Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Encryption Security Technology

NSA Turns To Commercial Software For Encryption 264

Posted by simoniker
from the chinese-government-buys-certicom dept.
Roland Piquepaille writes "According to eWEEK, the National Security Agency (NSA) has picked a commercial solution for its encryption technology needs, instead on relying on its own proprietary code. "The National Security Agency has purchased a license for Certicom Corp.'s elliptic curve cryptography (ECC) system, and plans to make the technology a standard means of securing classified communications. In the case of the NSA deal, the agency wanted to use a 512-bit key for the ECC system. This is the equivalent of an RSA key of 15,360 bits." This summary includes the NIST guidelines for public key sizes and contains more details and links about the ECC technology. Since the announcement, Canadian Press reports that Certicom's shares more than doubled in Toronto."
This discussion has been archived. No new comments can be posted.

NSA Turns To Commercial Software For Encryption

Comments Filter:
  • FUD (Score:4, Funny)

    by ChozCunningham (698051) <slashdot.orgNO@SPAMchozcunningham.com> on Sunday October 26, 2003 @11:33AM (#7313831) Homepage
    Shouldn't we demand an open source solution? ;)
    • Re:FUD (Score:5, Insightful)

      by jdhutchins (559010) on Sunday October 26, 2003 @11:54AM (#7313925)
      You can bet that NSA demanded the source code. I don't think they'd trust something they can't see the source to for their security. As for them buying a closed-source or open-source, to them it doesn't matter, they'll get the source anyways.
      • Re:FUD (Score:5, Informative)

        by randyest (589159) on Sunday October 26, 2003 @12:46PM (#7314127) Homepage
        I'll take that bet aginst you. The NSA didn't demand the source code, they wrote the source code. Note that NSA is not buying some software tool, they are licensing a patented encryption concept. The NSA will implement this ECC encryption technology in many different ways, on their own:

        This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a limited field of use. The field of use is restricted to implementations of ECC that are over GF(p), where p is a prime greater than 2256.

        • " This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a limited field of use."

          Who the hell in their right mind is going to license this from the NSA?

          The NSA - You Can Trust Us Not To Implement Backdoors(TM).

          • Re:FUD (Score:5, Insightful)

            by randyest (589159) on Sunday October 26, 2003 @03:14PM (#7314685) Homepage
            Who the hell in their right mind is going to license this from the NSA?

            Uh, anyone who wants to do business with or exchange sensitive info (read: pretty much anything) with the NSA. If that's you, you'll most likely have to use this to talk to them about anything important. So, it seems logical that they've acquired the ability to grant sub-licenses -- that way you can be provided with tools to encrypt and decrypt communication that works with the NSA-specific implemntation of this patented ECC concept.

            Maybe you were thinking that the NSA is going to release commercial products based on ECC? I don't think so. They'll probably leave that to Certicom and just use the licensed technology for thier own use rather than resale.
      • by Kenja (541830)
        They don't need to demand the source code. They just need to copy it over. Unless the deveopler has his tin foil hat on.
    • Re:FUD (Score:5, Informative)

      by quadelirus (694946) on Sunday October 26, 2003 @12:22PM (#7314052)
      I stated this in another post, but I've got a link now:

      The NSA is not lisencing software, it is lisencing the right to use Certicom's ECC cryptosystem. Cryptosystems now are usually known even when proprietary to allow mathematicians and cryptographers the ability to test the security of it. (The RSA cryptosystem for instance is thoroughly explained on RSA's web-site, but you would still need a lisence to use the algorithm in a program)

      I found a tutorial by Certicom on their ECC cryptosystem here [certicom.com].

      PS. I could be wrong, but from the article it seems that "intellectual property" and "This is the first time that the NSA has endorsed any sort of public-key cryptography system." that they are not actually lisencing software but are in fact lisencing the cryptosystem. If I am wrong, I humbly apologize.
      • Re:FUD (Score:3, Interesting)

        by AKnightCowboy (608632)
        PS. I could be wrong, but from the article it seems that "intellectual property" and "This is the first time that the NSA has endorsed any sort of public-key cryptography system." that they are not actually lisencing software but are in fact lisencing the cryptosystem. If I am wrong, I humbly apologize.

