NSA Turns To Commercial Software For Encryption

Roland Piquepaille writes "According to eWEEK, the National Security Agency (NSA) has picked a commercial solution for its encryption technology needs, instead on relying on its own proprietary code. "The National Security Agency has purchased a license for Certicom Corp.'s elliptic curve cryptography (ECC) system, and plans to make the technology a standard means of securing classified communications. In the case of the NSA deal, the agency wanted to use a 512-bit key for the ECC system. This is the equivalent of an RSA key of 15,360 bits." This summary includes the NIST guidelines for public key sizes and contains more details and links about the ECC technology. Since the announcement, Canadian Press reports that Certicom's shares more than doubled in Toronto."

FUD

[ChozCunningham]

Shouldn't we demand an open source solution? ;)

Re:FUD

[jdhutchins]

You can bet that NSA demanded the source code. I don't think they'd trust something they can't see the source to for their security. As for them buying a closed-source or open-source, to them it doesn't matter, they'll get the source anyways.

Re:FUD

[randyest]

I'll take that bet aginst you. The NSA didn't demand the source code, they wrote the source code. Note that NSA is not buying some software tool, they are licensing a patented encryption concept. The NSA will implement this ECC encryption technology in many different ways, on their own:

This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a limited field of use. The field of use is restricted to implementations of ECC that are over GF(p), where p is a prime greater than 2256.

Re:FUD

[Blue Stone]

" This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a limited field of use."

Who the hell in their right mind is going to license this from the NSA?

The NSA - You Can Trust Us Not To Implement Backdoors(TM).

Re:FUD

[randyest]

Who the hell in their right mind is going to license this from the NSA?

Uh, anyone who wants to do business with or exchange sensitive info (read: pretty much anything) with the NSA. If that's you, you'll most likely have to use this to talk to them about anything important. So, it seems logical that they've acquired the ability to grant sub-licenses -- that way you can be provided with tools to encrypt and decrypt communication that works with the NSA-specific implemntation of this patented ECC concept.

Maybe you were thinking that the NSA is going to release commercial products based on ECC? I don't think so. They'll probably leave that to Certicom and just use the licensed technology for thier own use rather than resale.

Re:FUD

[Kenja]

They don't need to demand the source code. They just need to copy it over. Unless the deveopler has his tin foil hat on.

Re:FUD

[quadelirus]

I stated this in another post, but I've got a link now:

The NSA is not lisencing software, it is lisencing the right to use Certicom's ECC cryptosystem. Cryptosystems now are usually known even when proprietary to allow mathematicians and cryptographers the ability to test the security of it. (The RSA cryptosystem for instance is thoroughly explained on RSA's web-site, but you would still need a lisence to use the algorithm in a program)

I found a tutorial by Certicom on their ECC cryptosystem here [certicom.com].

PS. I could be wrong, but from the article it seems that "intellectual property" and "This is the first time that the NSA has endorsed any sort of public-key cryptography system." that they are not actually lisencing software but are in fact lisencing the cryptosystem. If I am wrong, I humbly apologize.

Re:FUD

[AKnightCowboy]

PS. I could be wrong, but from the article it seems that "intellectual property" and "This is the first time that the NSA has endorsed any sort of public-key cryptography system." that they are not actually lisencing software but are in fact lisencing the cryptosystem. If I am wrong, I humbly apologize.

Well, before they just used it and didn't bother asking for permission. This isn't that big of a deal. The only thing out of the ordinary is they asked before using it. Nothing is stopping the NSA from i

Ummm, well

[Sycraft-fu]

No. Part of being a counrty based on the rule of law is that even the government must obey the law. You might notice that a deceant part of constitutional law is laying out things the government may not do. Now there are, of course, many politicians and agencies that try to ignore this, and try to be above the law, but it can blow up on you.

So say the NSA does take this patented technology and use it without a liscence. Certicom discovers this. Well, then they'll take them to court. Yes, government agencie

Re:FUD, but whose?

[tchdab1]

Given the secretive nature of the organization, it's possible (I have no proof or even inuendo) that the NSA is licensing technology that they themselves developed independently, perhaps even prior art.
They could have determined that this is the preferred technology to use publically at this time, and then require the license in order to operate with it in the public domain.
James Bamford's more recent review of the NSA documented an employee's discovery of public-key cryptography prior to Diffie's. They can't patent an invention without public disclosure (I presume), and they can't avoid licensing patented technology without proving prior art, which they must be reluctant to do - they would need to disclose when they discovered it. So, if all this presumption is true, from now on they'll be forced to license technology they they themselves created in order to keep the lid on their capabilities.

What about license abuse?

