NSA Turns To Commercial Software For Encryption

Roland Piquepaille writes "According to eWEEK, the National Security Agency (NSA) has picked a commercial solution for its encryption technology needs, instead on relying on its own proprietary code. "The National Security Agency has purchased a license for Certicom Corp.'s elliptic curve cryptography (ECC) system, and plans to make the technology a standard means of securing classified communications. In the case of the NSA deal, the agency wanted to use a 512-bit key for the ECC system. This is the equivalent of an RSA key of 15,360 bits." This summary includes the NIST guidelines for public key sizes and contains more details and links about the ECC technology. Since the announcement, Canadian Press reports that Certicom's shares more than doubled in Toronto."

Size of key

[ptaff]

...the agency wanted to use a 512-bit key for the ECC system. This is the equivalent of an RSA key of 15,360 bits.

Brute-force decoding of these schemes is not recommended for the faint of heart, but I wonder: how can they tell that a 2 ^ 512 possibility range is as secure as a 2 ^ 15360 probabilities scheme?

If I can reduce a RSA 1024 bits to a new method using only 4 bits, how can my way be as secure?

Attention to the knee-jerkers!

[Anonymous Coward]

In case you didn't catch the hint in the article, this is significant because NSA chose an EXTERNALLY developed encryption solution over an INTERNALLY developed solution. This has NOTHING TO DO WITH OPEN SOURCE SOFTWARE. Please save your comments like "what about SSH/GPG/SSL?" for some other discussion.

Thanks.

Re:FUD

[jdhutchins]

You can bet that NSA demanded the source code. I don't think they'd trust something they can't see the source to for their security. As for them buying a closed-source or open-source, to them it doesn't matter, they'll get the source anyways.

Re:Privatization

[paranoidsim]

I don't think this is about privatization. I think this is about the NSA being overloaded with more important things to worry about. Such as the "War on Inanimate Objects", namely, Terrorism. For instance, look at their new hires figures jump from roughly 100/yr, to over 1000. They are busy, they are upgrading, and they are worrying about processing the loads of new data from monitoring an exponentially higher amount of data then they were accustomed to only a few years ago.

Re:If true it sends a signal. No quantum computer

[dAzED1]

How on EARTH did you come to that conclusion? Are you saying that if they had a quantum computer they should just throw their hands up in the air for anything else, and not get it as tight as possible? Or that if they have a single quantum computer, that they would necessarily have hundreds of thousands (if you can make one, then you can make millions?), and therefore would be able to distribute classified documents/transmitions with ease? It would be pointless if the same capability didn't exist on both ends, you know.

No, all this means is that they want something with better encryption. Even if they had a dozen fully functional "quantum computers" that were able to do spectacular computations in an instant (ah, that lovely superposition...) that wouldn't mean that they should just suddenly give up and use weak encryption. Better that only a few people in the world could break it with ease, than that anyone with $100k could build a sufficient cluster to do it quickly...

Re:Huh?

[randyest]

Being the NSA doesn't guarantee you can develop the best technology in every security-related area. If another company or research institute happens to come up with a technology that's remarkably better than anything else like it and patent it first (such as the ECC mentioned in the article), the NSA should and does license it. That is, they buy the the rights to use the technology that someone else spent a lot of time and effort to develop (maybe even more than the NSA put forth in this field) .

It's not like the NSA is buying a binary encryption software package they can't decompile, or shipping the secrets up to Canada for encrypting. This isn't a security concern. The NSA bought the concept of ECC, and Certicom deserves to be paid fairly for it. The NSA can do anything they want with ECC now, including grant sub-licenses without approvasl from Certicom. The only restriction is to require a minimum level of ecryption field size (encryption strength), which isn't a problem for NSA:

This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a limited field of use. The field of use is restricted to implementations of ECC that are over GF(p), where p is a prime greater than 2256.

This is for the more discerning crypto customer

[vt0asta]

"If you want to build an NSA-approved product, they want this in there."

All that means, is like DES back in the day, if you want to have something NSA approved you pick this. I can guarantee you that the government when it's working on it's black budget work in general and historically has no regard for paying licenses for patents, and routinely mines the patent office for anything they may need. NSA has government customers that want protection, and instead of giving them the super secret good stuff, they find something off the shelf and give them this. This Certicom Corp. ECC is the new algorithm to study, because if it's NSA endorsed it's "probably" years ahead of the public domain state of the art, and is "probably" resistant to some pretty sophisticated crypto analysis techniques.

Re:Privatization

[Anonymous Coward]

on one hand, you have a crackhead who could get all the drugs he wanted legally and privately, but for some unexplicable reason bought his dope illegaly on the street through someone who could (and did) dime him out.

on the other hand, you have NSA could use whatever patented technique they wanted and no one would ever know, but they decide to go out and publicly annouce a license

You're wondering why the NSA didn't just go ahead and use Certicom's patented ECC implementation and keep it a secret? Because they're a lot bigger than Rush freakin' Limbaugh, and it only takes one employee to speak up and say, "we knew someone else patented this but we used it anyway" before someone gets in a lot of trouble.

No one wants that kind of a black eye. If that scandal broke, the manager who gave the go-ahead to implement the Certicom solution without licensing it would probably find himself reassigned to a communications post in Afghanistan.