        Well, before they just used it and didn't bother asking for permission. This isn't that big of a deal. The only thing out of the ordinary is they asked before using it. Nothing is stopping the NSA from i

        • No. Part of being a counrty based on the rule of law is that even the government must obey the law. You might notice that a deceant part of constitutional law is laying out things the government may not do. Now there are, of course, many politicians and agencies that try to ignore this, and try to be above the law, but it can blow up on you.

          So say the NSA does take this patented technology and use it without a liscence. Certicom discovers this. Well, then they'll take them to court. Yes, government agencie
      • Re:FUD, but whose? (Score:4, Insightful)

        by tchdab1 (164848) on Sunday October 26, 2003 @03:46PM (#7314822) Homepage
        Given the secretive nature of the organization, it's possible (I have no proof or even inuendo) that the NSA is licensing technology that they themselves developed independently, perhaps even prior art.
        They could have determined that this is the preferred technology to use publically at this time, and then require the license in order to operate with it in the public domain.
        James Bamford's more recent review of the NSA documented an employee's discovery of public-key cryptography prior to Diffie's. They can't patent an invention without public disclosure (I presume), and they can't avoid licensing patented technology without proving prior art, which they must be reluctant to do - they would need to disclose when they discovered it. So, if all this presumption is true, from now on they'll be forced to license technology they they themselves created in order to keep the lid on their capabilities.
  • by MongooseCN (139203) on Sunday October 26, 2003 @11:36AM (#7313841) Homepage
    What if a company is suspicious of the NSA not following the license it was given? It's not like the government is going to let a commercial company into the NSA to audit all its computer systems. I suppose it will all be done on the honor system.
    • the government doesn't need to care about licensing costs. the government buys extra, and more extra.
    • I doubt the company cares much. The publicity and market attention they will receive from this deal will be more than enough to compensate for any licensing wrongdoings.
    • by randyest (589159) on Sunday October 26, 2003 @12:04PM (#7313966) Homepage
      The NSA practically can't not follow the license -- it's world-wide and allows granting sub-licenses, and is only restricted to use above a certain security level. The NSA would have to use relatively insecure implementations of the technology to violate the license, and I think that's unlikely:

      Certicom Corp. (TSX: CIC), a leading provider of wireless security solutions, today announced that the National Security Agency (NSA) in Maryland has purchased extensive licensing rights to Certicom's MQV-based Elliptic Curve Cryptography (ECC) intellectual property. ECC is becoming a crucial technology for protecting national security information.

      This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a limited field of use. The field of use is restricted to implementations of ECC that are over GF(p), where p is a prime greater than 2256. Outside the field of use, Certicom will retain all rights to the technology for other industries that require the same levels of security, including state and local government agencies. Certicom will continue its policy of making its intellectual property available to implementers of ECC under normal commercial terms on a non discriminatory basis.
  • If true it sends a signal. They currently dont have a quantum computer (and therefore expect no one else does or will in a reasonable amount of time). However I do remember seeing a standard created to do a form of digital signatures only with conventional encryption (which is not in general "breakable" by quantum computers like "hard problem" public key cryptography).
    • How on EARTH did you come to that conclusion? Are you saying that if they had a quantum computer they should just throw their hands up in the air for anything else, and not get it as tight as possible? Or that if they have a single quantum computer, that they would necessarily have hundreds of thousands (if you can make one, then you can make millions?), and therefore would be able to distribute classified documents/transmitions with ease? It would be pointless if the same capability didn't exist on both
      • I think you misunderstand the comment. I understood that JDotBomb was saying that any agency that had a quantum computer (therefore able to break RSA type encryption in a blink) wouldn't be spending money on or trusting an RSA system. They'd be using one of the encryptions that aren't broken by the tool that quantum.

        -Sam
    • Don't be so naive. They might be procuring this software just to make people (us, other governments) /think/ they don't have a quantum computer. People happily go on using our 2048-bit GPG keys assuming no QC exists, the NSA happily break all the crypto.

      Just 'cause you're not paranoid don't mean they're not out to get you!
  • Gosh, I bet this had nothing to do with the fact that NSA insiders held a lot of Certicom stock.