[MongooseCN]

What if a company is suspicious of the NSA not following the license it was given? It's not like the government is going to let a commercial company into the NSA to audit all its computer systems. I suppose it will all be done on the honor system.

Re:What about license abuse?

[croddy]

the government doesn't need to care about licensing costs. the government buys extra, and more extra.

Re:What about license abuse?

[leerpm]

I doubt the company cares much. The publicity and market attention they will receive from this deal will be more than enough to compensate for any licensing wrongdoings.

Re:What about license abuse?

[randyest]

The NSA practically can't not follow the license -- it's world-wide and allows granting sub-licenses, and is only restricted to use above a certain security level. The NSA would have to use relatively insecure implementations of the technology to violate the license, and I think that's unlikely:

Certicom Corp. (TSX: CIC), a leading provider of wireless security solutions, today announced that the National Security Agency (NSA) in Maryland has purchased extensive licensing rights to Certicom's MQV-based Elliptic Curve Cryptography (ECC) intellectual property. ECC is becoming a crucial technology for protecting national security information.

This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a limited field of use. The field of use is restricted to implementations of ECC that are over GF(p), where p is a prime greater than 2256. Outside the field of use, Certicom will retain all rights to the technology for other industries that require the same levels of security, including state and local government agencies. Certicom will continue its policy of making its intellectual property available to implementers of ECC under normal commercial terms on a non discriminatory basis.

If true it sends a signal. No quantum computer now

[j_dot_bomb]

If true it sends a signal. They currently dont have a quantum computer (and therefore expect no one else does or will in a reasonable amount of time). However I do remember seeing a standard created to do a form of digital signatures only with conventional encryption (which is not in general "breakable" by quantum computers like "hard problem" public key cryptography).

Re:If true it sends a signal. No quantum computer

[dAzED1]

How on EARTH did you come to that conclusion? Are you saying that if they had a quantum computer they should just throw their hands up in the air for anything else, and not get it as tight as possible? Or that if they have a single quantum computer, that they would necessarily have hundreds of thousands (if you can make one, then you can make millions?), and therefore would be able to distribute classified documents/transmitions with ease? It would be pointless if the same capability didn't exist on both

Re:If true it sends a signal. No quantum computer

[SamIIs]

I think you misunderstand the comment. I understood that JDotBomb was saying that any agency that had a quantum computer (therefore able to break RSA type encryption in a blink) wouldn't be spending money on or trusting an RSA system. They'd be using one of the encryptions that aren't broken by the tool that quantum.

-Sam

Re:If true it sends a signal. No quantum computer

[adrianbaugh]

Don't be so naive. They might be procuring this software just to make people (us, other governments) /think/ they don't have a quantum computer. People happily go on using our 2048-bit GPG keys assuming no QC exists, the NSA happily break all the crypto.

Just 'cause you're not paranoid don't mean they're not out to get you!

Where's the money

[DNS-and-BIND]

Gosh, I bet this had nothing to do with the fact that NSA insiders held a lot of Certicom stock.

Nah, that kind of thing never happens. It's tinfoil-hat thinking. It's as unlikely as the President sexually abusing one of his interns.

Size of key

[ptaff]

...the agency wanted to use a 512-bit key for the ECC system. This is the equivalent of an RSA key of 15,360 bits.

Brute-force decoding of these schemes is not recommended for the faint of heart, but I wonder: how can they tell that a 2 ^ 512 possibility range is as secure as a 2 ^ 15360 probabilities scheme?

If I can reduce a RSA 1024 bits to a new method using only 4 bits, how can my way be as secure?

Re:Size of key

[espo812]

I wonder: how can they tell that a 2 ^ 512 possibility range is as secure as a 2 ^ 15360 probabilities scheme?

Because breaking RSA does not involve brute forcing the bits, it involves factoring huge ass numbers into primes. Look up the differences between symmetric and asymmetric (or private and public) key cryptosystems.

Re:Size of key

[inburito]

But they are both public key cryptosystems!

And yes, they both pretty much involve brute forcing the bits to try to crack the message. It just happens that ecc problem is lot harder than large number factorization (computationally and conceptually too). If you know how to factor huge ass numbers without brute forcing let the nobel committee know as you may be eligible for next year.

Re:Size of key

[damiam]

There are many algorithms for factoring large numbers without brute-forcing every conceivable possibility. Obviously, there are none fast enough to damage RSA's security (at least, none that are publicly known).

Re:Size of key

[espo812]

If you know how to factor huge ass numbers without brute forcing let the nobel committee know as you may be eligible for next year.

What like the General Number Field Sieve [nfsnet.org]? Let them know for me, but I doubt they'll be too interested.

