NSA Turns To Commercial Software For Encryption

Roland Piquepaille writes "According to eWEEK, the National Security Agency (NSA) has picked a commercial solution for its encryption technology needs, instead on relying on its own proprietary code. "The National Security Agency has purchased a license for Certicom Corp.'s elliptic curve cryptography (ECC) system, and plans to make the technology a standard means of securing classified communications. In the case of the NSA deal, the agency wanted to use a 512-bit key for the ECC system. This is the equivalent of an RSA key of 15,360 bits." This summary includes the NIST guidelines for public key sizes and contains more details and links about the ECC technology. Since the announcement, Canadian Press reports that Certicom's shares more than doubled in Toronto."

FUD

[ChozCunningham]

Shouldn't we demand an open source solution? ;)

Re:FUD

[jdhutchins]

You can bet that NSA demanded the source code. I don't think they'd trust something they can't see the source to for their security. As for them buying a closed-source or open-source, to them it doesn't matter, they'll get the source anyways.

Re:FUD

Or at least an American solution!! It is national security and all (although I don't see Canada plotting to take over the world in the near future.)

Re:FUD

[quadelirus]

I stated this in another post, but I've got a link now:

The NSA is not lisencing software, it is lisencing the right to use Certicom's ECC cryptosystem. Cryptosystems now are usually known even when proprietary to allow mathematicians and cryptographers the ability to test the security of it. (The RSA cryptosystem for instance is thoroughly explained on RSA's web-site, but you would still need a lisence to use the algorithm in a program)

I found a tutorial by Certicom on their ECC cryptosystem here.

PS. I could be wrong, but from the article it seems that "intellectual property" and "This is the first time that the NSA has endorsed any sort of public-key cryptography system." that they are not actually lisencing software but are in fact lisencing the cryptosystem. If I am wrong, I humbly apologize.

Re:FUD

[AKnightCowboy]

PS. I could be wrong, but from the article it seems that "intellectual property" and "This is the first time that the NSA has endorsed any sort of public-key cryptography system." that they are not actually lisencing software but are in fact lisencing the cryptosystem. If I am wrong, I humbly apologize.

Well, before they just used it and didn't bother asking for permission. This isn't that big of a deal. The only thing out of the ordinary is they asked before using it. Nothing is stopping the NSA from ignoring a license for anything. Who are you going to call, the BSA to battle the NSA? Licensing applies to corporations and individuals.. governments can choose whether to obey them or not. We'd like for them to obey them, but who watches the watchers?

Re:FUD

[randyest]

I'll take that bet aginst you. The NSA didn't demand the source code, they wrote the source code. Note that NSA is not buying some software tool, they are licensing a patented encryption concept. The NSA will implement this ECC encryption technology in many different ways, on their own:

This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a limited field of use. The field of use is restricted to implementations of ECC that are over GF(p), where p is a prime greater than 2256.

Re:FUD

[quadelirus]

Agreed, I was just saying comparing the cryptosystem to source code is like comparing the laws of physics to a car. A car uses the laws of physics, but if you could license someone had a patent on the laws of physics, talking about making a cheaper car (aka OSS car) means nothing when the NSA is licensing the laws, not the car.

Ok, ok really really bad analogy, but a lot of people seem to be confusing encryption with software. Software uses encryption, encryption does not use software, it is math, just like 2+2.

Re:FUD

Yes, it's almost certainly a case of them just licensing patents covering ECC. Licensing crypto code is pointless for any organization with competent programmers who know cryptography, and the NSA is probably among the top employers of such people in the world.

Certicom has quite a few patents. They don't cover all usage of ECC, only some specific techniques. I can't quite remember whether they were only applicable in the US/Canada (Certicom is Canadian) or whether they had European and Japanese patents as well, as it's been a couple of years since I looked into this, but any patents anywhere are a hindrance to the widespread adoption of a technology if there are viable alternatives.

ECC cryptosystems are well-known and well-studied, although they can't yet be considered as established as older systems such as RSA.

I think the NSA may have specific interest in using patented technologies; once again, although security through obscurity is not sufficient, as long as many ways of using ECC are patented, now that the RSA patents have expired, it is likely that the "mainstream" will deploy RSA except where the smaller key lengths of ECC are a great enough advantage, and thus a large portion of the people studying attacks on cryptosystems are likely to focus on RSA as opposed to ECC.

Another theory is of course that the NSA has already found weaknesses in RSA. Of course RSA is simple enough that any weaknesses would likely be significant new mathematical discoveries and it would be sad for such discoveries to be hidden...

Re:FUD

[Darth+Fredd]

Actually, yes. The NSA has its own linux distro here (previously submitted to /. but, of course, thrown away).

I haven't gotten a chance to run it yet, but it looks pretty decent.

[offtopic]All you genius slashdotters out there, the NSA has a slew of scholarships for very smart people. I'm shooting for one, and you can, too! For more information, go to the NSA website, or to your local college jobfair![/offtopic]

Re:FUD

[Blue+Stone]

" This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a limited field of use."

Who the hell in their right mind is going to license this from the NSA?

The NSA - You Can Trust Us Not To Implement Backdoors(TM).

Re:FUD

[randyest]

Who the hell in their right mind is going to license this from the NSA?

Uh, anyone who wants to do business with or exchange sensitive info (read: pretty much anything) with the NSA. If that's you, you'll most likely have to use this to talk to them about anything important. So, it seems logical that they've acquired the ability to grant sub-licenses -- that way you can be provided with tools to encrypt and decrypt communication that works with the NSA-specific implemntation of this patented ECC concept.

Maybe you were thinking that the NSA is going to release commercial products based on ECC? I don't think so. They'll probably leave that to Certicom and just use the licensed technology for thier own use rather than resale.

Re:FUD

[madpierre]

I wonder if they paid SCO a licence fee?
If they didn't ...
I bet SCO don't file a suit against these guys.

Re:FUD

just like 2+2.

Dammit! You just gave away their encription technique.

Re:FUD

(The RSA cryptosystem for instance is thoroughly explained on RSA's web-site, but you would still need a lisence to use the algorithm in a program)

RSA's patent expired quite a while ago. You don't need a license to use the RSA algorithm.

Re:FUD

[Kenja]

They don't need to demand the source code. They just need to copy it over. Unless the deveopler has his tin foil hat on.

Re:FUD

[jemfinch]

The RSA cryptosystem for instance is thoroughly explained on RSA's web-site, but you would still need a lisence to use the algorithm in a program

No. That patent expired in (iirc) October 2001.

Jeremy

Re:FUD

Seems all those antiterrorist laws put US IT crypto companies at a disadvantage.

Norway, and Germany and others, have these algorithms for free (Mathematical = non patentable for the rest of the world).

Ease of use is why you would buy off the shelf.
Open source has everything, but its look and feel moves faster than windows upgrades, meaning open source will never hit the 'certified' lists.