    Nah, that kind of thing never happens. It's tinfoil-hat thinking. It's as unlikely as the President sexually abusing one of his interns.

  • Size of key (Score:4, Insightful)

    by ptaff (165113) on Sunday October 26, 2003 @11:49AM (#7313901) Homepage
    ...the agency wanted to use a 512-bit key for the ECC system. This is the equivalent of an RSA key of 15,360 bits.


    Brute-force decoding of these schemes is not recommended for the faint of heart, but I wonder: how can they tell that a 2 ^ 512 possibility range is as secure as a 2 ^ 15360 probabilities scheme?

    If I can reduce a RSA 1024 bits to a new method using only 4 bits, how can my way be as secure?

    • Re:Size of key (Score:5, Informative)

      by espo812 (261758) on Sunday October 26, 2003 @12:01PM (#7313956)
      I wonder: how can they tell that a 2 ^ 512 possibility range is as secure as a 2 ^ 15360 probabilities scheme?
      Because breaking RSA does not involve brute forcing the bits, it involves factoring huge ass numbers into primes. Look up the differences between symmetric and asymmetric (or private and public) key cryptosystems.
      • But they are both public key cryptosystems!

        And yes, they both pretty much involve brute forcing the bits to try to crack the message. It just happens that ecc problem is lot harder than large number factorization (computationally and conceptually too). If you know how to factor huge ass numbers without brute forcing let the nobel committee know as you may be eligible for next year.
        • There are many algorithms for factoring large numbers without brute-forcing every conceivable possibility. Obviously, there are none fast enough to damage RSA's security (at least, none that are publicly known).
        • If you know how to factor huge ass numbers without brute forcing let the nobel committee know as you may be eligible for next year.
          What like the General Number Field Sieve [nfsnet.org]? Let them know for me, but I doubt they'll be too interested.
          • Yes, there is the general number field sieve, but still for all practical purposes you're brute forcing. Complexity is reduced to something like O(exp((c*(logn)^(1/3)*(loglogn)^(2/3))) where n is the length of number in bits.
    • Re:Size of key (Score:3, Informative)

      by inburito (89603)
      Maybe because discrete logarithm problems in ordinary number groups are much easier to solve than in elliptic number groups.

      As a matter of fact, discrete log problem for ordinary numbers has been improving steadily whereas Elliptic curve group discrete log techniques have not seen significant improvement in the past 20 years. This difference accounts for today's reduced key-size requirements for elliptic curves.
    • Re:Size of key (Score:2, Informative)

      by LT Grant (371)
      If you look back at Dr Chris Monico's work at cracking ECC-109 [nd.edu] you can get some more background on the equivalences and how they match up and how the two are compared and how they are very different. 109 took a lot of computational time (biggest ever so far I believe), and this is vastly bigger, as if I remember correctly ECC encryption doesn't grow linearly, but exponentially. The code used to crack ECC-109 has been somewhat improved in ECC2-109 [ecc2.com] based mainly on things Dr Monico saw in 109 and based on s
    • Re:Size of key (Score:2, Informative)

      by Metex (302736)
      Ugh this is actually pretty easy to calculate,
      for the rsa key in order to find the approximate number of keys possible you use the simple equation 2^k / (ln 2^k) this gives you an 'approximation' for all possible primes you can have in k-bits.

      As for the ECC system I cant remeber the exsact computation off the top of my head to calculate key space but it has a much higher key concentration per bit added to key. not as high as a symetric cryptographic system with a 2^k keyspace but pretty high up there.

      As f
    • Re:Size of key (Score:3, Interesting)

      by bluGill (862)

      You don't brute force either system. Useing the best known mythods to break encryption today (which in the case of both RSA and ECC is not brute force) breaking a 512 bit ECC key is about the same effort of breaking a 15360 bit RSA key. Note that breaking a 512 bit symetric key (something like AES, blowfish, modified to use a 512 bit key) is more effort than breaking either one.