Re:Size of key

[inburito]

Yes, there is the general number field sieve, but still for all practical purposes you're brute forcing. Complexity is reduced to something like O(exp((c*(logn)^(1/3)*(loglogn)^(2/3))) where n is the length of number in bits.

Re:Size of key

[inburito]

Maybe because discrete logarithm problems in ordinary number groups are much easier to solve than in elliptic number groups.

As a matter of fact, discrete log problem for ordinary numbers has been improving steadily whereas Elliptic curve group discrete log techniques have not seen significant improvement in the past 20 years. This difference accounts for today's reduced key-size requirements for elliptic curves.

Re:Size of key

[LT Grant]

If you look back at Dr Chris Monico's work at cracking ECC-109 [nd.edu] you can get some more background on the equivalences and how they match up and how the two are compared and how they are very different. 109 took a lot of computational time (biggest ever so far I believe), and this is vastly bigger, as if I remember correctly ECC encryption doesn't grow linearly, but exponentially. The code used to crack ECC-109 has been somewhat improved in ECC2-109 [ecc2.com] based mainly on things Dr Monico saw in 109 and based on s

Re:Size of key

[Metex]

Ugh this is actually pretty easy to calculate,
for the rsa key in order to find the approximate number of keys possible you use the simple equation 2^k / (ln 2^k) this gives you an 'approximation' for all possible primes you can have in k-bits.

As for the ECC system I cant remeber the exsact computation off the top of my head to calculate key space but it has a much higher key concentration per bit added to key. not as high as a symetric cryptographic system with a 2^k keyspace but pretty high up there.

As f

Re:Size of key

[bluGill]

You don't brute force either system. Useing the best known mythods to break encryption today (which in the case of both RSA and ECC is not brute force) breaking a 512 bit ECC key is about the same effort of breaking a 15360 bit RSA key. Note that breaking a 512 bit symetric key (something like AES, blowfish, modified to use a 512 bit key) is more effort than breaking either one.

I'm not sure I belive the difference is that great. RSA type encryption has had a lot of effort put into breaking it, ECC gets

Re:Size of key

[jareds]

Note that both ECC and RSA are NP-complete

This has not been proven, nor is it even commonly believed to be true.

Re:Size of key

[joeblarnystone]

The best known means for solving the Discrete Log Problem over an EC is much slower then the best known means for factoring integers. This is why they can claim that a 512 bit ECC key is equivilant to a 15630 bit RSA key. The time it would take to solve both problems is equivilant.

Re:Size of key

[caluml]

They use math. Bruteforcing an RSA key 15360 bits long takes about the same amount of work as an ECC key 512 bits long.

And who has done this, and when did they time it?

This isn't an issue of "open" vs "closed"

[NotQuiteSonic]

The algorithm they used is patented and very much open for criticism. It would need to be fore NSA to choose it. Think of it like RSA where the algorithm was patented as well (many open source applications use RSA now, since the license has expired).

Dr. Scott A. Vanstone [certicom.com] is a professor at University of Waterloo, so it is kind of neat to see one of my profs in the news (I knew about the company, but they haven't had much going for them for a while). He teaches Coding Theory (CO 331 [uwaterloo.ca]) and is the Executive Director of Centre for Applied Cryptographic Research [uwaterloo.ca]

Damn!

[MMC Monster]

I guess rot-13 just isn't good enough anymore. (Am I the only one to think "Wow, how the mighty have fallen!" when I read this?)

Attention to the knee-jerkers!

[Anonymous Coward]

In case you didn't catch the hint in the article, this is significant because NSA chose an EXTERNALLY developed encryption solution over an INTERNALLY developed solution. This has NOTHING TO DO WITH OPEN SOURCE SOFTWARE. Please save your comments like "what about SSH/GPG/SSL?" for some other discussion.

Thanks.

This isn't software, it's patents.

[Garin]

As far as I understand the deal, this has nothing to do with licensing software. They couldn't have gone with an OSS version (or "roll their own") as so many suggest because they're not licensing just software, they're licensing patents.

You'll note that they've also got sublicensing rights on those patents. There could be a software component to this deal, but as far I can tell it appears that this is mainly about patents.

Re:This isn't software, it's patents.

[Garin]

Well, the nice thing about it is that they've paid for the rights to the patent, including sublicensing. The NSA could whip up their own implementation of it and distribute that software as some kind of standard. Who knows?

For all we know, the sublicensing agreement for the use of the specific parts of the patents may be absolutely up to the NSA (they seem to suggest as much from the Certicom press releases..? Anyone know more?)

If that is the case, the NSA might very well release an open source version th

Re:This isn't software, it's patents.

[Garin]

Uh yeah. That's kinda my point that you're explaining to me there, and you appear to be contradicting yourself.

