About Grady Paul Gaston

Based in Huntsville, Alabama, Grady Paul Gaston, III, is a talented and accomplished software engineer and entrepreneur with over three decades of experience. Gaston co-founded a defense contracting company in 1990, which became a leader in the tech industry, and a digital signature company in 1995. Grady served as an officer of both companies for over 16 years. Government agencies and commercial enterprise clients trusted his companies to deliver solutions to complex problems and oversee large-scale projects.

The Early Years: His Passion for Computers

While working towards his Bachelor’s degree, Grady Paul Gaston began working as a courier for the Computer Sciences Corporation. His position with the company launched his passion for computers and technology. Between deliveries, he would spend all his time with the computer operators, who taught him a great deal about programming—so much so that when an emergency arose, Gaston could handle it. His talent and fortitude landed him a job as a programmer, where his interest in computers and technology expanded, and he never looked back.

He later began working for the United States Army Corps of Engineers. As a junior in college, he became the USACE’s youngest software analyst, earning a reputation as one of the best programmers.

His Education

Gaston has a dual Bachelor of Science degree in Finance and Management from the University of Alabama, Huntsville, and a Master of Science Degree in Software Engineering from Southeastern Institute of Technology. He is also a Certified Data Processor by the Institute for the Certification of Computer Professionals.

Gaston received the University of Alabama Huntsville Life-Time Achievement Award in 2002. He served as a University of Alabama Huntsville Capital Management Board Group Member in 2002, was the President of the University of Alabama Huntsville Alumni Association in 2006, and was a Board of Trustees member in Alabama School Systems in 2007.

A Bespoke Legacy

His legacy includes developing a financial management system, which was selected as the Defense Department (DoD) standard and is the only financial system to pass the CFO Act of 1990 for 15 consecutive years with no exceptions. Gaston is also known for pioneering digital signatures and smart cards (chips on cards). He first implemented this technology in 1991 in cooperation with the National Institute of Standards and Technology (NIST) and the Government Accountability Office (GAO). His copyrighted digital signature software is the most widely used in the Department of Defense and has over four million users.

Gaston’s vision

Gaston’s vision in forming the two companies was to provide the most effective software solutions to the emerging technology landscape. This involved building many custom applications to manage their software, including Engineering Change Proposal (ECP) systems, Data Dictionaries, and Configuration Management Systems long before such commercial applications were available. Having worked under Defense Department contracts, his software belonged to the DoD and, therefore, was not commercially available. However, when solving the electronic signature problem, Gaston preserved his digital signature rights. His proudest accomplishment is pioneering digital signatures while developing a financial management system for the US Army Corps of Engineers. Waiting on wet signatures had been the biggest bottleneck of the Corps’ financial workload, sometimes with as many as six-month delays waiting on signed documents to be mailed.

Obstacles to the Solution

The US Army Corps of Engineers (USACE) is a vast agency with many accomplishments. For instance, the Manhattan Project that developed the first atomic bomb was the work of USACE.

Therefore, a solution to the biggest problem facing the Corps’ finance and accounting required upper brass buy-in and congressional support. USACE is the only DoD agency that receives both military and civil funds. So, USACE must answer to the Government Accountability Office (GAO) and the Office of Management and Budget (OMB).

Legally Binding Signatures

Gaston met with the Deputy Director of GAO while his Government client met with OMB. The bottom line was that the National Institute of Standards and Technology (NIST) had to provide the standards for USACE to follow before GAO would sanction the digital signature solution as legally binding. Timing is everything. It just so happened that NIST was drafting FIPS Pub 140-1. This Federal Information Processing Standard addresses the problem of how to ensure that a message is authentic. Its four fundamental rules were: 1) the signing had to be under the signer’s control, 2) the signer had to see all the data they were signing, 3) the signature had to be verifiable, and 4) the signature verification had to fail if any bit of data was changed. Between late 1991 and early 1992, the USACE financial system had a prototype of electronic signatures called “ESIG.” By 1993, GAO had sanctioned Grady’s implementation as “legally binding.”

How it worked

Grady Paul Gaston’s meeting with GAO resulted in the necessary criteria for implementation before his solution could be sanctioned as legally binding. The biggest worry at this point was fraud. The ESIG implementation used symmetric key technology. In layperson’s terms, this means that the key used to encrypt is the same key used to decrypt. The “message” or document being signed is “hashed” down into 20 bytes of data. Then, the hash output is signed (encrypted) with a symmetric key. The criteria required by GAO included “split-knowledge, dual-control.” This meant no one could make a signature with just their own key. Two keys are combined to create a third key, and the document is signed with the third key.

Security of the Keys

Knowing a password is insufficient for the security of a technology responsible for disbursing billions of tax-payer dollars. A more robust key protection scheme is required. In Europe, plastic cards shaped like credit cards with computer chips were used as wallets. The chip is not just memory but has all the requirements to be classified as a computer, known as a smart card. This was our solution, but no one in the US was using it. Gaston had a lot to learn about this new technology quickly. NIST issued specifications, and many vendors answered with cryptographic board prototypes that had to be installed in the PC and communicated with the “smart card” through a card reader. That computer had to respond to a challenge test by the smart card before access was granted. This was done via the password prompt. However, the password was never to pass through the PC’s CPU. Otherwise, spy software could grab it. Thus, a “keyboard intercept” cable acted as a gateway and routed only the password response through the cryptographic board in the PC, bypassing the CPU. The cryptographic board had a unique cover so that the keys would immediately be erased if it was ever tampered with.

The cryptographic board required two smart cards to log in. The first, the Security Administrator (SA card), was logged in and removed. Its key was held in memory on the cryptographic board. Then, the user’s smart card was logged in and left in the reader to function. The bits of the two keys were XOR’d together to create a unique key. The 40-byte hash was then encrypted with the unique key.

Smart cards and their keys and passwords were generated at a “Key Translation Center” by a highly secured computer that held a copy of all the keys. To verify a signature, the data had to be hashed and signed again by the same XOR unique key to see if the two encryptions matched. To get the XOR key, requests were sent to the Key Translation Center to retrieve the unique XOR key. Gaston’s team built two Key Translation Centers to service USACE, an organization with 30,000 savvy card users.
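The three preceding paragraphs describe the ESIG signing and verification flow: hash the document, XOR the Security Administrator key with the user key to derive a third key that neither card holds alone, sign the hash with that derived key, and verify by re-deriving the key (via the Key Translation Center) and recomputing. The following is an added illustration written for this page, not ESIG's code or any code from Gaston's companies. It assumes constructed 16-byte card keys, uses SHA-1 for the 20-byte hash, and substitutes an HMAC over the hash for the page's "encrypt the hash with the symmetric key" step, since the point being shown is the split-knowledge property and the fail-on-any-bit-change rule, not the cipher.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample card keys for illustration only. In ESIG the SA key was
# read from the Security Administrator card and the user key from the user's
# card; here they are fixed bytes so the example runs offline.
SA_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
USER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


class KeyTranslationCenter:
    """Stand-in for the page's Key Translation Center: it holds a copy of every
    card key and answers requests for the XOR-derived key of a card pair."""

    def __init__(self) -> None:
        self._card_keys: Dict[str, bytes] = {}

    def issue_card(self, card_id: str, key: bytes) -> None:
        self._card_keys[card_id] = key

    def derived_key(self, sa_card: str, user_card: str) -> bytes:
        return combine_keys(self._card_keys[sa_card], self._card_keys[user_card])


def combine_keys(sa_key: bytes, user_key: bytes) -> bytes:
    """Split-knowledge, dual-control: XOR the two card keys bit by bit.
    Neither card alone reveals the signing key."""
    if len(sa_key) != len(user_key):
        raise ValueError("card keys must be the same length")
    return bytes(a ^ b for a, b in zip(sa_key, user_key))


def hash_document(document: bytes) -> bytes:
    """SHA-1 yields the 20-byte digest the page describes."""
    return hashlib.sha1(document).digest()


def sign_hash(digest: bytes, signing_key: bytes) -> bytes:
    # Assumption: HMAC-SHA256 over the digest stands in for encrypting the
    # digest with the symmetric key; the verification logic is the same.
    return hmac.new(signing_key, digest, hashlib.sha256).digest()


def sign(document: bytes, sa_key: bytes, user_key: bytes) -> bytes:
    """Signing station: both cards were presented, so both keys are in hand."""
    return sign_hash(hash_document(document), combine_keys(sa_key, user_key))


def verify(document: bytes, signature: bytes, ktc: KeyTranslationCenter,
           sa_card: str, user_card: str) -> bool:
    """Verifier: fetch the derived key from the center, hash and sign again,
    and compare in constant time."""
    expected = sign_hash(hash_document(document), ktc.derived_key(sa_card, user_card))
    return hmac.compare_digest(expected, signature)


def demo() -> Tuple[bool, bool, bool]:
    """Returns (genuine verifies, one flipped bit fails, single-key forgery fails)."""
    ktc = KeyTranslationCenter()
    ktc.issue_card("SA-0001", SA_KEY)
    ktc.issue_card("USER-0042", USER_KEY)

    # Constructed sample document: a disbursement record as the signer saw it.
    document = b"voucher=V-1991-0007;payee=ACME Supply;amount=12500.00"
    signature = sign(document, SA_KEY, USER_KEY)

    genuine_ok = verify(document, signature, ktc, "SA-0001", "USER-0042")

    # Rule 4 from FIPS 140-1 as the page summarises it: any changed bit must fail.
    tampered = bytearray(document)
    tampered[-1] ^= 0x01                      # 12500.00 -> 12500.01
    tampered_ok = verify(bytes(tampered), signature, ktc, "SA-0001", "USER-0042")

    # Dual control: a signature made with the user key alone does not verify.
    user_only = sign_hash(hash_document(document), USER_KEY)
    user_only_ok = verify(document, user_only, ktc, "SA-0001", "USER-0042")

    return genuine_ok, tampered_ok, user_only_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The derived key never leaves the signing station or the Key Translation Center in this model; a verifier that only has one card's key cannot produce or check a signature, which is the split-knowledge guarantee GAO asked for.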

Since the passwords were assigned once and never changed, NIST wanted them memorized and never written down. Thus, they wanted the Key Translation Center to generate 6-character pronounceable passwords. These were printed on an inkless, impact envelope that the SA and User would open, memorize, and destroy. Unintentionally, some very offensive passwords were made.

New Clients

Once again, timing is everything. Grady Gaston’s team had just finished deploying the USACE financial system in 1996 when they learned that the US State Department had developed a new financial system for the US Embassies worldwide. The Program Director asked GAO for guidance on signing information electronically. GAO pointed to the USACE implementation and said to follow it for the new system to be sanctioned as legally binding. When the State Department approached Grady Gaston, he could already see the potential for this technology. However, with cryptographic boards, keyboard intercepts, and Key Translation Centers, the cost was prohibitive for most organizations. In addition, there was no solution for laptops without purchasing a “Signet” device that Gaston’s company developed. The device was an encased cryptographic module connected to the laptop’s port. It caused consternation at TSA counters.

It took about six months to implement the ESIG solution for the US State Department, after which the US Census Bureau approached Gaston about implementing the electronic signature solution in their newly built travel system. The Bureau was gearing up for the year 2000 and wanted their travelers to sign documents while on the road. Because of lessons learned from the State Department implementation, it only took three months to implement the solution for the Census Bureau, but that still was not good enough for Gaston. It was time to develop a “drop-in” product.

The Drop-In Solution

An algorithm invented back in the 1970s by MIT professors turned out to be the answer. When professors Rivest, Shamir, and Adleman (RSA) invented their algorithm, they called it “a solution in search of a problem.” It works by encrypting data with one key and decrypting it with another. This made it possible to give out your decrypting key freely, while only you could use your encrypting key. This is called the public/private key pair and is generated by special processors called Certificate Authorities (CAs). This eliminated the need for cryptographic hardware modules, keyboard intercepts, and Key Translation Centers, thus costing pennies per user rather than hundreds per user.

A drop-in product was born by taking the ESIG signing solution and combining it with the RSA algorithm. Gaston’s team named the software “DBsign,” as in “Database Signing.” Gaston’s solution signs the data as it resides in the database. The philosophy behind DBsign® is that the data can be presented in any format or font. However, the signature will still be verified because the database information is signed, not the stale, online formatted document. Gaston also adopted the term “digital signature” for his solution because “electronic signature” broadly includes signatures that do not involve encryption.
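The two preceding paragraphs make two points: with RSA the signing (private) key stays with the signer and the verification (public) key can be handed out freely, and signing the database record rather than a rendered document lets the same signature verify no matter how the data is later displayed. The following is an added illustration written for this page, not DBsign's code or any code from Gaston's companies. It uses textbook RSA on a constructed toy modulus built from two small Mersenne primes, with no padding, purely to show the public/private split and the canonical-record idea; real deployments use standardised key sizes and padding.

```python
import hashlib
import json
from typing import Dict, Tuple

# Constructed toy key pair: modulus from the Mersenne primes 2^89-1 and 2^107-1.
# Far too small for real use; it exists only so the example runs offline.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q                                   # public modulus (~196 bits)
E = 65537                                   # public exponent, handed out freely
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent, kept by the signer


def canonicalize(record: Dict[str, object]) -> bytes:
    """Serialize the database fields in a fixed order so the same stored data
    always produces the same bytes, whatever screen or report shows it."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def digest_as_int(data: bytes) -> int:
    """SHA-1 digest (160 bits) as an integer, which is smaller than the toy modulus."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def sign_record(record: Dict[str, object], private_exponent: int = D,
                modulus: int = N) -> int:
    """Signer 'encrypts' the record hash with the private key (textbook RSA)."""
    return pow(digest_as_int(canonicalize(record)), private_exponent, modulus)


def verify_record(record: Dict[str, object], signature: int,
                  public_exponent: int = E, modulus: int = N) -> bool:
    """Anyone holding the public key 'decrypts' the signature and compares it
    with a fresh hash of the stored record."""
    return pow(signature, public_exponent, modulus) == digest_as_int(canonicalize(record))


def render_plain(record: Dict[str, object]) -> str:
    """One presentation of the same stored record."""
    return f"Voucher {record['voucher']}: pay {record['payee']} ${record['amount']:.2f}"


def render_html(record: Dict[str, object]) -> str:
    """A differently formatted presentation of the same stored record."""
    return (f"<tr><td>{record['voucher']}</td><td>{record['payee']}</td>"
            f"<td>{record['amount']:,}</td></tr>")


def demo() -> Tuple[bool, bool, bool]:
    """Returns (verifies under plain rendering, verifies under HTML rendering,
    verifies after the stored amount is altered)."""
    # Constructed sample database row.
    row = {"voucher": "V-1999-0311", "payee": "ACME Supply", "amount": 12500.0}
    signature = sign_record(row)

    # Both renderings are derived from the same row, so both verify against it.
    plain_ok = render_plain(row) != "" and verify_record(row, signature)
    html_ok = render_html(row) != "" and verify_record(row, signature)

    # Altering the stored data, not the display, breaks the signature.
    altered = dict(row, amount=12500.01)
    altered_ok = verify_record(altered, signature)
    return plain_ok, html_ok, altered_ok


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Because the verifier only needs `E` and `N`, no Key Translation Center is consulted and no shared secret is distributed, which is what removed the per-user hardware cost described above.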

When Northrop Grumman chose DBsign as the signature methodology for the Defense Travel System, it became the de facto standard for the Department of Defense, and the rest is history.

Gaston’s Additional Accomplishments and Milestones

In addition to pioneering the first digital signature solution and receiving the first GAO sanctioning of a digital signature implementation as “legally binding,” Gaston’s list of achievements is numerous and includes the following: providing key input to the DoD Public Key Infrastructure (PKI) Roadmap (2000); receiving the first Joint Interoperability Test Command (JITC) certification of a digital signature solution (2001); having his digital signature solution selected for DoD-wide deployment (2003); receiving the first National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) assessment (2005); receiving NIAP CCEVS validation for a second time (2011); developing digital signatures for mobile devices (2016); deploying digital signature solutions to cloud technologies (2018); and receiving the Cybersecurity Maturity Model Certification (CMMC) Level 2 Assessment (2023).

Gaston’s Hobbies

One of his hobbies is maintaining the Sim Corder/Harrison Mill, which he restored in 2005. It was built by Sim Corder at the start of the 1900s and run by Gaston’s great-grandfather, George Harrison. It was decommissioned, and his grandfather sold the waterwheel in 1939. Gaston found the original waterwheel, repurchased it, and moved it back to the mill, restoring it to its original position. In an article by David Haynes, a freelance writer from Blount Springs, Grady’s Mill was featured in the October 2009 issue of Alabama Living. To see the mill, take Highway 99 northwest of Athens, Alabama, and go about 15 miles to the Salem community. The mill is on Gaston’s farm at the bottom of the hill past the community.

Another of Gaston’s hobbies is fitness. Having been a runner-up in Athlete of the Year in elementary school many years ago, he realized he had exceptional upper body strength for his size. He was on the wrestling team in high school and could bench press 175 lbs while weighing only 120 lbs. Recently, he read that only 17% of gym-going males can bench 225 lbs, so he made it his goal to do so. He is probably among the much smaller percentage of males over 60 who can do so. Part of his exceptional benching ability is due to a commitment he made at the age of 30. He decided that he would always strive to do his age in push-ups on his birthday. He had not failed, even on a birthday in his mid-50s when he had separated his shoulder just 8 weeks prior. An added benefit is heart health. An article written in 2019 at the Harvard School of Public Health states that men who can do 40 push-ups have a significantly lower risk of cardiovascular disease.