      I'm not sure I belive the difference is that great. RSA type encryption has had a lot of effort put into breaking it, ECC gets

    • Re:Size of key (Score:2, Informative)

      The best known means for solving the Discrete Log Problem over an EC is much slower then the best known means for factoring integers. This is why they can claim that a 512 bit ECC key is equivilant to a 15630 bit RSA key. The time it would take to solve both problems is equivilant.
  • by NotQuiteSonic (23451) on Sunday October 26, 2003 @11:50AM (#7313906) Homepage

    The algorithm they used is patented and very much open for criticism. It would need to be fore NSA to choose it. Think of it like RSA where the algorithm was patented as well (many open source applications use RSA now, since the license has expired).

    Dr. Scott A. Vanstone [certicom.com] is a professor at University of Waterloo, so it is kind of neat to see one of my profs in the news (I knew about the company, but they haven't had much going for them for a while). He teaches Coding Theory (CO 331 [uwaterloo.ca]) and is the Executive Director of Centre for Applied Cryptographic Research [uwaterloo.ca]

  • Damn! (Score:3, Funny)

    by MMC Monster (602931) on Sunday October 26, 2003 @11:51AM (#7313910)
    I guess rot-13 just isn't good enough anymore. (Am I the only one to think "Wow, how the mighty have fallen!" when I read this?)
  • by Anonymous Coward on Sunday October 26, 2003 @11:52AM (#7313914)
    In case you didn't catch the hint in the article, this is significant because NSA chose an EXTERNALLY developed encryption solution over an INTERNALLY developed solution. This has NOTHING TO DO WITH OPEN SOURCE SOFTWARE. Please save your comments like "what about SSH/GPG/SSL?" for some other discussion.

    Thanks.
  • by Garin (26873) on Sunday October 26, 2003 @11:53AM (#7313919)
    As far as I understand the deal, this has nothing to do with licensing software. They couldn't have gone with an OSS version (or "roll their own") as so many suggest because they're not licensing just software, they're licensing patents.

    You'll note that they've also got sublicensing rights on those patents. There could be a software component to this deal, but as far I can tell it appears that this is mainly about patents.
  • by vt0asta (16536) on Sunday October 26, 2003 @12:17PM (#7314029)
    "If you want to build an NSA-approved product, they want this in there."
    All that means, is like DES back in the day, if you want to have something NSA approved you pick this. I can guarantee you that the government when it's working on it's black budget work in general and historically has no regard for paying licenses for patents, and routinely mines the patent office for anything they may need. NSA has government customers that want protection, and instead of giving them the super secret good stuff, they find something off the shelf and give them this. This Certicom Corp. ECC is the new algorithm to study, because if it's NSA endorsed it's "probably" years ahead of the public domain state of the art, and is "probably" resistant to some pretty sophisticated crypto analysis techniques.
    • I can guarantee you that the government when it's working on it's black budget work in general and historically has no regard for paying licenses for patents, and routinely mines the patent office for anything they may need.

      But aren't they allowed to mine the patent office? After all they are part of the government - and patents are there only to protect inventors from each other - not to protect inventors from the govt. I've always understood that in exchange for that protection the government is all

  • Next thing you know the government will contract out the manufacture of nuclear missiles!
  • We all know that the way to make documents secure does not including making them accessable via the internet or intranet or any net, regardless of encryption or key size.

    For it only takes the breaking of one key document at the right time and misuse of the information found, for the NSA to then need to have someone to blame while the damages of the results would still exist.

    Encryption, regardless of how big the key is, still has the possibility of someone hitting it, like the lottery.

    Not to mention I rea
  • Buy Canadian (Score:4, Insightful)

    by solprovider (628033) on Sunday October 26, 2003 @12:36PM (#7314097) Homepage
    Did anybody notice that the United States National Security Agency is buying encryption software from a Canadian company? Is this the same United States that refused to allow products using good encryption to be exported because they were considered military weapons?

    I am not flaming Canada; I work with several Canadians and they are all nice and knowledgable people. I just noticed the inconsistencies in our policies.

    Disclaimer: I am a citizen of the USA, and I hope that this trend continues. I would really like all our government agencies to use the best global software, not just our homegrown insecure proprietary systems.
    • The NSA has provided encryption systems to countries all over the world. The catch is that this has been limited to the governments and armed forces of friendly countries.

      You can export strong encryption if you get an export license. The U.S. Government will grant a license if they think it is in the national interest.

      The United States and Canada have been cooperating in communications security and intelligence gathering for many years.