They've licensed the patent, not the code. The algorithm. No source. No binaries. "It's just an algorithm" as the folks as RSA are fond of saying. They are allowed to use the math. There is probably no programming involved here, as you state yourself. How many times can it be said?

It appears that the NSA have licensed this math in such a manner that they are free to sublicense it however they see

Restrictions on field of use, royalties, etc.

[Adam J. Richter]

It appears that the NSA have licensed this math in such a manner that they are free to sublicense it however they see fit.

This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a

limited field of use.

The "field of use" is not specified in any of the links provided by the slashdot article (and is probably confidential), nor are the parameters of th

Re:Restrictions on field of use, royalties, etc.

[Garin]

Oh, absolutely you're right. There may be strange undisclosed limitations that specifically limit sublicensees to be US or Canadian corporations (say), and that these sublicensees may not themselves sublicense under any conditions.

In that case, it would kill any GPL hopes right away.

By "appears" I mean exactly that. It seems to me, on first reading, that they're allowed to do pretty much whatever they want with the (GF(p), p > 2**256) instance of ECC, and that naively I would read that that is the only

Re:This isn't software, it's patents.

[ScrewMaster]

Try screen wire (the kind you use for your back porch in the summer.) Works great as a Faraday shield, keeps the mosquitoes out, is much less noticeable than Reynolds Wrap and lets the fresh air in.

This is for the more discerning crypto customer

[vt0asta]

"If you want to build an NSA-approved product, they want this in there."

All that means, is like DES back in the day, if you want to have something NSA approved you pick this. I can guarantee you that the government when it's working on it's black budget work in general and historically has no regard for paying licenses for patents, and routinely mines the patent office for anything they may need. NSA has government customers that want protection, and instead of giving them the super secret good stuff, they find something off the shelf and give them this. This Certicom Corp. ECC is the new algorithm to study, because if it's NSA endorsed it's "probably" years ahead of the public domain state of the art, and is "probably" resistant to some pretty sophisticated crypto analysis techniques.

Re:This is for the more discerning crypto customer

[thing12]

I can guarantee you that the government when it's working on it's black budget work in general and historically has no regard for paying licenses for patents, and routinely mines the patent office for anything they may need.

But aren't they allowed to mine the patent office? After all they are part of the government - and patents are there only to protect inventors from each other - not to protect inventors from the govt. I've always understood that in exchange for that protection the government is all

Oh my God!

[Ars-Fartsica]

Next thing you know the government will contract out the manufacture of nuclear missiles!

There is a method to the madness... for sure!!!

[3seas]

We all know that the way to make documents secure does not including making them accessable via the internet or intranet or any net, regardless of encryption or key size.

For it only takes the breaking of one key document at the right time and misuse of the information found, for the NSA to then need to have someone to blame while the damages of the results would still exist.

Encryption, regardless of how big the key is, still has the possibility of someone hitting it, like the lottery.

Not to mention I rea

Re:There is a method to the madness... for sure!!!

[3seas]

Is that where you keep your passcodes? On your arm.

Re:There is a method to the madness... for sure!!!

[3seas]

I guess that proves beyond a shadow of a doubt that pi can never be written out all the way, not that we don't know how to do it, but physically there are not enough atoms to write it out. I guess the same goes for being able to use all possibilities of 512 bit encryption.

But since there are more possibilities than atoms in the visible universe I guess that means all the rest are in the mind.

It only takes one hit.

Buy Canadian

[solprovider]

Did anybody notice that the United States National Security Agency is buying encryption software from a Canadian company? Is this the same United States that refused to allow products using good encryption to be exported because they were considered military weapons?

I am not flaming Canada; I work with several Canadians and they are all nice and knowledgable people. I just noticed the inconsistencies in our policies.

Disclaimer: I am a citizen of the USA, and I hope that this trend continues. I would really like all our government agencies to use the best global software, not just our homegrown insecure proprietary systems.

Re:Buy Canadian

[Detritus]

The NSA has provided encryption systems to countries all over the world. The catch is that this has been limited to the governments and armed forces of friendly countries.

You can export strong encryption if you get an export license. The U.S. Government will grant a license if they think it is in the national interest.

The United States and Canada have been cooperating in communications security and intelligence gathering for many years.

key strength

[TheSHAD0W]

That's quite a difference in key strength between RSA and ECC. How does ECC's key strength compare to the best symmetric cryptosystems? Is it of the same close order of magnitude? If so, that's rather impressive.

let it be said

[mcryptic]

15,360 bits ought to be enough for everyone.

Wait a minute!

[smart.id]

There actually is an NSA? I thought it only appeared in movies like Triple X...

Re:Wait a minute!