Sounds like this is one easy to use package, that has passed common criteria testing.

Re:FUD

[d_strand]

Of course it matters! If they aren't given access to the code they'll

a) Write the software themselves
or
b) Use an open-source solution

You imply they'll get whatever source they want wether the owner likes it or not, and that is just not true.
They (NSA) are not above the law. The only way for them to get the code against the owners' will would be to steal it. That would be incredibly stupid since that means people would get fired if the theft was ever discovered, and the agency would be fined ridiculous sums in a court of law.

Re:FUD

[quadelirus]

Oh ok, well at the time of some software I wrote a couple of years back you still needed the lisence. Didn't know the patent had expired, but still in the case of this new cryptosystem, I would assume that the patent is newer.

Thanks for pointing that out.

OSS ECC? ECC vs AES

[draziw]

Are there any OSS projects that support elliptic curve cryptography? What makes ECC so much better vs AES with a key size of 256?

--
Have you sent a check to SCO today?

See?

Nobody trusts software developed by the NSA!

What about license abuse?

[MongooseCN]

What if a company is suspicious of the NSA not following the license it was given? It's not like the government is going to let a commercial company into the NSA to audit all its computer systems. I suppose it will all be done on the honor system.

Re:What about license abuse?

[croddy]

the government doesn't need to care about licensing costs. the government buys extra, and more extra.

Re:What about license abuse?

[leerpm]

I doubt the company cares much. The publicity and market attention they will receive from this deal will be more than enough to compensate for any licensing wrongdoings.

Re:What about license abuse?

[randyest]

The NSA practically can't not follow the license -- it's world-wide and allows granting sub-licenses, and is only restricted to use above a certain security level. The NSA would have to use relatively insecure implementations of the technology to violate the license, and I think that's unlikely:

Certicom Corp. (TSX: CIC), a leading provider of wireless security solutions, today announced that the National Security Agency (NSA) in Maryland has purchased extensive licensing rights to Certicom's MQV-based Elliptic Curve Cryptography (ECC) intellectual property. ECC is becoming a crucial technology for protecting national security information.

This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a limited field of use. The field of use is restricted to implementations of ECC that are over GF(p), where p is a prime greater than 2256. Outside the field of use, Certicom will retain all rights to the technology for other industries that require the same levels of security, including state and local government agencies. Certicom will continue its policy of making its intellectual property available to implementers of ECC under normal commercial terms on a non discriminatory basis.

Re:What about license abuse?

[Excen]

Exactly. Who would they possibly sell this to besides government? Financial institutions and other governments. They would only implement something if it were as safe as humanly possible, and this is a big stamp of approval for an obscure cryptographical technique.

Public key vs. symetric

[autopr0n]

You can't really compare symetric key systems like AES with public key systems like ECC or RSA. With a symetric system you need keey your key secret, with public key you have two keys (encryption and decryption), and you only need to keep one of them secret. The other you can distribute far and wide.

A lot of times, people will create symetric keys and then use public key systems to distribute them.

Re:Public key vs. symetric

Another "applied cryptography" reader offering up his infinite wisdom. Thanks!

Privatization

[mr100percent]

Oh come on, I know Bush's administration is all for privatization and turning to the private sector and all, but this?

The NSA's job is to make secure codes for government use, and break other people's codes. So they licensed someone else's code, but why are they announcing it for intra-government use? The obvious question is, Can't they roll their own?

Then again, I'm sure this is just spin, the reality SHOULD be much different. Or else someone should just be living in a van down by the river.

Re: Privatization

[Black+Parrot]

> The NSA's job is to make secure codes for government use, and break other people's codes. So they licensed someone else's code, but why are they announcing it for intra-government use? The obvious question is, Can't they roll their own?

Probably just means that they've discovered how to crack it, so now they want everyone else to use it.

Re:Privatization

[paranoidsim]

I don't think this is about privatization. I think this is about the NSA being overloaded with more important things to worry about. Such as the "War on Inanimate Objects", namely, Terrorism. For instance, look at their new hires figures jump from roughly 100/yr, to over 1000. They are busy, they are upgrading, and they are worrying about processing the loads of new data from monitoring an exponentially higher amount of data then they were accustomed to only a few years ago.

Re:Privatization

[espo812]

Oh come on, I know Bush's administration is all for privatization and turning to the private sector and all, but this?

I believe that the technological divide between the NSA and the private sector has been shrinking over the years. I also don't think they would have selected this product if they didn't have good reason to. I suspect that this product was probably developed with some degree of NSA involvement, either contract work there or by former contractors/employees. And, low and behold, as I RTFA it says:

Certicom has worked with the NSA, based at Fort Meade, Md., on several classified projects in the past, and this agreement is essentially an outgrowth of that work, officials said.

So, it appears to have a lot of NSA involvement in the development. Actually, RTFAing a bit more closely it appears NSA is licensing the algorithm from Certicom. So they may not even be using the code from Certicom, they could be developing all the systems in house. Clearly, they wouldn't make a move like this without thoroughly analyzing the algorithms involved.

So what comes out is a solution that was produced much cheaper than a similar inhouse effort, and this will save the tax payers money (which sounds good to this poor college student.) I have to say I'm surprised at the Agency going after a commercial product for classified purposes, but I'm sure they have good reasons.

Re:Privatization

Hypothetical:

You're the premiere intelligence agency in the world. When you need to secure data, you use algorithms that nobody else in the world knows about, designed in secret by some of the greatest mathematical geniuses there are.

When you need to secure an email you're sending to someone not in the agency, you can't (not to mention don't) use your hidden good stuff, because the recipient doesn't have the algorithm. So, you use something publicly available.

Re:Privatization

[harriet+nyborg]

"Can't they roll their own?"

good point mr100percent. something don't be adding up here.

the NSA employs more mathmeticians than any other organization in the world. they can grow their own and roll their own.

the thing is they usually bogart it.

what i don't understand is why the NSA just doesn't pinch from someone else's bag - i mean who's gonna know it? they're the friggin's NSA - the government, they can do anything... and only traitors and slanderous villians would criticize the government.

it's an anti-rush limbo problem: on one hand, you have a crackhead who could get all the drugs he wanted legally and privately, but for some unexplicable reason bought his dope illegaly on the street through someone who could (and did) dime him out.

on the other hand, you have NSA could use whatever patented technique they wanted and no one would ever know, but they decide to go out and publicly annouce a license.

Re:Privatization

on one hand, you have a crackhead who could get all the drugs he wanted legally and privately, but for some unexplicable reason bought his dope illegaly on the street through someone who could (and did) dime him out.

on the other hand, you have NSA could use whatever patented technique they wanted and no one would ever know, but they decide to go out and publicly annouce a license

You're wondering why the NSA didn't just go ahead and use Certicom's patented ECC implementation and keep it a secret? Because they're a lot bigger than Rush freakin' Limbaugh, and it only takes one employee to speak up and say, "we knew someone else patented this but we used it anyway" before someone gets in a lot of trouble.