  • That's quite a difference in key strength between RSA and ECC. How does ECC's key strength compare to the best symmetric cryptosystems? Is it of the same close order of magnitude? If so, that's rather impressive.
  • by mcryptic (196974) on Sunday October 26, 2003 @12:49PM (#7314141)
    15,360 bits ought to be enough for everyone.
  • There actually is an NSA? I thought it only appeared in movies like Triple X...
    • There actually is an NSA?

      No, there's No Such Agency. Move along, nothing to see here.

      (Actually, for many years even the existence of the Agency was officially not acknowledged. AFAIK most if not all of its budget is still "black", ie doesn't show up in detail in the budget bills.)
  • by Urkki (668283) on Sunday October 26, 2003 @01:14PM (#7314253)
    ...known to NSA I mean. Why would they license it if they knew of some weakness in it...

    Hmm...

    Or maybe there *is* a suble weakness, leading to an "easy" way to break ECC. And NSA is licensing this to give it undue creidibility, so more people start using it, while NSA can easily (compared to RSA or whatnot) read everything encrypted with it...
  • by Markus Registrada (642224) on Sunday October 26, 2003 @01:34PM (#7314303)
    This isn't proof that they don't have a quantum computer. It's evidence that they do have, or expect to, or expect others to have soon. A quantum computer isn't magic. The best guess about the power of quantum computers, as applied to decryption, is that they can crack a 2N-bit cipher about as fast as an ordinary computer cracks an N-bit cipher.

    So, when we see the NSA not just adding key bits, but adding bits and then doubling them, we see evidence of countermeasures against quantum computers. This doesn't mean they have quantum computers. Remember that they are not just guarding secrets they transmit today against attack now, but against attack ten years from now, when revelation might still be damaging.

    Once we all do have quantum computers, I wonder what amusing revelations will come from cracking old ciphertexts. You can bet the NSA will keep busy at it, and so will the Brits, and the French, and the Germans, and the Russians, and the Israelis. (No doubt a few of the biggest corporations go on that list too.)

  • How is a 512 bit key equivalent to a 15,360 bit key? If you "only" have 512 bits, then you have to try 2^512 keys. If it's 15360, then you have to try 2^15360. 2^15360 is A LOT bigger than 2^512. So they're not equivalent. This is sort of irrellevant because 2^128 bit keys are still out of reach these days (i.e. if every computer in the world [every known computer; the NSA could probably break this?] worked on generating keys, the message would come out way after the Universe ended. That's a problem i
    • Re:512 bits? (Score:2, Informative)

      by damiam (409504)
      If it's 15360, then you have to try 2^15360.

      No, you don't. You have to find the factors of a prime number of that length. That leaves significantly less than 2^15630 possibilities, especially if you're using a decent factoring algorithm.

    • You're assuming brute force attacks; a 512 bit key for one algorithm might be harder to crack than a 15360 bit key in a different algorithm, because of flaws or limitations in that algorithm.

      Jon

  • Sun and ECC (Score:3, Informative)

    by pmsyyz (23514) on Sunday October 26, 2003 @02:32PM (#7314555) Homepage Journal
    Sun likes [sun.com] Elliptic Curve Cryptography. They have helped add it to Mozilla's Network Security Services [mozilla.org] and to OpenSSL.
  • by Nom du Keyboard (633989) on Sunday October 26, 2003 @02:59PM (#7314649)
    Just a wild guess, but what are the chances that NSA developed this secretly years ago and either planned to, or already does, use it. When the civilian cryptography sector finally caught up with them and actually patented the algorithm, NSA had to license it or stop using it. It wouldn't be the first time NSA has been shown to be far ahead of publicly known cryptographic knowledge. Differential Cryptology comes to mind.
  • 512bit ECC is exactly as strong as the thumb knuckle on your right hand, because that's what the NSA will remove if you don't tell them your key. They don't brute force keys they brute force YOU.

    And ECC is _VERY_ heavily encombered by patents, that's why none of us are using it yet out here in the real world, we can't. They could have used RSA for free, so you should be upset with their irresponsible use of tax dollars.

    The chart is interesting tho...

To avoid criticism, do nothing, say nothing, be nothing. -- Elbert Hubbard

Working...