[AJWM]

There actually is an NSA?

No, there's No Such Agency. Move along, nothing to see here.

(Actually, for many years even the existence of the Agency was officially not acknowledged. AFAIK most if not all of its budget is still "black", ie doesn't show up in detail in the budget bills.)

So this means there's no easy way to break ECC...

[Urkki]

...known to NSA I mean. Why would they license it if they knew of some weakness in it...

Hmm...

Or maybe there *is* a suble weakness, leading to an "easy" way to break ECC. And NSA is licensing this to give it undue creidibility, so more people start using it, while NSA can easily (compared to RSA or whatnot) read everything encrypted with it...

Evidence for Quantum Computer

[Markus Registrada]

This isn't proof that they don't have a quantum computer. It's evidence that they do have, or expect to, or expect others to have soon. A quantum computer isn't magic. The best guess about the power of quantum computers, as applied to decryption, is that they can crack a 2N-bit cipher about as fast as an ordinary computer cracks an N-bit cipher.

So, when we see the NSA not just adding key bits, but adding bits and then doubling them, we see evidence of countermeasures against quantum computers. This doesn't mean they have quantum computers. Remember that they are not just guarding secrets they transmit today against attack now, but against attack ten years from now, when revelation might still be damaging.

Once we all do have quantum computers, I wonder what amusing revelations will come from cracking old ciphertexts. You can bet the NSA will keep busy at it, and so will the Brits, and the French, and the Germans, and the Russians, and the Israelis. (No doubt a few of the biggest corporations go on that list too.)

512 bits?

[jrockway]

How is a 512 bit key equivalent to a 15,360 bit key? If you "only" have 512 bits, then you have to try 2^512 keys. If it's 15360, then you have to try 2^15360. 2^15360 is A LOT bigger than 2^512. So they're not equivalent. This is sort of irrellevant because 2^128 bit keys are still out of reach these days (i.e. if every computer in the world [every known computer; the NSA could probably break this?] worked on generating keys, the message would come out way after the Universe ended. That's a problem i

Re:512 bits?

[damiam]

If it's 15360, then you have to try 2^15360.

No, you don't. You have to find the factors of a prime number of that length. That leaves significantly less than 2^15630 possibilities, especially if you're using a decent factoring algorithm.

Re:512 bits?

[JKR]

You're assuming brute force attacks; a 512 bit key for one algorithm might be harder to crack than a 15360 bit key in a different algorithm, because of flaws or limitations in that algorithm.

Jon

Sun and ECC

[pmsyyz]

Sun likes [sun.com] Elliptic Curve Cryptography. They have helped add it to Mozilla's Network Security Services [mozilla.org] and to OpenSSL.

Just a Wild Guess, But...

[Nom du Keyboard]

Just a wild guess, but what are the chances that NSA developed this secretly years ago and either planned to, or already does, use it. When the civilian cryptography sector finally caught up with them and actually patented the algorithm, NSA had to license it or stop using it. It wouldn't be the first time NSA has been shown to be far ahead of publicly known cryptographic knowledge. Differential Cryptology comes to mind.

512bits

[Duncan3]

512bit ECC is exactly as strong as the thumb knuckle on your right hand, because that's what the NSA will remove if you don't tell them your key. They don't brute force keys they brute force YOU.

And ECC is _VERY_ heavily encombered by patents, that's why none of us are using it yet out here in the real world, we can't. They could have used RSA for free, so you should be upset with their irresponsible use of tax dollars.

The chart is interesting tho...

Public key vs. symetric

[autopr0n]

You can't really compare symetric key systems like AES with public key systems like ECC or RSA. With a symetric system you need keey your key secret, with public key you have two keys (encryption and decryption), and you only need to keep one of them secret. The other you can distribute far and wide.

A lot of times, people will create symetric keys and then use public key systems to distribute them.

Re:OSS ECC? ECC vs AES

[espo812]

What makes ECC so much better vs AES with a key size of 256?

I'm sure a small ammount of googling could tell you this, but comparing ECC to AES is like comparing apples to oranges. ECC is a public key algorithm, and AES is a symmetric key algorithm. Thus, you would have to look up the fundamental differences between public and private key algorithms to find the differences between ECC and AES.

The difference between ECC and algorithms like RSA, for example, is that elliptic algorithms can work with smaller keysizes, and this should have been noticable from the slashdot post that points out the commercial product uses a smaller keysize than the equiviliant strength RSA key.

