OpenSSL Gets Cryptography Gift From Sun
Kataire writes "C|Net posted this story about how Sun Microsystems has donated 'elliptic curve' encryption technology (developed by Whitfield Diffie of Diffie-Hellman public key fame) to the OpenSSL project. This potentially means better encryption for lighter-weight systems such as PDAs."
Now I can keep my pesky roommates out of my palm's oh-so-full social calendar.
Karma: Not Particularly Funny.
Sun is basically "arming the rebels" so they can better fight Microsoft. Even though they may have other motives, it's nice of them anyway.
I hate you bastards... get my curiosity flowing, now I get to waste the rest of the work day reading this. I encrypted something on my pda once... then tossed it out. Rather unorthodox method of the one-time pad cypher, I know, but hey.
Finally, math books without any of that base 6 crap in them.
Although I use and keep up with the BSD side of things, I think this affects the entire open source community as a whole, including xBSD, Linux, Apache+SSL, and gobs of other software that utilizes SSL for security.
Nonetheless, it is great to see Sun contributing back to the community.
This does bring up one question in my mind though... could this be used in SSL acceleration cards to improve the efficiency of the SSL 'processor' (i.e.: keep the same performance level while reducing the amount of power necessary)?
newlmsy akhtswnd whss adna nwsufaclanw!
You can't judge a book by the way it wears its hair.
Since there is no known weakening from quantum computers of elliptic curve cryptosystems, EC's may well be better for long term cryptography, even on supercomputers. Since it is pretty well known that the massive parallelism of quantum computers will greatly increase the ability of future systems to factor large numbers, more traditional cyphers will be under more pressure.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
This isn't the encryption scheme mentioned previously, when Slashdot reported that a distributed project has almost "broken" the scheme, is it?
/. article was a pointer to Schneier's Sept 2002 Crypto-gram about an academic weakness in AES.
If you mean the recent article in the last week, no.
The recent
It's academic in that it is not possible to break (at present time, and oh the next hundred years) in real-life.
Has anybody noticed a trend lately of large corporations or companies making offers to the public source movements. Is this a play between them for notice, or are they finally starting to figure out that it's better to play nice with open source than fight against it?
.. and that they have given an irreversible distribution right for free software, so that it's usable on free software but not for proprietary software unlicensed by SUN.
Or... was that a rather evil thought? I'm not sure anymore, I'm so blinded by my zealotism.
I don't know, I wrote the answer in my pda but the encryption is too rough, can't get back in.
Finally, math books without any of that base 6 crap in them.
could this be used in SSL acceleration cards to improve the efficiency of the SSL 'processor'
Unlikely in presently deployed accelerator cards, since AFAIK most (Rainbow CryptoSwift and nCipher) are based on custom hardware chips (FPGA and the likes) which do mainly RSA key setup which is the really slow part of establishing an SSL session. I believe several of the cards do not even do any symmetric (i.e. RC4, 3DES) acceleration because it isn't worth it.
I read the article, but "technology" was the only thing I read was "donated". WTF does that mean? Did they give them reference code with a GPL (or whatever the OpenSSL library uses)? Did they give up patent rights to the method? The article didn't explain just what the OpenSSL folks got.
Method of processing duck feet
Supposedly, this offers encryption with less computational demand. And, supposedly, it's not going to be in use for 5 to 10 years.
If that's the case, my question is this: Why bother? Moore's law says that in the 10 years that it will take to get this implemented, CPUs will be *64 times faster* than they are today.
Just think: "Wow! With this new encryption technology, encrypted 100 megabit networking only takes 0.05% of my processor instead of 0.1%!"
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
but since they are modular, we could also use them for traditional pgp style encryption, no? instead of symmetric keys, you could use a public key.
SSL and PGP (or preferably the newer OpenPGP) standard both use a hybrid scheme which uses both asymmetric and symmetric encryption algorithms.
If you mean could elliptic curves schemes (ECDLP, ECDSA, ECDH) be used in OpenPGP as well as SSL/TLS; then yes as long as it was added to the OpenPGP standards which I don't think includes ECC yet but has spaces reserved for future ECC use.
The article reads as if using ECC for small devices is a novel concept. That isn't the case- Certicom is 15 years old, and has done ECC for handheld and embedded devices for at least 4-5 years. It has some solid encryption researchers (Scott Vanstone, for example) and a bundle of patents. Most Palms out today use Certicom's ECC, although newer versions are using RSA. And while Certicom is probably the best known company promoting ECC, I know of several other companies in Japan, Korea and Germany that sell their own implementations of ECC.
OpenSSL is not the child of OpenBSD, nor a cousin of OpenSSH. OpenSSL is an independent project.
OpenSSH is a baby of OpenBSD, and OpenSSH depends on OpenSSL.
The Elliptic curve stuff was donated to OpenSSH team, not the OpenSSL group. So dreaming about this in your ssl accelerated card of the future is a bit silly. However, if OpenSSH team open sources the tech, and that tech is under bsd license, then maybe it will work its way down into the chip makers' crypto designs.
It isn't a lie if you believe it.
I can see this as a positive step to secure the network end to end, from the server room down to the smallest of devices, the PDA.
As it stands now, having a wireless network could be a blessing. Information available at your finger tips. PDAs have never been a strong focal point for security in my experience. It will be great to see a network that can be truly encrypted end to end.
Now if only the user friendliness of this made it so that even the ordinary citizen could use it.
Don't most hand-helds have more than enough processing power for encryption?
Most high end PDAs do for file encryption, but as increased demand for WTLS (Wireless TLS), "wireless speed" encryption for high speed GPRS/Bluetooth/802.11/1X networking applications. Applications like online wireless betting or online wireless reservations need better (read: quick) security in PDAs and mobile phones, which have less powerful processors.
You know what that tells us, right?
:)
The NSA can already crack it.
OpenSSL is written by the OpenBSD people
Not quite.
OpenSSL is maintained by OpenSSL core members: Ralf S. Engelschall, Ben Laurie, Mark J. Cox, Dr. Stephen Henson, and other developers.
OpenSSH was written by OpenBSD members (Theo de Raadt, Niels Provos, Markus Friedl, Dug Song, and others). OpenSSH uses OpenSSL as a cryptographic library source (it is highly optimized for many processors).
No... But there is a distributed project out there working very hard to crack it - but so far elliptic curve encryption holds out...
By the way, Ars Technica has a team working hard on this project, and I'm sure they'd like some help... ;-)
My opinions may have changed, but not the fact that I am right! =)
...given that it was invented by NeXT?
Sorry, Elliptic curve cryptography was invented independently by Neal Koblitz, Professor of Mathematics at the University of Washington and Victor Miller who was then at IBM.
(Source)
If they are so *&*^ serious about security? The slapper worm has been out for quite a while now, and Sun's cobalts run a REALLY old version of OpenSSL. Sun's last patch was released almost a month ago, for a CGI vulnerability. They've been asked dozens of times about the OpenSSL patch, and won't even give customers the courtesy of a "We're going to have one by X" response. CobaltOS is just a flippin' rebuilt RedHat OS; it isn't hard to patch!
Not all such gifts are useful for the recipient, and some are genuinely harmful to the interests of open source users. So, do look a gift horse in the mouth, or you may be stuck with large vet bills otherwise.
This one seems harmless if it is on unpatented technology, or if the patents are free for use by open source.
'elliptic curve' encryption technology, (developed by Whitfield Diffie of Diffie-Hellman public key fame)
Elliptic curve cryptography was independently invented by Neal Koblitz, Professor of Mathematics at the University of Washington and Victor Miller who was then at IBM.
(Source)
Whitfield Diffie is Sun's chief security officer, and co-invented public-key cryptography.
Hotel California?
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
I know the keys used for ECC are generally smaller, but that seems like a fairly minor consideration even for PDAs
ECC uses smaller keys, which is suitable for very small networked devices like network appliances, that use cheap (<$1) 8-bit microprocessors with very small amounts of NVRAM.
Is elliptic curve cryptography actually faster than RSA?
Yes, which is the major advantage over RSA, more important in most applications than the storage of smaller keys. I don't know exactly but I estimate in the area of 10 to 100 times faster for "equal" level of confidence in security.
And if it IS faster, wouldn't it be much more useful for web servers than for PDAs?
Think mobile phones, or cheap network household appliances with 8 and 16-bit microprocessors with clock speeds less than 12MHz. It also means lower power consumption which is important for most battery powered devices.
In fact, it has and can be easily shown that by solving "the factoring problem" (as it's oh-so-vulgarly put) or the discrete log problem of classical public key cryptosystems, one solves EC's. The problems are extensions of one another, and the solution to one is trivially deducible from the solution to another.
your statement was like saying "unlike Webster's Dictionary, the Oxford English Dictionary has no words in it" - pure and utter nonsense. gibberish.
All ECC's are (in boiled-down essence), is a Discrete Log problem on a cubic whose solutions are confined to a torus. (i.e. 'elliptic curve').
while it's true that the keysize needed for secure ECC is much, much smaller and increases much much more slowly than either DL (discrete log) or IF (integer factorization) [both of which are essentially exactly the same] systems, this has to do with the way the field is set up and how the keys correspond.
> Now I can keep my pesky roommates out of my palm's oh-so-full social calendar.
Actually, this can be taken in more than one way, especially since "palm" isn't capitalized.
Well Arthur, it looks like this ellipse has come full circle.
JET Program: see Japan, meet intere
but so what?
a hu.ca
My crypto lib has supported [non-P1363] ECC crypto for quite some time now. Big deal.
http://libtomcrypt.sunsite.dk
or
http://tom.i
I use ECC in the traditional ElGamal method without standard packet formats. But the idea is the same...
Tom
Someday, I'll have a real sig.
Additionally, it is very possible to accelerate SSL in hardware. In fact, the Sun project page [sun.com] itself talks about integrating ECC and SSL support into a hardware accelerator.
And there are lots of companies that sell stand-alone SSL accelerators.
If J.K.R wrote Windows: Puteulanus fenestra mortalis!
Is it under a 4-clause or 3-clause BSD license? OpenSSL is _still_ under the 4-clause license, with the `obnoxious advertising clause' which says that you have to mention the developers in all advertising materials.
Not such a big deal, you might say, but there are two big problems with this: 1) It's incompatible with GNU GPL, so no straight GPL software can use OpenSSL, and 2) it causes huge practical problems.
These issues are a big problem for Debian, in particular.
Elliptic Curve Encryption isn't 'owned' by Sun. Apple owns some patent related to it that they got from NeXT (search for Richard Crandall). And it was invented by someone else entirely (see comments above).
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
Let me think... Um, NO.
But I'm also not necessarily representative of most COBALT users. People who CAN build from source are generally not the target audience of the machine. They BOUGHT a Cobalt server as an appliance, which is what SUN markets it as. SUN says not to ever touch the CLI, as "The GUI does everything you need".
People buy a Cobalt from a big name vendor so they get the stability and resource-friendliness of Linux with (theoretically) the SUPPORT (in terms of patches and making the software easy to use and documentation) of a big name vendor.
So that's the problem.
(I love trolls who are such wizards about all this, but still post anonymously)
Whitfield Diffie is Sun's chief security officer, and co-invented public-key cryptography.
Actually, Ralph Merkle invented public-key cryptography (too). Merkle's article was SUBMITTED first, though the Diffie-Hellman article was PUBLISHED first while Merkle's was still going through the review process.
Not to disparage any of 'em. Merkle and Diffie & Hellman both invented it separately.
And for you people who follow Nanotech and/or Cryonics, yes it's THAT Ralph Merkle (who didn't invent either cryonics or nanotech, though he does much great work to advance them).
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Encrypting a tightly packed transaction on a 16 MHz ARM processor won't take very long.
I think a 16 MHz ARM processor would only be in a "high end" smart phone, or a PDA and not your mass market average cell phone.
ECC makes a big difference for low cost mass market microprocessors. Think 8 or 16 bit, less than 12 MHz on average. 1024 bit RSA encryption can take up to 1 minute in such environments.
No. OpenSSL was originally SSLeay written by Eric Young.
Tom,
Your library is nice, it is portable C with tons of algorithms implemented. Test vectors. Most algorithms even have decently optimized implementations which is a plus.
But you lack protocols which are necessary to securely implement applications.
Using 3DES or AES is stupid if the application developer uses ECB (Electronic Code Book) mode of operation because it's faster and simpler. The application developer doesn't know that you need a HMAC to ensure integrity. What about replay attacks? Cut-and-paste attack?
I don't think you even have secure message padding for RSA implementation.
You have an interesting library of algorithms, but it is AFAIK lacking the "glue" to make it more useful than OpenSSL (which is ported and tested on many platforms, and heavily optimized assembly).
So to develop secure applications I will continue to use OpenSSL rather than LibTomCrypt. It is less work for me, simple as that. If you expand your work, that will end my complaints, and we'll both be happy.
Peace.
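The integrity gap raised in the comment above (a block cipher in ECB mode with no HMAC), shown as an added example that is not part of the thread or of either library. The Feistel cipher is a toy stand-in for AES/3DES so the script needs only the Python standard library; the keys, the message and all function names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes
# Constructed keys and message; blocks 0 and 2 of MSG are identical on purpose.
ENC_KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"
MSG = b"field1=AAAAAAAAA" + b"field2=BBBBBBBBB" + b"field1=AAAAAAAAA"

def _f(key, i, half):
    # Round function of a toy Feistel cipher: a stand-in for AES/3DES, NOT secure.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def _dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("length must be a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(_enc_block(key, b) for b in _blocks(pt))

def ecb_decrypt(key, ct):
    return b"".join(_dec_block(key, b) for b in _blocks(ct))

def reorder(ct, order):
    # Rearrange whole ciphertext blocks, as a cut-and-paste modification would.
    return b"".join(_blocks(ct)[i] for i in order)

def seal(enc_key, mac_key, pt):
    # Encrypt-then-MAC: the HMAC tag covers the ciphertext.
    ct = ecb_encrypt(enc_key, pt)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, sealed):
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("HMAC mismatch: ciphertext was modified")
    return ecb_decrypt(enc_key, ct)

if __name__ == "__main__":
    print(ecb_decrypt(ENC_KEY, reorder(ecb_encrypt(ENC_KEY, MSG), [1, 0, 2])))
```

Bare ECB decrypts the reordered ciphertext without any error, while `open_sealed` rejects it. The tag does nothing about the repeated-block pattern ECB leaks, and stopping replays additionally needs a nonce or sequence number under the MAC.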
Well I agree I lack protocols support but that isn't to say I lack the basic algorithms. I have chaining mode wrappers [OFB,CFB,CTR,CFB] for the ciphers, etc..
In fact unlike the CryptLib and OpenSSL design my library is fully modular which means the OFB code for instance is not tied to one cipher. If you examine CryptLib [and from what I have seen of OpenSSL] they have implemented one OFB [etc] routine per cipher....
I agree though that protocol support is a good idea but that's not a be-all either.
Most protocols don't fully specify your PRNG/RNG source or how you should lock memory, store things on disk, etc...
In other words you can comply with say PKCS #1 and still have an insecure application.
Also unlike OpenSSL my library builds out of the box on virtually every GCC platform without configuration or patching. It even works on my Gameboy Advanced without changes!!!
In the long run I agree. I do plan on adding things like PKCS #1, P1363, etc... but in the short term I am more interested in getting mature, well documented primitives.
Tom
Someday, I'll have a real sig.
I think a 16 MHz ARM processor would only be in a "high end" smart phone, or a PDA and not your mass market average cell phone.
What would a "mass market average cell phone" need with fast public-key encryption? Can't it just authenticate with the cell tower, grab a symmetric key, and then just encrypt voice with AES[1] based on that, possibly grabbing new symmetric keys during non-talk time? Wouldn't the more advanced "Burning Cell Phones" that run apps other than voice and simple games be essentially PDAs with a fast processor anyway?
Think 8 or 16 bit, less than 12 MHz on average.
So you're talking half the power of a GBA. (The GBA is 32-bit with a 16-bit data bus, clocked at 16 MHz.) How does RSA computation scale with respect to keylength?
[1] Yes, AES has been theoretically attacked down to 96-bit, but 96-bit is still considered quite "strong" for symmetric encryption. It has taken nearly four years, and one of the world's biggest clusters still hasn't broken a 64-bit key.
Will I retire or break 10K?
There is a saying that in cryptography, there are three types of elliptic curves: the insecure ones, the inefficient ones, and those that have been patented by Certicom.
I wonder which curves can be used with the code offered by Sun.
I didn't think it was a conjecture anymore since Andrew Wiles proved it.
Back in the '60s, it had been invented at GCHQ by James Ellis for use by the British Secret Service. Unfortunately, due to the Official Secrets Act, Ellis was forbidden to publish or discuss his discovery.
The organisation that Ellis worked for, CESG, are on-line - you can check out their site here.
Here's a link to a page explaining their input into Public Key Crypto.
I'd first heard about Ellis' work in Simon Singh's book, The Code Book. James Ellis seemed to be a very quiet, modest person. It's a shame that his name isn't to the forefront when we think of Public-Key crypto. Credit where it's due
Alison
"It is a miracle that curiosity survives formal education." - Albert Einstein
http://research.sun.com/projects/crypto/Frequenly
It includes technical information and answers questions some people had about licensing.