No one wants that kind of a black eye. If that scandal broke, the manager who gave the go-ahead to implement the Certicom solution without licensing it would probably find himself reassigned to a communications post in Afghanistan.

And one thing about the US government... no matter how hard they try to keep things under wraps, they're just not very good at it. There are just too many nosy journalists and authors poking around... everything comes out sooner or later :) (For examples, see the SR-71, spy satellite imagery, Predator UAVs, the TIA project, etc. and the number of times Tom Clancy has been accused of espionage for incorporating published projects into his work.)

Re:Privatization

[thdexter]

No use reinventing the wheel, I guess. You could ask why they use Linux or OpenBSD or FreeBSD or anything instead of making their own secure-by-default OS.

The issue here that caught my glance was that it's a Canadian company, which seems curious, considering that the DoD doesn't much outsource work.

Re:Privatization

[Bishop]

The NSA has used a mix of commercial and inhouse cryptography for a long time. For example DES and RSA.

The only thing remarkable about this deal is that it is with a Canadian company.

Re:Privatization

[pVoid]

Uhh... why is this interesting?

It's blatantly ignorant of the principles of cryptography which state that knowing the algorithm and implementation, or even part of the clear text should not compromise your security.

Re:Privatization

[AJWM]

It's probably a Canadian company because of the bizarre laws governing crypto in the US (although they're not as bad as they used to be). Same reason that a lot of OSS crypto projects, OpenBSD, etc are nominally HQ'd in Canada or other places outside the US.

Re:Privatization

[IM6100]

Are you going to bleat the bit about 'security through obscurity' now?

The NSA has a large body of in-house coding expertise. They really don't have to rely on J Random Hacker to find their bugs.

Re: Privatization

[God!+Awful+2]

Probably just means that they've discovered how to crack it, so now they want everyone else to use it.

Yeah, that was my immediate reaction when I saw the article. Not that I actually believe that, but it makes for a good conspiracy theory.

-a

Re:Privatization

[Guppy06]

But the basic principles of security in general is to not share any information with anybody else unless you have to. Just because you can't see how the information could be useful doesn't mean nobody else can. Security through obscurity may not be worth much, but it sure as hell doesn't hurt.

Re:Privatization

I don't think you fully understand the principles behind cryptography.

The knowledge of an algorithm brings absolutely nothing to the game.

-pVoid

Re:Privatization

"The obvious question is, Can't they roll their own?"

If one reads this with an open mind, it can be seen that the licensing of this technology by no means declares that they did not "roll their own". Perhaps they are simply DingTRT by licensing a technology someone else developed first and acquired patents for.

Re:Privatization

[tigersha]

The NSA ARE the ones who decides if the bizarre laws apply or not and I seriously doubt that they will boycott themselves...

Re:Privatization

[AJWM]

You misunderstood my point. It's because of the crypto regs that companies (or open source projects) that want to sell/give away strong crypto set themselves up in Canada rather than the US.

Re:Privatization

except that other people can't use it against you if you developed it inhouse with sufficient peer review as to believe that it truely is secure.

Its not "lets achieve security through obscurity", its "lets keep slashdot users from writing posts that we can't understand."

i bet that if no one knew about ROT13 (or how to decipher it) except the NSA, they'd keep it to themselves just so someone else wouldn't use it

Re:Privatization

[crucini]

When national security is at stake you don't hand any advantages to the enemy. Military cryptosystems are kept secret for lots of good reasons. It doesn't mean they're vulnerable. The NSA's ciphers probably receive at least as good peer review within the huge agency as any public cipher receives from academic peers.

John Walker supplied the Soviets with keylists for the KW-7 crypto machine, but until they got a KW-7 (via the North Korean capture of the Pueblo) they couldn't use those keys. I think the NSA/military follows this rule: make the algorithm strong, then treat it as if it were weak. Defense in depth.

Re:Privatization

[fijimf]

While I agree that eventually everything comes out, the US government when they have a mind to things can stay under wraps for quite some time. Though by now we know all know the Aurora exists, but over the past 15 operational years, no one has ever seen one. And the National Reconnaissance Office existed for 3 decades while nary a journalist knew they existed.

While the parent was modded as funny, I really believe it's more likely than not that NSA really may be promoting it because they have it cracked.

Huh?

[nepheles]

How is this remarkable? The NSA picks a proprietary solution where there is not even an Open-Source competitor. Surprise, surprise. I don't mean to troll -- but can somebody explain how this is interesting?

Re:Huh?

This is a clue that the NSA, which some geeks would assume have super cryptographic powers, are actually lagging behind the software industry. Its more that they chose a commercial package over in-house stuff. It has nothing to do with open source really.

Re:Huh?

[AllUsernamesAreGone]

It isn't a troll, but perhaps you're asking the wrong question.

Instead of asking why picking a commercial solution when no open one exist is remarkable, ask why it is remarkable that the NSA have selected a commercial solution instead of developing their own version of it.

Re:Huh?

What makes you think there are weren't any other competitive bids, from OS or otherwise?

You think the Agency has something against OS software (never mind that little SELinux thing, sound familiar?)? That Openssl and Openssh aren't in use there? If you do, I'd love to see why you think so. I can tell you right now, you're wrong.

Re:Huh?

[VertigoAce]

According to the summary, what's interesting about it is that they didn't use their own proprietary solution. I don't see any mention of an open source solution in the summary. From the article, the significance seems to be that anyone who creates something that is NSA-approved must go through Certicom.

"They were very interested in getting the best IP out there, and we own a lot of the patents in this area," said Tony Rosati, director of marketing at Certicom, based in Mississauga, Ontario. "If you want to build an NSA-approved product, they want this in there."

Re:Huh?

[randyest]

Being the NSA doesn't guarantee you can develop the best technology in every security-related area. If another company or research institute happens to come up with a technology that's remarkably better than anything else like it and patent it first (such as the ECC mentioned in the article), the NSA should and does license it. That is, they buy the the rights to use the technology that someone else spent a lot of time and effort to develop (maybe even more than the NSA put forth in this field) .

It's not like the NSA is buying a binary encryption software package they can't decompile, or shipping the secrets up to Canada for encrypting. This isn't a security concern. The NSA bought the concept of ECC, and Certicom deserves to be paid fairly for it. The NSA can do anything they want with ECC now, including grant sub-licenses without approvasl from Certicom. The only restriction is to require a minimum level of ecryption field size (encryption strength), which isn't a problem for NSA:

This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a limited field of use. The field of use is restricted to implementations of ECC that are over GF(p), where p is a prime greater than 2256.

Re:Huh?

[Ogerman]

The NSA bought the concept of ECC, and Certicom deserves to be paid fairly for it.

