"It wasn't anything like I would have expected. There were some
very
smart people, and almost none of them denied guilt, and they were some
pretty
serious criminals -- armed robbery, murder. I would have assumed that
they
would be a lot less intelligent. There was one guy I remember. I've
interacted with a lot of people at cryptoconferences who have degrees
from world-class places and I don't think any of them were as smart as this
guy."

When they moved the programmers into the administration building of
the
prison itself, Kelsey decided it was time to move on. That's when
Schneier
suggested he work for Counterpane. It's an interesting juxtaposition: first the
department of corrections, and then the cutting edge of Internet
security.

It's this kind of juxtaposition I so enjoy. It reminds of the
thrill when I meet a hard-core intellectual with a serious Boston
accent.
And it is the kind of unlikeliness that marks more than just Kelsey's
employment
history.

Kelsey grew up south of Paris and northeast of Columbia,
in a
small town right outside of Mexico ... Missouri. Mexico, Missouri, is
where
John's father ran the county program for mentally retarded adults. The paradox isn't just that a guy as bright as John grew up in a
family
supported by special education,
but
that he went into a profession so worldly after a youth spent in a town
with a population of 3,000. It was too remote even for cable
television. There were not a lot of neighbors. Distraction, let alone technology, was
limited.

He was 14 when his mother finally responded to his pleas and
brought home a VIC20. It had few rivals for John's attention, which he
first
dedicated to learning BASIC. He wrote games simple enough for his
sister,
six years his junior, to play. Roughly 15 years later Kelsey is
one of
six authors of Twofish, which was
recently one of the five finalists in the AES
Development Effort conducted by the National
Institute of Standards and Technology
. The AES will
"specify a
cryptographic algorithm for use by U.S. government organizations to
protect
sensitive (unclassified) information." The only thing in common with where he started and where he is, is that they are both extremes, nowhere to
somewhere, a regular small-town-boy-goes-big story. Small fish in a
small
pond to big fish in very big pond.

He had never even been on a plane until he was 22. Now he
flies
all over, presenting papers that could influence the future of
our
nation's security.

Considering these credentials, an endorsement
would
be favorable, but Kelsey is not overly enthusiastic about the security
benefits of Open Source.

"I don't think there's anything magical about Open Source. Having
it
available so people can evaluate it is good for code review but in the
end
it only matters how many eyes are really reviewing it."

Like his boss Schneier, Kelsey believes that analyzing cryptography is complicated,
and
the most important thing is that it be reviewed by people who know how
to.
Whether they are within a private organization or not is secondary.

Nevertheless, he respects the benefits of Open Source and even
hopes to
originate a project of his own. He is working with a
company
(that he doesn't want to commit on record) to develop a second
generation of
Yarrow, a
random
number generator, which he hopes the Open Source community will
eventually
have the opportunity to sink its teeth into.

He also astutely equates the paper publishing process with that of
Open
Source code development.

"You actually feel like you're making the world an unambiguously
better
place. You produce information and make it freely available. You
don't
actually get paid but your reputation is enhanced."

Sounds like he does, after all, speak a familiar language.

Category:

  • Linux
Click Here!