Re:OSS ECC? ECC vs AES

[quadelirus]

In cryptography it's usually not a program that gets lisenced, but an algorithm (or cryptosystem). My guess would be that ECC has the copyright or patent or whatever you get on their algorithm which would make it illegal to write a program using elliptic curve cryptography (or at least their algorithm) without permission from the company. I once wrote a project that used the RSA cryptosystem for education purposes and I had to obtain permission from RSA legal to use the cryptosystem. (However it might be pu

Re:OSS ECC? ECC vs AES

[daserver]

correction DSA is not ECC.

Re:OSS ECC? ECC vs AES

[graf0z]

GnuPG can use DSA which is ECC.

No, DSA != ECC.

DSA and ECC both do encryption by exponentation, relying on the assumtion that the reverse function - the logarithm - is infeasible with the used keylengths. They are both called "Discrete Logarithm Systems".

But the multiplication is done in completly different mathematical contexts: DSA multiplies in the rings Z/p (that are the natural numbers modulo p, p being a prime) where ECC multiplies in suitable "elliptic curve groups over finite fields" . That are finite sets of "numbers" paired with an complicated operation called "multiplication". These "numbers" behave quiet odd.

The main practical difference is the neccessary keylength. Depending on the chosen eliptic curve, ECC keys are 4-8 times smaller than DSA keys. They get much closer to the "no attack is faster than the brute force attack"-paradigm than other public key algorithms like DSA or RSA.

Unfortunatly, huge classes of suitable elliptic curves got patented.

Google for free ECC software. There are at least some libraries published by academic research groups.

/graf0z.

Room for prior art on non-patented elliiptics?

[Morgaine]

Unfortunatly, huge classes of suitable elliptic curves got patented.

On what basis were the different elliptic curves considered different, to allow for the patentability of followups after the first patent was granted?

I ask this because along that dimension of "approved" non-overlapping variance there must be other elliptic curves for which there is no current patent, and if prior art is established for them then we can use that in an ECC implementation for GnuPG without fear of patent claims. Proceedin

Re:Room for prior art on non-patented elliiptics?

[cicadia]

I believe that it was not so much the curves themselves, but the methods for quickly finding them, which were patented.

After several attacks were published showing that large numbers of elliptic curves were too weak for use in known ECC cryptosystems, software techniques had to be developed which allowed the fast generateion of curves which are known to avoid all of the weak areas. Those methods, to a large extent, are all patented.

It's a similar problem to finding 'safe' primes for use in RSA. You can

Re:OSS ECC? ECC vs AES

[pyrbe]

Bouncycastle Crypto APIs [bouncycastle.org] support atleast Elliptic Curve DSA and Elliptic Curve basic Diffie-Hellman (according to release notes). Possible other ECC algorithms too.

Re:OSS ECC? ECC vs AES

[dasmegabyte]

Unfortunatly, huge classes of suitable elliptic curves got patented.

Unfortunate? For whom? For the people who spent long hours doing the extensive research which led to the development of advanced encyption systems? Or for the people who read the papers and attended the conferences and say "Great idea...think I'll make the same thing for free in the name of Openness!"

Encryption is not like a 1-click pattent or library compression. It's hard, expensive and risky to devote your time to coming up with t

Re:FINALLY ...

[Egonis]

I am from Mississauga, Ontario - where Certicom resides, and am feeling two emotions:

- I am happy to see a local business score a large contract in my hometown
- I am confused as to how the American Government ever approved a purchase of an external Intellectual Property

I'm sure alot of Americans will have disagreements on this one!

Re:FINALLY ...

[EvilSS]

Yea, it's really bizarre. You would think there was some kind of draconian regulations on cryptography in the US that encourages companies that develop crypto to not reside here. hrm....

Re:FINALLY ...

[Tensor]

ROFL ... VERY good point. I guess crypto export regulations bit them in the ass huh ? :)

Re:FINALLY ...

[ratfynk]

Same thing for Ferengies! Explain the New World order in terms other than economics. There is no difference when economic policies are used as a weapon. That is the fundimental tenet of the Monroe Doctrine. War is to avoided if economic leverage is usually cheaper. The 54.40 or fight crowd thought economics was not enough.

"Living next to the US is like sleeping next to an Elephant" In the case of software the Elephant has eaten too much grass and smoked too much crack!

Re:Huh?

[AllUsernamesAreGone]

It isn't a troll, but perhaps you're asking the wrong question.

Instead of asking why picking a commercial solution when no open one exist is remarkable, ask why it is remarkable that the NSA have selected a commercial solution instead of developing their own version of it.

Re:Huh?

[randyest]

Being the NSA doesn't guarantee you can develop the best technology in every security-related area. If another company or research institute happens to come up with a technology that's remarkably better than anything else like it and patent it first (such as the ECC mentioned in the article), the NSA should and does license it. That is, they buy the the rights to use the technology that someone else spent a lot of time and effort to develop (maybe even more than the NSA put forth in this field) .