Until you wake up and realize that allowing the patenting of mathematics is total BS.. (which is why most countries don't allow it)

Mathematical truths, techniques, etc. are discoveries, not inventions. And, of course, as many posters mentioned, it is highly likely the NSA had at least some independent but classified prior art to begin with. Those guys aren't exactly slackers.

End software patents NOW!

Re:Huh?

[randyest]

I see what you mean, and I agree in some cases that patents are bad. Patents for obvious things, especially, bother me a great deal (Amazon 1-click checkout, common commerce methods ported to the web getting patents, etc).

However, I'm not sure that I'd go so far as to say anything mathematical shouldn't be patentable. In particular, this is an application of mathematics, not just pure math. I don't think you can come up with a new way to solve a pure math problem, or a new way of expressing an equation, and get a patent on it. You have to have an application of some sort. And that's not neccessarily a bad thing (nor necessarily a good thing either; I concede that a key element in a good patent system is a clueful patent office and patent examiners, which the US seems to be lacking.)

We could argue that ECC is a discovery rather than an invention just as easily as we can for any other technological advancement. In my opinion, it shouldn't matter which it is (because you can always argue the opposite, and being a philosophical argument, we lack a sufficiently omniscient arbiter to make the final call for us), rather patents should be awarded based on the individual merit of the invention or discovery. Whether you invent or discover (even by chance) shouldn't matter as much as how obvious, useful, or clever the invention or discovery is. i.e. Edison just kept trying every substance he could find until he discovered that tungsten made for a decent lamp filament. Does that mean Edison didn't deserve a patent for the light bulb?

Here is a list of some recent US patents of mathematics. Some are clearly nonsense that don't deserve a patent. Some, on the other hand, might be clever, useful applications that aren't obvious. I don't think we can throw them all out just because they have a mathematic basis.

Recent U.S. patents related to Mathematical Logic:

6,241,672: Method and apparatus for optically imaging solid tumor tissue
6,236,435: Apparatus and method for displaying and demonstrating a camcorder
6,233,480: Methods and apparatus for optically imaging neuronal tissue and activity
6,226,296: Metropolitan area network switching system and method of operation thereof
6,196,226: Methods and apparatus for optically imaging neuronal tissue and activity
6,161,031: Optical imaging methods
6,152,684: Method for operation of hydraulic turbine
6,119,012: Method and system for dynamically and periodically updating mobile station location data in a telecommunications network
6,081,921: Bit insertion approach to convolutional encoding
6,003,765: Electronic cash implementing method with a surveillance institution, and user apparatus and surveillance institution apparatus for implementing the same
5,999,182: Computational architecture for reasoning involving extensible graphical representations
5,995,624: Bilateral authentication and information encryption token system and method
5,976,825: Drug screening process
5,963,739: Method for verifying the total correctness of a program with mutually recursive procedures
5,924,128: Pseudo zero cycle address generator and fast memory access
5,910,898: Circuit design methods and tools
5,902,732: Drug screening process measuring changes in cell volume
5,877,967: Site and workspaces layout process employing MDS and a PDI formula in which density is calculated using a unit lattice superposed over circumscribing-convex-hulls
5,867,649: Dance/multitude concurrent computation
5,860,154: Method and apparatus for calculating effective memory addresses
5,845,639: Optical imaging methods
5,841,674: Circuit design methods and tools
5,787,432: Method and apparatus for the generation, manipulation and display of data structures
5,778,150: Flexible procedural attachment to situate reasoning systems
5,768,381: Apparatus for key distribution in an encryption system
5,758,152: Method and apparatus for the generat

Re:Huh?

[Ogerman]

However, I'm not sure that I'd go so far as to say anything mathematical shouldn't be patentable. In particular, this is an application of mathematics, not just pure math. I don't think you can come up with a new way to solve a pure math problem, or a new way of expressing an equation, and get a patent on it. ... We could argue that ECC is a discovery rather than an invention just as easily as we can for any other technological advancement.

The difference is that patents on mathematical techniques or software algorithms are a distinct limitation of free speech, whereas patents relating to physical inventions are only a limitation of manufacturing rights. Ultimately, it could be argued that all invention has a mathematical basis, but software patents are unique in that they are unembodied. Because anyone can create software, software patents directly infringe on personal freedoms, in the same way that patents on literary style would.

someone to take blame

[lanswitch]

When there are problems, it's easy to sue a company and put the blame on them. It's almost impossible to sue the Open Source movement.

Re:someone to take blame

[Waffle+Iron]

When there are problems, it's easy to sue a company and put the blame on them.

That's right. Now if terrorists crack the launch codes and launch our missiles against our own cities, we'll be able to sue Certicom to recoup our losses.

Re:someone to take blame

[lanswitch]

No, but the nsa can then say that they trusted a fine company, instead of trusting some "open source movement". when a government needs to ensure things, it also needs to cover its ass. and a company looks more trustworthy than something like an international group of loosely-associated programmers.

Re:someone to take blame

[Xerithane]

That's right. Now if terrorists crack the launch codes and launch our missiles against our own cities, we'll be able to sue Certicom to recoup our losses.

So that is why the NSA chose a Canadian company!

FINALLY ...

[Tensor]

The NSA is doing something smart. BUT wouldn't OSS be a better way to go ? and ... after finally deciding on using commercial software, isnt it ironic that the NSA is using Canadian software for this ? so not only commercial but foreign

Re:FINALLY ...

[Egonis]

I am from Mississauga, Ontario - where Certicom resides, and am feeling two emotions:

- I am happy to see a local business score a large contract in my hometown
- I am confused as to how the American Government ever approved a purchase of an external Intellectual Property

I'm sure alot of Americans will have disagreements on this one!

Re:FINALLY ...

[EvilSS]

Yea, it's really bizarre. You would think there was some kind of draconian regulations on cryptography in the US that encourages companies that develop crypto to not reside here. hrm....

Re:FINALLY ...

Licencing a Canadain software product is hardly high risk. Do you think Canada has plans to take over the US or something?

Re:FINALLY ...

[ratfynk]

Since when is Canada a foreign country. The Monroe doctrine applies to the North as well? Or is this policy not still enforced with economic means? If Canada can do a better job supplying software then what's the difference. Just cause Redmond cannot be trusted to write good code doesn't mean it cannot be done!

Re:FINALLY ...

[SparafucileMan]

Well, the Toronto Stock Exchange has a habit of hosting some of the more risky and illegeal companies of the world that are looking for funding--in fact if you're the government looking for, say, some mercenaries to hire, or a mercenary company looking to develop the mine you just nabbed, Toronto is the place to be. A great deal of backwater business flows through that exchange that has nothing to do with Canada.

Re:FINALLY ...

[simcop2387]

also thanks to ITAR its illegal to bring it in or out actually....

Become an International Arms Trafficing criminal and tell the US government that ITAR is wrong

Re:FINALLY ...