And one thing about the US government... no matter how hard they try to keep things under wraps, they're just not very good at it. There are just too many nosy journalists and authors poking around... everything comes out sooner or later :) (For examples, see the SR-71, spy satellite imagery, Predator UAVs, the TIA project, etc. and the number of times Tom Clancy has been accused of espionage for incorporating published projects into his work.)

Buy Canadian

[solprovider]

Did anybody notice that the United States National Security Agency is buying encryption software from a Canadian company? Is this the same United States that refused to allow products using good encryption to be exported because they were considered military weapons?

I am not flaming Canada; I work with several Canadians and they are all nice and knowledgable people. I just noticed the inconsistencies in our policies.

Disclaimer: I am a citizen of the USA, and I hope that this trend continues. I would really like all our government agencies to use the best global software, not just our homegrown insecure proprietary systems.

Re:There is a method to the madness... for sure!!!

[Anonymous Coward]

Encryption, regardless of how big the key is, still has the possibility of someone hitting it, like the lottery.

I don't even think the odds are comparable. Consider that there roughly 10^80 atoms in the visible universe, and there are roughly 10^154 possible combinations of 512 bits. So that means there are about 10^74 512 bit keys for every atom in the universe.

Re:Privatization

[pVoid]

Uhh... why is this interesting?

It's blatantly ignorant of the principles of cryptography which state that knowing the algorithm and implementation, or even part of the clear text should not compromise your security.

Re:There is a method to the madness... for sure!!!

[Anonymous Coward]

For it only takes the breaking of one key document at the right time and misuse of the information found, for the NSA to then need to have someone to blame while the damages of the results would still exist.

Not to mention I read somewhere recently how an enycription string length, the longer it gets the more likely it is to be written down somewhere or placed under a less secure but easier to remember key or password.

I'll give you some hints:

1) They aren't going to use the same encryption key on every document. In fact, they aren't going to use the same key for ANY documents. Every document (or user, or whatever they're using it for) will have a different public/private key pair. This is the NSA, do you think they're stupid or something?

2) They aren't going to let their users manage these encryption keys. They're not going to give them out as sheets of paper filled with thousands of letters or numbers that their users will then have to type in. The encryption algorithm will be built in to the software or hardware that they deploy in the field, and the key will be stored in flash memory on a dongle that the user carries around. The user simply has to keep control over the key itself at all times. Since they're professional spooks and they're lives depend on it, I'm sure they'll be suitably careful to keep the key from being compromised :)

Re:If true it sends a signal. No quantum computer

[Anonymous Coward]

The NSA has a legal responsibility to create/endorse secure classified crypto. If they could this ECC now, they would have to assume that someone else could and not endorse it.

Restrictions on field of use, royalties, etc.

[Adam J. Richter]

It appears that the NSA have licensed this math in such a manner that they are free to sublicense it however they see fit.

This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a

limited field of use.

The "field of use" is not specified in any of the links provided by the slashdot article (and is probably confidential), nor are the parameters of the sublicensing, such as how much, if any, royalties NSA has to pass upstream. It is also worth noting that the users within "the limited field of use" are further slighty restricted, although I don't know enough math to understand how important the restriction is:

The field of use is restricted to implementations of ECC that are over GF(p), where p is a prime greater than 2**256. [exponent notation changed to get through slashdot filters]

Re:FUD

[randyest]

Who the hell in their right mind is going to license this from the NSA?

Uh, anyone who wants to do business with or exchange sensitive info (read: pretty much anything) with the NSA. If that's you, you'll most likely have to use this to talk to them about anything important. So, it seems logical that they've acquired the ability to grant sub-licenses -- that way you can be provided with tools to encrypt and decrypt communication that works with the NSA-specific implemntation of this patented ECC concept.

Maybe you were thinking that the NSA is going to release commercial products based on ECC? I don't think so. They'll probably leave that to Certicom and just use the licensed technology for thier own use rather than resale.

Re:FUD, but whose?

[tchdab1]

Given the secretive nature of the organization, it's possible (I have no proof or even inuendo) that the NSA is licensing technology that they themselves developed independently, perhaps even prior art.
They could have determined that this is the preferred technology to use publically at this time, and then require the license in order to operate with it in the public domain.
James Bamford's more recent review of the NSA documented an employee's discovery of public-key cryptography prior to Diffie's. They can't patent an invention without public disclosure (I presume), and they can't avoid licensing patented technology without proving prior art, which they must be reluctant to do - they would need to disclose when they discovered it. So, if all this presumption is true, from now on they'll be forced to license technology they they themselves created in order to keep the lid on their capabilities.

Re:OSS ECC? ECC vs AES

[dasmegabyte]

Unfortunatly, huge classes of suitable elliptic curves got patented.

Unfortunate? For whom? For the people who spent long hours doing the extensive research which led to the development of advanced encyption systems? Or for the people who read the papers and attended the conferences and say "Great idea...think I'll make the same thing for free in the name of Openness!"

Encryption is not like a 1-click pattent or library compression. It's hard, expensive and risky to devote your time to coming up with the next great encryption algorithm. And I am glad that we have agencies like the NSA to help offset this cost. It means there might be jobs somewhere for some of us to sit around and think about stuff rather than have to sell our talents like consultant whores.

Free Software is all well and good, but some things are worth paying for. Right?