It's not like the NSA is buying a binary encryption software package they can't decompile, or shipping the secrets up to Canada for encrypting. This isn't a security concern. The NSA bought the concept of ECC, and Certicom deserves to be paid fairly for it. The NSA can do anything they want with ECC now, including grant sub-licenses without approvasl from Certicom. The only restriction is to require a minimum level of ecryption field size (encryption strength), which isn't a problem for NSA:

This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a limited field of use. The field of use is restricted to implementations of ECC that are over GF(p), where p is a prime greater than 2256.

Re:Huh?

[Ogerman]

However, I'm not sure that I'd go so far as to say anything mathematical shouldn't be patentable. In particular, this is an application of mathematics, not just pure math. I don't think you can come up with a new way to solve a pure math problem, or a new way of expressing an equation, and get a patent on it. ... We could argue that ECC is a discovery rather than an invention just as easily as we can for any other technological advancement.

The difference is that patents on mathematical techniques or softw

Re:Huh?

[VertigoAce]

According to the summary, what's interesting about it is that they didn't use their own proprietary solution. I don't see any mention of an open source solution in the summary. From the article, the significance seems to be that anyone who creates something that is NSA-approved must go through Certicom.

"They were very interested in getting the best IP out there, and we own a lot of the patents in this area," said Tony Rosati, director of marketing at Certicom, based in Mississauga, Ontario. "If you want t

Re:Canadian code?

[Timesprout]

Its pretty obvious. The strange pronunciation required for Canadian variables makes the code more difficult to comprehend and so creates an additional level of obfuscation and thus greater security.

Canada

[nuggz]

FWIW I'm Canadian.

Canada has many exceptions to US restrictions. This makes sense. It is cheaper to work together, and we do in many military and space applications.
Our interests are basically very similar, and both countries are generally trustworthy of each other.

The only conflict are on specific policy issues.
It also matters which government is in power in each country.

There have been quite a few times where state and provincial officials have banded together to fight both federal governments.

Plus if it works well, why shouldn't they use it?

Re: Privatization

[Black Parrot]

> The NSA's job is to make secure codes for government use, and break other people's codes. So they licensed someone else's code, but why are they announcing it for intra-government use? The obvious question is, Can't they roll their own?

Probably just means that they've discovered how to crack it, so now they want everyone else to use it.

Re: Privatization

[God! Awful 2]

Probably just means that they've discovered how to crack it, so now they want everyone else to use it.

Yeah, that was my immediate reaction when I saw the article. Not that I actually believe that, but it makes for a good conspiracy theory.

-a

Re:Privatization

[paranoidsim]

I don't think this is about privatization. I think this is about the NSA being overloaded with more important things to worry about. Such as the "War on Inanimate Objects", namely, Terrorism. For instance, look at their new hires figures jump from roughly 100/yr, to over 1000. They are busy, they are upgrading, and they are worrying about processing the loads of new data from monitoring an exponentially higher amount of data then they were accustomed to only a few years ago.

Re:Privatization

[espo812]

Oh come on, I know Bush's administration is all for privatization and turning to the private sector and all, but this?

I believe that the technological divide between the NSA and the private sector has been shrinking over the years. I also don't think they would have selected this product if they didn't have good reason to. I suspect that this product was probably developed with some degree of NSA involvement, either contract work there or by former contractors/employees. And, low and behold, as I RTFA it says:

Certicom has worked with the NSA, based at Fort Meade, Md., on several classified projects in the past, and this agreement is essentially an outgrowth of that work, officials said.

So, it appears to have a lot of NSA involvement in the development. Actually, RTFAing a bit more closely it appears NSA is licensing the algorithm from Certicom. So they may not even be using the code from Certicom, they could be developing all the systems in house. Clearly, they wouldn't make a move like this without thoroughly analyzing the algorithms involved.

So what comes out is a solution that was produced much cheaper than a similar inhouse effort, and this will save the tax payers money (which sounds good to this poor college student.) I have to say I'm surprised at the Agency going after a commercial product for classified purposes, but I'm sure they have good reasons.

Re:Privatization

[Anonymous Coward]

Hypothetical:

You're the premiere intelligence agency in the world. When you need to secure data, you use algorithms that nobody else in the world knows about, designed in secret by some of the greatest mathematical geniuses there are.

When you need to secure an email you're sending to someone not in the agency, you can't (not to mention don't) use your hidden good stuff, because the recipient doesn't have the algorithm. So, you use something publicly available.

Re:Privatization

[pVoid]

Uhh... why is this interesting?

It's blatantly ignorant of the principles of cryptography which state that knowing the algorithm and implementation, or even part of the clear text should not compromise your security.