[simcop2387]

The monroe Doctrine didn't deal with trade, it delt with imperialism and colonization in the western hemisphere

http://usinfo.state.gov/usa/infousa/facts/democr ac /50.htm

Re:FINALLY ...

[ratfynk]

Same thing for Ferengies! Explain the New World order in terms other than economics. There is no difference when economic policies are used as a weapon. That is the fundimental tenet of the Monroe Doctrine. War is to avoided if economic leverage is usually cheaper. The 54.40 or fight crowd thought economics was not enough.

"Living next to the US is like sleeping next to an Elephant" In the case of software the Elephant has eaten too much grass and smoked too much crack!

Re:FINALLY ...

[Tensor]

ROFL ... VERY good point. I guess crypto export regulations bit them in the ass huh ? :)

Re:FINALLY ...

[EvilSS]

Actually, Yes.

Re:OSS ECC? ECC vs AES

[espo812]

What makes ECC so much better vs AES with a key size of 256?

I'm sure a small ammount of googling could tell you this, but comparing ECC to AES is like comparing apples to oranges. ECC is a public key algorithm, and AES is a symmetric key algorithm. Thus, you would have to look up the fundamental differences between public and private key algorithms to find the differences between ECC and AES.

The difference between ECC and algorithms like RSA, for example, is that elliptic algorithms can work with smaller keysizes, and this should have been noticable from the slashdot post that points out the commercial product uses a smaller keysize than the equiviliant strength RSA key.

Hexadecimal translation.

[Thinkit3]

That's 3C00h, for the RSA equivalent. It would be much more elegant to list numbers that are binary aligned in hexadecimal--decimal is ugly in these cases.

Re:OSS ECC? ECC vs AES

[daserver]

GnuPG can use DSA which is ECC. And as the other one said you can't compare sym. crypto with asym. crypto.

Canadian code?

[tessaiga]

What's with the NSA tapping a Canadian company to do their classified encryptions? Most government research labs (Lincoln, Draper, Sandia ...) won't even consider hiring non-US employees for security purposes.

Re:Canadian code?

[Timesprout]

Its pretty obvious. The strange pronunciation required for Canadian variables makes the code more difficult to comprehend and so creates an additional level of obfuscation and thus greater security.

Re:Canadian code?

Strange pronunciation eh?

Re:Canadian code?

Well, the U.S. Government also uses Entrust products (they are a Canadian security company, with close relations to Nortel). It is not a big deal. You can get source for these commercial products and verify that they do what they say they do, with no back doors. It is not like you are blindly trusting them.

Also I didn't see any indication that NSA is using this for all their encryption needs. It isn't likely that they are. They certainly have their own ciphers (remember "Skipjack"?).

Re:Canadian code?

Same reason why us Canadians have to train your marines, build your weapons, design your space station components, conduct your military operations in the Gulf, and overall clean up all your messes. CUZ WE'RE ON TOP.

If true it sends a signal. No quantum computer now

[j_dot_bomb]

If true it sends a signal. They currently dont have a quantum computer (and therefore expect no one else does or will in a reasonable amount of time). However I do remember seeing a standard created to do a form of digital signatures only with conventional encryption (which is not in general "breakable" by quantum computers like "hard problem" public key cryptography).

Where's the money

[DNS-and-BIND]

Gosh, I bet this had nothing to do with the fact that NSA insiders held a lot of Certicom stock.

Nah, that kind of thing never happens. It's tinfoil-hat thinking. It's as unlikely as the President sexually abusing one of his interns.

Re:Where's the money

Uh... FUD?

Re:Where's the money

Gosh, actually, I bet that it has to do with the fact that Certicom had the most secure design and implementation of an ECC cryptography algorithm. (It mentions in the article that Certicom had worked on classified NSA projects before, so I'm sure the folks at NSA knew what they were getting.)

In fact, officers on government contracts are quite explicitly prohibited from dealing with companies in which they are invested, and our management has made that abundantly clear. It's okay to have friends at the company, but if you have any investments in it, you'd better get yourself transferred to another contract.

Re:Where's the money

If you had refered to bush instead of clinton youw ould be at +5 Insightful right now. Please try again.

Re:Where's the money

[bmac]

Eh, no. The NSA basically have the best
mathematicians in the world, so they
knew what they were getting *way* before
they bought it. And the fact that they
made O(2n) dollars off their shares only
further testifies to their intelligence
(no pun intended).

-bmac

Re:Where's the money

It's as unlikely as the President sexually abusing one of his interns.

Having a gob full of cock is hardly sexual abuse.

Re:Where's the money

[DNS-and-BIND]

Bzzt wrong, a man of power cannot have sex with a woman underneath him in the power structure. It's automatically abuse...there's no such thing as consent. Go brush up on your women's studies and come back when you've reeducated yourself.

Re:Where's the money

[DNS-and-BIND]

Jeez, there's ways around that, you know. Man, if you actually work for the government, you should know what I'm talking about. Good, honest graft...there's nothing like it.

Size of key

[ptaff]

...the agency wanted to use a 512-bit key for the ECC system. This is the equivalent of an RSA key of 15,360 bits.

Brute-force decoding of these schemes is not recommended for the faint of heart, but I wonder: how can they tell that a 2 ^ 512 possibility range is as secure as a 2 ^ 15360 probabilities scheme?

If I can reduce a RSA 1024 bits to a new method using only 4 bits, how can my way be as secure?

Re:Size of key

[espo812]

I wonder: how can they tell that a 2 ^ 512 possibility range is as secure as a 2 ^ 15360 probabilities scheme?

Because breaking RSA does not involve brute forcing the bits, it involves factoring huge ass numbers into primes. Look up the differences between symmetric and asymmetric (or private and public) key cryptosystems.

Re:Size of key

[inburito]

Maybe because discrete logarithm problems in ordinary number groups are much easier to solve than in elliptic number groups.

As a matter of fact, discrete log problem for ordinary numbers has been improving steadily whereas Elliptic curve group discrete log techniques have not seen significant improvement in the past 20 years. This difference accounts for today's reduced key-size requirements for elliptic curves.

Re:Size of key

[LT+Grant]

If you look back at Dr Chris Monico's work at cracking ECC-109 you can get some more background on the equivalences and how they match up and how the two are compared and how they are very different. 109 took a lot of computational time (biggest ever so far I believe), and this is vastly bigger, as if I remember correctly ECC encryption doesn't grow linearly, but exponentially. The code used to crack ECC-109 has been somewhat improved in ECC2-109 based mainly on things Dr Monico saw in 109 and based on some research he and I did regarding a paper by Teske of Waterloo.
Hope that is informative.

Re:Size of key

[MrChips]

If I can reduce a RSA 1024 bits to a new method using only 4 bits, how can my way be as secure?

Obviously a 4 bit keyspace does not offer any real security. If you can reduce 1024-bit RSA to 4 bits, you've broken RSA.

Re:Size of key

[inburito]

But they are both public key cryptosystems!

