NSA Turns To Commercial Software For Encryption 264
Roland Piquepaille writes "According to eWEEK, the National Security Agency (NSA) has picked a commercial solution for its encryption technology needs, instead on relying on its own proprietary code. "The National Security Agency has purchased a license for Certicom Corp.'s elliptic curve cryptography (ECC) system, and plans to make the technology a standard means of securing classified communications. In the case of the NSA deal, the agency wanted to use a 512-bit key for the ECC system. This is the equivalent of an RSA key of 15,360 bits." This summary includes the NIST guidelines for public key sizes and contains more details and links about the ECC technology. Since the announcement, Canadian Press reports that Certicom's shares more than doubled in Toronto."
Size of key (Score:4, Insightful)
Brute-force decoding of these schemes is not recommended for the faint of heart, but I wonder: how can they tell that a 2 ^ 512 possibility range is as secure as a 2 ^ 15360 probabilities scheme?
If I can reduce a RSA 1024 bits to a new method using only 4 bits, how can my way be as secure?
Attention to the knee-jerkers! (Score:3, Insightful)
Thanks.
Re:FUD (Score:5, Insightful)
Re:Privatization (Score:3, Insightful)
Re:If true it sends a signal. No quantum computer (Score:3, Insightful)
No, all this means is that they want something with better encryption. Even if they had a dozen fully functional "quantum computers" that were able to do spectacular computations in an instant (ah, that lovely superposition...) that wouldn't mean that they should just suddenly give up and use weak encryption. Better that only a few people in the world could break it with ease, than that anyone with $100k could build a sufficient cluster to do it quickly...
Re:Huh? (Score:5, Insightful)
It's not like the NSA is buying a binary encryption software package they can't decompile, or shipping the secrets up to Canada for encrypting. This isn't a security concern. The NSA bought the concept of ECC, and Certicom deserves to be paid fairly for it. The NSA can do anything they want with ECC now, including grant sub-licenses without approvasl from Certicom. The only restriction is to require a minimum level of ecryption field size (encryption strength), which isn't a problem for NSA:
This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a limited field of use. The field of use is restricted to implementations of ECC that are over GF(p), where p is a prime greater than 2256.
This is for the more discerning crypto customer (Score:5, Insightful)
Re:Privatization (Score:5, Insightful)
on the other hand, you have NSA could use whatever patented technique they wanted and no one would ever know, but they decide to go out and publicly annouce a license
You're wondering why the NSA didn't just go ahead and use Certicom's patented ECC implementation and keep it a secret? Because they're a lot bigger than Rush freakin' Limbaugh, and it only takes one employee to speak up and say, "we knew someone else patented this but we used it anyway" before someone gets in a lot of trouble.
No one wants that kind of a black eye. If that scandal broke, the manager who gave the go-ahead to implement the Certicom solution without licensing it would probably find himself reassigned to a communications post in Afghanistan.
And one thing about the US government... no matter how hard they try to keep things under wraps, they're just not very good at it. There are just too many nosy journalists and authors poking around... everything comes out sooner or later
Buy Canadian (Score:4, Insightful)
I am not flaming Canada; I work with several Canadians and they are all nice and knowledgable people. I just noticed the inconsistencies in our policies.
Disclaimer: I am a citizen of the USA, and I hope that this trend continues. I would really like all our government agencies to use the best global software, not just our homegrown insecure proprietary systems.
Re:There is a method to the madness... for sure!!! (Score:1, Insightful)
I don't even think the odds are comparable. Consider that there roughly 10^80 atoms in the visible universe, and there are roughly 10^154 possible combinations of 512 bits. So that means there are about 10^74 512 bit keys for every atom in the universe.
Re:Privatization (Score:2, Insightful)
It's blatantly ignorant of the principles of cryptography which state that knowing the algorithm and implementation, or even part of the clear text should not compromise your security.
Re:There is a method to the madness... for sure!!! (Score:1, Insightful)
Not to mention I read somewhere recently how an enycription string length, the longer it gets the more likely it is to be written down somewhere or placed under a less secure but easier to remember key or password.
I'll give you some hints:
1) They aren't going to use the same encryption key on every document. In fact, they aren't going to use the same key for ANY documents. Every document (or user, or whatever they're using it for) will have a different public/private key pair. This is the NSA, do you think they're stupid or something?
2) They aren't going to let their users manage these encryption keys. They're not going to give them out as sheets of paper filled with thousands of letters or numbers that their users will then have to type in. The encryption algorithm will be built in to the software or hardware that they deploy in the field, and the key will be stored in flash memory on a dongle that the user carries around. The user simply has to keep control over the key itself at all times. Since they're professional spooks and they're lives depend on it, I'm sure they'll be suitably careful to keep the key from being compromised
Re:If true it sends a signal. No quantum computer (Score:1, Insightful)
Restrictions on field of use, royalties, etc. (Score:3, Insightful)
Re:FUD (Score:5, Insightful)
Uh, anyone who wants to do business with or exchange sensitive info (read: pretty much anything) with the NSA. If that's you, you'll most likely have to use this to talk to them about anything important. So, it seems logical that they've acquired the ability to grant sub-licenses -- that way you can be provided with tools to encrypt and decrypt communication that works with the NSA-specific implemntation of this patented ECC concept.
Maybe you were thinking that the NSA is going to release commercial products based on ECC? I don't think so. They'll probably leave that to Certicom and just use the licensed technology for thier own use rather than resale.
Re:FUD, but whose? (Score:4, Insightful)
They could have determined that this is the preferred technology to use publically at this time, and then require the license in order to operate with it in the public domain.
James Bamford's more recent review of the NSA documented an employee's discovery of public-key cryptography prior to Diffie's. They can't patent an invention without public disclosure (I presume), and they can't avoid licensing patented technology without proving prior art, which they must be reluctant to do - they would need to disclose when they discovered it. So, if all this presumption is true, from now on they'll be forced to license technology they they themselves created in order to keep the lid on their capabilities.
Re:OSS ECC? ECC vs AES (Score:3, Insightful)
Unfortunate? For whom? For the people who spent long hours doing the extensive research which led to the development of advanced encyption systems? Or for the people who read the papers and attended the conferences and say "Great idea...think I'll make the same thing for free in the name of Openness!"
Encryption is not like a 1-click pattent or library compression. It's hard, expensive and risky to devote your time to coming up with the next great encryption algorithm. And I am glad that we have agencies like the NSA to help offset this cost. It means there might be jobs somewhere for some of us to sit around and think about stuff rather than have to sell our talents like consultant whores.
Free Software is all well and good, but some things are worth paying for. Right?