NSA Turns To Commercial Software For Encryption
Roland Piquepaille writes "According to eWEEK, the National Security Agency (NSA) has picked a commercial solution for its encryption technology needs, instead of relying on its own proprietary code. "The National Security Agency has purchased a license for Certicom Corp.'s elliptic curve cryptography (ECC) system, and plans to make the technology a standard means of securing classified communications. In the case of the NSA deal, the agency wanted to use a 512-bit key for the ECC system. This is the equivalent of an RSA key of 15,360 bits." This summary includes the NIST guidelines for public key sizes and contains more details and links about the ECC technology. Since the announcement, Canadian Press reports that Certicom's shares more than doubled in Toronto."
OSS ECC? ECC vs AES (Score:0, Interesting)
--
Have you sent a check to SCO today?
What about license abuse? (Score:3, Interesting)
Re:FINALLY ... (Score:2, Interesting)
- I am happy to see a local business score a large contract in my hometown
- I am confused as to how the American Government ever approved a purchase of an external Intellectual Property
I'm sure a lot of Americans will have disagreements on this one!
If true it sends a signal. No quantum computer now (Score:2, Interesting)
This isn't an issue of "open" vs "closed" (Score:3, Interesting)
The algorithm they used is patented and very much open for criticism. It would need to be for NSA to choose it. Think of it like RSA where the algorithm was patented as well (many open source applications use RSA now, since the license has expired).
Dr. Scott A. Vanstone [certicom.com] is a professor at University of Waterloo, so it is kind of neat to see one of my profs in the news (I knew about the company, but they haven't had much going for them for a while). He teaches Coding Theory (CO 331 [uwaterloo.ca]) and is the Executive Director of Centre for Applied Cryptographic Research [uwaterloo.ca]
Re:Privatization (Score:3, Interesting)
You're the premiere intelligence agency in the world. When you need to secure data, you use algorithms that nobody else in the world knows about, designed in secret by some of the greatest mathematical geniuses there are.
When you need to secure an email you're sending to someone not in the agency, you can't (not to mention don't) use your hidden good stuff, because the recipient doesn't have the algorithm. So, you use something publicly available.
Re:FUD (Score:3, Interesting)
Well, before they just used it and didn't bother asking for permission. This isn't that big of a deal. The only thing out of the ordinary is they asked before using it. Nothing is stopping the NSA from ignoring a license for anything. Who are you going to call, the BSA to battle the NSA? Licensing applies to corporations and individuals... governments can choose whether to obey them or not. We'd like for them to obey them, but who watches the watchers?
So this means there's no easy way to break ECC... (Score:3, Interesting)
Hmm...
Or maybe there *is* a subtle weakness, leading to an "easy" way to break ECC. And NSA is licensing this to give it undue credibility, so more people start using it, while NSA can easily (compared to RSA or whatnot) read everything encrypted with it...
Re:Size of key (Score:3, Interesting)
You don't brute force either system. Using the best known methods to break encryption today (which in the case of both RSA and ECC is not brute force) breaking a 512 bit ECC key is about the same effort as breaking a 15360 bit RSA key. Note that breaking a 512 bit symmetric key (something like AES, blowfish, modified to use a 512 bit key) is more effort than breaking either one.
I'm not sure I believe the difference is that great. RSA type encryption has had a lot of effort put into breaking it, ECC gets less attention (though it is getting more). If ECC got as much attention as RSA did from the mathematical world, the difference in efforts to break them would be a lot closer.
Note that both ECC and RSA are NP-complete, meaning that if there is a generic way to break one, in essentially no time (no matter how big the key is), that algorithm can be easily modified to break the other. There is a lot of debate in CS about such problems and if such an algorithm exists. Anyone using either must be aware that there is no proof that you can't break it trivially.
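The key-size comparison in the summary and in the comment above (512-bit ECC against 15,360-bit RSA) can be roughly reproduced from the textbook cost formulas for the best known generic attacks. This is an added example, not part of the thread; it assumes the general number field sieve for RSA and Pollard's rho (with the negation map) for ECC, drops the o(1) term, and uses function names chosen here, so it gives ballpark figures rather than the NIST table values.

```python
import math

LN2 = math.log(2)

def gnfs_bits(modulus_bits: int) -> float:
    """log2 of the heuristic GNFS cost exp(c * (ln N)^(1/3) * (ln ln N)^(2/3)),
    c = (64/9)^(1/3), for an RSA modulus N of the given size (o(1) term dropped)."""
    ln_n = modulus_bits * LN2
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / LN2

def rho_bits(curve_bits: int) -> float:
    """log2 of the expected Pollard rho cost, sqrt(pi * n / 4) group operations,
    for a curve whose group order n is about 2^curve_bits."""
    return 0.5 * (curve_bits + math.log2(math.pi / 4))

def equivalent_rsa_bits(curve_bits: int) -> int:
    """Smallest RSA modulus size (>= 512 bits) whose GNFS estimate is at least
    the Pollard rho estimate for the curve. Bisection works because gnfs_bits
    increases with modulus size."""
    target = rho_bits(curve_bits)
    lo, hi = 512, 1 << 20
    while lo < hi:
        mid = (lo + hi) // 2
        if gnfs_bits(mid) < target:
            lo = mid + 1
        else:
            hi = mid
    return lo

if __name__ == "__main__":
    print("curve bits  rho work (log2)  matching RSA bits (uncalibrated)")
    for bits in (160, 224, 256, 384, 512):
        print(f"{bits:10d}  {rho_bits(bits):15.1f}  {equivalent_rsa_bits(bits):17d}")
    print(f"GNFS estimate for a 15360-bit modulus: 2^{gnfs_bits(15360):.0f}")
```

For a 512-bit curve the uncalibrated estimate lands between 13,000 and 14,000 bits, the same range as the 15,360-bit figure quoted in the summary.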
Re:Huh? (Score:3, Interesting)
The difference is that patents on mathematical techniques or software algorithms are a distinct limitation of free speech, whereas patents relating to physical inventions are only a limitation of manufacturing rights. Ultimately, it could be argued that all invention has a mathematical basis, but software patents are unique in that they are unembodied. Because anyone can create software, software patents directly infringe on personal freedoms, in the same way that patents on literary style would.