And yes, they both pretty much involve brute forcing the bits to try to crack the message. It just happens that ecc problem is lot harder than large number factorization (computationally and conceptually too). If you know how to factor huge ass numbers without brute forcing let the nobel committee know as you may be eligible for next year.

Re:Size of key

how can they tell that a 2 ^ 512 possibility range is as secure as a 2 ^ 15360 probabilities scheme?

They use math. Bruteforcing an RSA key 15360 bits long takes about the same amount of work as an ECC key 512 bits long.

If I can reduce a RSA 1024 bits to a new method using only 4 bits, how can my way be as secure?

Security of these algorithms (assuming they aren't fundamentally broken) is measured in time. The two measures of an algorithm are a) how long it takes to check one possible key, and b) how many possible keys there are. If your new algorithm has equivalent security to ECC-523 and RSA-15360, then that means each operation takes an extraordinarily long time--too long to be feasible for use.

Re:Size of key

It would help you to understand if you were better at math then you are now.

Re:Size of key

[caluml]

They use math. Bruteforcing an RSA key 15360 bits long takes about the same amount of work as an ECC key 512 bits long.

And who has done this, and when did they time it?

Re:Size of key

[damiam]

There are many algorithms for factoring large numbers without brute-forcing every conceivable possibility. Obviously, there are none fast enough to damage RSA's security (at least, none that are publicly known).

Re:Size of key

[espo812]

If you know how to factor huge ass numbers without brute forcing let the nobel committee know as you may be eligible for next year.

What like the General Number Field Sieve? Let them know for me, but I doubt they'll be too interested.

Re:Size of key

[Metex]

Ugh this is actually pretty easy to calculate,
for the rsa key in order to find the approximate number of keys possible you use the simple equation 2^k / (ln 2^k) this gives you an 'approximation' for all possible primes you can have in k-bits.

As for the ECC system I cant remeber the exsact computation off the top of my head to calculate key space but it has a much higher key concentration per bit added to key. not as high as a symetric cryptographic system with a 2^k keyspace but pretty high up there.

As for your reduction useing a ratio it wont work out since they both use diffrent keyspaces.

Re:Size of key

[bluGill]

You don't brute force either system. Useing the best known mythods to break encryption today (which in the case of both RSA and ECC is not brute force) breaking a 512 bit ECC key is about the same effort of breaking a 15360 bit RSA key. Note that breaking a 512 bit symetric key (something like AES, blowfish, modified to use a 512 bit key) is more effort than breaking either one.

I'm not sure I belive the difference is that great. RSA type encryption has had a lot of effort put into breaking it, ECC gets less attention (though it is getting more). If ECC got as much attention as RSA did from the mathamatical world, the difference in efforts to break them would be a lot closer.

Note that both ECC and RSA are NP-complete, meaning that if there is a generic way to break one, in essentially no time (no matter how big the key is), that algorythm can be easially modified to break the other. There is a lot fo debate in CS about such problems and if such an algorythm exists. Anyone using either must be aware that there is no proff that you can't break it trivially.

Re:Size of key

[inburito]

Yes, there is the general number field sieve, but still for all practical purposes you're brute forcing. Complexity is reduced to something like O(exp((c*(logn)^(1/3)*(loglogn)^(2/3))) where n is the length of number in bits.

Re:Size of key

[jareds]

Note that both ECC and RSA are NP-complete

This has not been proven, nor is it even commonly believed to be true.

Re:Size of key

[NCamero]

Conceptually I suspect the large effective key size difference is due to this.

RSA is the multiplication of 2 numbers, which in a way is like the Pythagorean solution to a circle. The answer of the private key is a circle that passes through a known point.

The Elliptical curve equations is more like knowing the private key is an ellipse passing through the known point.

I am not a cryptographer, but I have read the equations of both types of crypto, and I formed that opinion.

Re:Size of key

[joeblarnystone]

The best known means for solving the Discrete Log Problem over an EC is much slower then the best known means for factoring integers. This is why they can claim that a 512 bit ECC key is equivilant to a 15630 bit RSA key. The time it would take to solve both problems is equivilant.

Re:Size of key

[You're+All+Wrong]

"but still for all practical purposes you're brute forcing."

NO!

Brute force means that you're obliged to try all possibilities.

fuckload of computation != brute force.

NFS doesn't even really have the concept of "all possibilities".

YAW.

Re:Size of key

[You're+All+Wrong]

The first mention of 15360 bits that I saw was w.r.t. an equivalence of ~570 bits in ECC. If so, then 512 bits ECC is closer to 12000 or 13000 bits of RSA. However, that 15360 is a _round number_, and so
almost certainly an approximation.
The ~570 came from a Certicom white paper, IIRC.

However, 13000, 15360, what's the difference? It's outragiously uncrackable given all current knowledge of algorithms.

YAW.

Re:Size of key

[avorpa]

You're missing the point entirely. If it were just about key density you'd never get a ratio like they say: 2^15360/(ln 2^15360) > 2^15346, so no key density for 512 bit ECC will get you equivalent security.

The reason they come out the same is that you don't break either system by brute force. There are factoring techniques (ie, techniques for breaking RSA) that run in about
exp(2 log(n)^(1/3) loglog(n)^(2/3)).
For 15346 bit RSA, this works out to about 2^256 (that 2 was pretty rough, so this isn't too precise).

For ECC, the best methods we have take about n^(1/2), so 512 bit ECC is about as hard as 15346 bit RSA. Of course, people may discover a flash new method for breaking ECC (in fact, some people think they will soon), that would make 512 bit ECC barely any better than 512 bit RSA. But with today's methods the comparison is pretty accurate.

Re:Size of key

[thogard]

RSA is NP-complete only if the keys were 1:1 which is not true. For every public key, there are several private keys that work and for every private key, I suspect there are several public keys that work as well. That would imply that there are other sets of keys that migth be able to encrypt/decrypt the same message the same way. Until the relationship of these other keys is well studied, RSA can not be proven to be NP-complete.

Re:Size of key

[jemfinch]

Brute-force decoding of these schemes is not recommended for the faint of heart, but I wonder: how can they tell that a 2 ^ 512 possibility range is as secure as a 2 ^ 15360 probabilities scheme?

It's because the problem being solved is completely different.

The key here (ha!) is that when you see a 512 bit symmetrical cipher, you've got to brute-force a 512 bit key, which means you'll try 2**511 keys on average before cracking the ciphertext. But when you see a 512 bit RSA key, that means you have just have to factor a 512 bit composite number into its two prime factors before cracking the ciphertext. That's hard, but not nearly as hard as exhaustively testing the keys in a 512 bit keyspace.

Jeremy

Re:Size of key

Actuially, RSA can be broken in polynomail time. The core problem is factoring a large number that is a product of two primes into the two primes that generated it. This problem can be solved in polonomial time, but the exponent is freeging huge.