Re:Privatization

[Guppy06]

But the basic principles of security in general is to not share any information with anybody else unless you have to. Just because you can't see how the information could be useful doesn't mean nobody else can. Security through obscurity may not be worth much, but it sure as hell doesn't hurt.

Re:Privatization

[harriet nyborg]

"Can't they roll their own?"

good point mr100percent. something don't be adding up here.

the NSA employs more mathmeticians than any other organization in the world. they can grow their own and roll their own.

the thing is they usually bogart it.

what i don't understand is why the NSA just doesn't pinch from someone else's bag - i mean who's gonna know it? they're the friggin's NSA - the government, they can do anything... and only traitors and slanderous villians would criticize the government.

it's a

Re:Privatization

[Anonymous Coward]

on one hand, you have a crackhead who could get all the drugs he wanted legally and privately, but for some unexplicable reason bought his dope illegaly on the street through someone who could (and did) dime him out.

on the other hand, you have NSA could use whatever patented technique they wanted and no one would ever know, but they decide to go out and publicly annouce a license

You're wondering why the NSA didn't just go ahead and use Certicom's patented ECC implementation and keep it a secret? Because they're a lot bigger than Rush freakin' Limbaugh, and it only takes one employee to speak up and say, "we knew someone else patented this but we used it anyway" before someone gets in a lot of trouble.

No one wants that kind of a black eye. If that scandal broke, the manager who gave the go-ahead to implement the Certicom solution without licensing it would probably find himself reassigned to a communications post in Afghanistan.

And one thing about the US government... no matter how hard they try to keep things under wraps, they're just not very good at it. There are just too many nosy journalists and authors poking around... everything comes out sooner or later :) (For examples, see the SR-71, spy satellite imagery, Predator UAVs, the TIA project, etc. and the number of times Tom Clancy has been accused of espionage for incorporating published projects into his work.)

Re:Privatization

[Bishop]

The NSA has used a mix of commercial and inhouse cryptography for a long time. For example DES and RSA.

The only thing remarkable about this deal is that it is with a Canadian company.

Re:Privatization

[AJWM]

It's probably a Canadian company because of the bizarre laws governing crypto in the US (although they're not as bad as they used to be). Same reason that a lot of OSS crypto projects, OpenBSD, etc are nominally HQ'd in Canada or other places outside the US.

Re:Privatization

[tigersha]

The NSA ARE the ones who decides if the bizarre laws apply or not and I seriously doubt that they will boycott themselves...

Re:someone to take blame

[Waffle Iron]

When there are problems, it's easy to sue a company and put the blame on them.

That's right. Now if terrorists crack the launch codes and launch our missiles against our own cities, we'll be able to sue Certicom to recoup our losses.

Re:Great

[kfg]

"I, for one, welcome our new elliptic overlords."

Indeed, this will be a major improvement on the hyperbolic overlords we now have.

KFG

Re:How about

[dotgain]

No and no.

Encrypting shouldn't make the resulting code bigger, except for rounding the size up to the next block size of the cypher. Encrypting something over and over with the same algorithm doesn't really have a cryptographic benefit.

Re:Not to burst your bubble, but .....

[ScrewMaster]

Cutting-edge military-grade crypto uses neural implants to measure how your brain processes various stimuli as part of the input term to a challenge/response protocol.

So you're saying that the NSA is a Borg operation.

That's such utter BS.

[pr0ntab]

1) S-boxes are the only cryptographic structure that is fundamentally non-attackable (make them bigger or use them more intelligently to defeat parallelism/analysis).

2) TSC uses block-based and stream ciphers just like anything else. For example, KG-75s, CORNFIELD MCM, etc. There are even TSC approved software packages that you can install on a standard PC to create secure links. These are all commercially developed products, Motorola, Harris-Intersil, etc. (but are CCI, so you can only get them through a

SELinux?

[core plexus]

I guess you've never heard of SELinux [nsa.gov].

Alaska's favorite scientific instrument [alaska-freegold.com]

Twit

[ScrewMaster]

Hey, that's really funny. Ha. He'd better hope we don't collapse in disarray or his nation's economy will probably disintegrate from having to stand on its own feet without a few hundred billion in U.S. Foreign Aid propping it up.

Re:Asswipe!

[ScrewMaster]

No, not when the remaining criminal gun usage is directed against common folk who no longer have the capacity to defend themselves or have any rational deterrent. Who do you think are the recipients of most "gun crimes"? You've probably never been in a serious situation where an adequate self-defense would save your life. I hope you never do, because if you survive it your belief system will undergo some radical changes.

Samuel Clemens said it best: Better to keep one's mouth closed and be thought a fo