Re:Size of key

[jareds]

I don't believe you. Cite?

Canada

[nuggz]

FWIW I'm Canadian.

Canada has many exceptions to US restrictions. This makes sense. It is cheaper to work together, and we do in many military and space applications.
Our interests are basically very similar, and both countries are generally trustworthy of each other.

The only conflict are on specific policy issues.
It also matters which government is in power in each country.

There have been quite a few times where state and provincial officials have banded together to fight both federal governments.

Plus if it works well, why shouldn't they use it?

Re:Canada

[Kenneth]

In fact, from what I've heard, Cheyanne Mountain in the U.S. is a co U.S. Canada venture, and the militaries of both countries use it.

It IS actually suprising to me that the NSA is licensing this. It wouldn't be hard for them to simply demonstrate that they had it first. Whether they really did or not is immaterial.

Moreover I'm rather shocked that the NSA wouldn't have something better. That IS really all they do. It leads to one of two conclusions. The NSA is falling way behind, or the NSA there is a hidden flaw in the algorithm, and the NSA wants people to think there isn't and use it so they can read their stuff.

This isn't an issue of "open" vs "closed"

[NotQuiteSonic]

The algorithm they used is patented and very much open for criticism. It would need to be fore NSA to choose it. Think of it like RSA where the algorithm was patented as well (many open source applications use RSA now, since the license has expired).

Dr. Scott A. Vanstone is a professor at University of Waterloo, so it is kind of neat to see one of my profs in the news (I knew about the company, but they haven't had much going for them for a while). He teaches Coding Theory (CO 331) and is the Executive Director of Centre for Applied Cryptographic Research

Re:This isn't an issue of "open" vs "closed"

[You're+All+Wrong]

I thought that the patent only applied to specific moduli?
However, AFAIK there are strong moduli and weak moduli,and proving strength is extremely hard. So you could chose to use your own modulus, at risk of not being as strong, but without having to pay royalties.

YAW.

Re:This isn't an issue of "open" vs "closed"

[Mysticalfruit]

You should see if you can get him todo a slashdot interview... oh wait, you'd never get a response from the slashdot staff ;-)

Damn!

[MMC+Monster]

I guess rot-13 just isn't good enough anymore. (Am I the only one to think "Wow, how the mighty have fallen!" when I read this?)

Re:Damn!

[R0]

ebg13'f tbbq rabhtu sbe zr :)

Re:Damn!

Xabj jung? V'z jvgu lbh 99%.

Re:Damn!

[petabyte]

ubarfgyl, V qvqa'g frr gung bar pbzvat. Ab ernyyl, qvqa'g frr vg ng nyy :C

Attention to the knee-jerkers!

In case you didn't catch the hint in the article, this is significant because NSA chose an EXTERNALLY developed encryption solution over an INTERNALLY developed solution. This has NOTHING TO DO WITH OPEN SOURCE SOFTWARE. Please save your comments like "what about SSH/GPG/SSL?" for some other discussion.

Thanks.

Re:OSS ECC? ECC vs AES

either way, thats one BIG god damned number

This isn't software, it's patents.

[Garin]

As far as I understand the deal, this has nothing to do with licensing software. They couldn't have gone with an OSS version (or "roll their own") as so many suggest because they're not licensing just software, they're licensing patents.

You'll note that they've also got sublicensing rights on those patents. There could be a software component to this deal, but as far I can tell it appears that this is mainly about patents.

Re:This isn't software, it's patents.

[MisanthropicProggram]

In a way, it's kind of comforting that the NSA is actually buying the rights and not just taking the technology. They could just take/use the technology and who would be the wiser?
Assuming of course that this isn't some PR scheme to mislead the pulbic. Which reminds me, I need to go and buy more aluminum foil to make more hats.

Re:This isn't software, it's patents.

[Garin]

Well, the nice thing about it is that they've paid for the rights to the patent, including sublicensing. The NSA could whip up their own implementation of it and distribute that software as some kind of standard. Who knows?

For all we know, the sublicensing agreement for the use of the specific parts of the patents may be absolutely up to the NSA (they seem to suggest as much from the Certicom press releases..? Anyone know more?)

If that is the case, the NSA might very well release an open source version that the world can use and modify to their heart's content. They're not stupid, and they know that the world will not use a closed-source implementation of an algorithm.

Re:This isn't software, it's patents.

[quadelirus]

They can't whip up their own implementation because its not the software that is lisenced but the algorithms itself. I mean, yes they could whip up an implementation of Certicom's ECC and distribute the software, but that would be illegal. Its not a software patent, its a patent on the mathematics behind the software. Just like SSH uses RSA. RSA has a patent, you pay for (or are given rights to) RSA. SSH probably has some license agreement with RSA. RSA gives out license to their cryptosystem pretty freely I think (see a section of the MindTerm license agreement below)

Again let me stress: It's not programming being licesned here. Its a very very difficult to come up with piece of mathematics. OSS or Proprietary implementations of the code would still require a license from Certicom. Now could we put our minds to it and come up with a different type of ECC encryption-possibly, but that takes more mathematics than I have, or most slashdotters probably have. It's the reason people like Rivest, Shamir, and Addlement get payed top dollar, because they are some of the brightest mathematicians in the world, and were able to come up with one simple algorithm (and it is simple) and prove that it was secure. It isn't like solving a programming problem, its completely creating from scratch a new way of doing something, almost reinventing the wheel.

13. RSA LICENSE

MindTerm contains code implementing the RSA algorithm which is patented and
subject to licensing in certain countries (e.g. the United States). It is
therefore illegal to use MindTerm (for ANY purpose, even non-commercial)
without proper licensing from RSA in these countries. We have been in
contact with RSA on this matter and might be able to provide a licensed
version of MindTerm for non-commercial use, and, for a fee, for commercial
use, should we reach an agreement with them. More information will appear
here when available.

And in case you are wondering, the base RSA algorithm is simple:

e,n = public key
d,n = private key

W = message

W^e mod n = C
W = C^d mod n
(the equals sign in W = C^... is actually a congruency sign)

See how simple that is? But try to come up with an algorithm of comparable security. I stress again Its not a source (so no OSS) its an algorithm.

Re:This isn't software, it's patents.

[Garin]

Uh yeah. That's kinda my point that you're explaining to me there, and you appear to be contradicting yourself.

They've licensed the patent, not the code. The algorithm. No source. No binaries. "It's just an algorithm" as the folks as RSA are fond of saying. They are allowed to use the math. There is probably no programming involved here, as you state yourself. How many times can it be said?

It appears that the NSA have licensed this math in such a manner that they are free to sublicense it however they see fit. Thus, they may be able to choose to implement those magical algorithms with their own source code, and then license that implementation out to other people (possibly even in an open-source fashion?)

Now who would trust the NSA's implementation of a particular algorithm in a closed binary? Hopefully nobody. So my hope is that they've licensed this to use as a service to the US as a whole (well within the mandate of the NSA, and relatively inexpensive at $25 million). Ideally, this means that they'll say "Alright kids, here you go: you can now use this shiny new algorithm for your PK stuff. Here, we'll even throw in a reference implementation. No need to thank us, just keep using that encryption, and Stay In School."

Perhaps wishful thinking?

Still, as I said before, the NSA is full of very smart people, and they know that if they want an encryption standard to be widely accepted, it has to be freely available. AES is a great example of that. Perhaps the NSA took a look at Certicom's work and said, "Well, these Canadian chaps have pretty much nailed it. Maybe instead of running a big fancy competition like we did for AES, let's just bite the bullet and pay off Certicom and use that for our PK component."

Re:This isn't software, it's patents.

[ScrewMaster]

Try screen wire (the kind you use for your back porch in the summer.) Works great as a Faraday shield, keeps the mosquitoes out, is much less noticeable than Reynolds Wrap and lets the fresh air in.

Re:If true it sends a signal. No quantum computer

However, maybe that's what they want people to think.

They have a huge budget, spending a couple million or perhaps 10s of millions for the purpose of making people believe they don't have quantum compute abilities is a good investment on their part. It just makes everyone complacent, they think the NSA is behind....

This is very speculative and conspiracy minded, but I think it's worth consideration...

-jazzfunk (not logged it)

georgewellian fuddite corepirate nazis have a lot

to hide.

unfortunately for the felonious execrable, there's no longer anywhere to hide the details of their greed/fear/ego based misdeeds.

you can continue to pretend, but it doesn't help.

nothing against encryption. you'll need it to avoid the unending 'inspection' of yOUR inf. buy the corepirate nazi storm troopers, & their felonious cronIEs upon capitollist hill.

I can't think of a subject

(Greets to DSD) Commercial encryption will be used only on circuits of zero to very limited intelligence value; short duration. Those big old gray boxes will not be replaced in my lifetime.

For the conspiration.

[futant138]

NSA had to do this to ensure they could decrypt all the intelligence that the Canadians gather and sell back to our government. Long live Echelon!

Don't poopoo about it, sling poopoo at it.

Blame Canada?

[Hoser+McMoose]

Hey, Certicom is a Canadian company, so maybe the song isn't out of place here?

Re:If true it sends a signal. No quantum computer

[dAzED1]

How on EARTH did you come to that conclusion? Are you saying that if they had a quantum computer they should just throw their hands up in the air for anything else, and not get it as tight as possible? Or that if they have a single quantum computer, that they would necessarily have hundreds of thousands (if you can make one, then you can make millions?), and therefore would be able to distribute classified documents/transmitions with ease? It would be pointless if the same capability didn't exist on both ends, you know.

No, all this means is that they want something with better encryption. Even if they had a dozen fully functional "quantum computers" that were able to do spectacular computations in an instant (ah, that lovely superposition...) that wouldn't mean that they should just suddenly give up and use weak encryption. Better that only a few people in the world could break it with ease, than that anyone with $100k could build a sufficient cluster to do it quickly...

Shhh!

Shhh, don't give it away! Those silly Americans still think that Tim Hortons is just a donut shop! We'll show them all when our Canadian army of Tim Hortons employees (aka secrete military commandos) storms the White House!

Re:If true it sends a signal. No quantum computer

You don't have the slightest fucking idea what you're talking about. Quantum computers have absolutely nothing to do with public key cryptography anyway, and there's no correlation at all between ECC and whether the NSA has one.

Re:OSS ECC? ECC vs AES

[daserver]

correction DSA is not ECC.

Re:OSS ECC? ECC vs AES

[quadelirus]

In cryptography it's usually not a program that gets lisenced, but an algorithm (or cryptosystem). My guess would be that ECC has the copyright or patent or whatever you get on their algorithm which would make it illegal to write a program using elliptic curve cryptography (or at least their algorithm) without permission from the company. I once wrote a project that used the RSA cryptosystem for education purposes and I had to obtain permission from RSA legal to use the cryptosystem. (However it might be public now...)

Also between AES and ECC. My guess would be ECC is much more secure than AES. If a 512-bit key for ECC is the equiv of a 15360-bit key in RSA that sounds extremely secure. As far as the last time I checked a 4096-bit RSA key was virtually unbreakable in any normal time span by even the fastest supercomputers built.

Finally what the other replies to your question have been, about comparing apples and oranges: AES is a symmetrical key, meaning, the key that encrypts also decrypts.

Public/Private Key encryption deals with two keys, the public key is freely available to anyone becuase when a message is encrypted with the public key it can not be decrypted with the public key. It must be decrypted with the private, or secret key.

Obligatory Joe comment

"It is pronounced 'zed'. Not 'zee', 'zed'!"

Amazing how narrow minded readers can be..

[KD7JZ]

NSA supports such a broad variety of applications for encryption that there isn't even anything remarkable about this annoucement. They have to have encryption that can deal with data streams from 2.4kb to multi-hundreds of megabits. They have to have solutions that will only be used by US government, solutions that will be shared with a variety of allies, solutions that they know will
be compromised as soon as they are fielded.

It's really no big deal.

This is for the more discerning crypto customer

[vt0asta]

"If you want to build an NSA-approved product, they want this in there."

All that means, is like DES back in the day, if you want to have something NSA approved you pick this. I can guarantee you that the government when it's working on it's black budget work in general and historically has no regard for paying licenses for patents, and routinely mines the patent office for anything they may need. NSA has government customers that want protection, and instead of giving them the super secret good stuff, they find something off the shelf and give them this. This Certicom Corp. ECC is the new algorithm to study, because if it's NSA endorsed it's "probably" years ahead of the public domain state of the art, and is "probably" resistant to some pretty sophisticated crypto analysis techniques.

Re:This is for the more discerning crypto customer

[thing12]

I can guarantee you that the government when it's working on it's black budget work in general and historically has no regard for paying licenses for patents, and routinely mines the patent office for anything they may need.

But aren't they allowed to mine the patent office? After all they are part of the government - and patents are there only to protect inventors from each other - not to protect inventors from the govt. I've always understood that in exchange for that protection the government is allowed to do whatever they want with your patented inventions.

Re:This is for the more discerning crypto customer

[Threni]

>ECC is the new algorithm to study, because if it's >NSA endorsed it's "probably" years ahead of the >public domain state of the art, and is "probably"
>resistant to some pretty sophisticated crypto
>analysis techniques.

You FOOL! That's exactly what they WANT you to think!

Re:OSS ECC? ECC vs AES

[graf0z]

GnuPG can use DSA which is ECC.

No, DSA != ECC.

DSA and ECC both do encryption by exponentation, relying on the assumtion that the reverse function - the logarithm - is infeasible with the used keylengths. They are both called "Discrete Logarithm Systems".

But the multiplication is done in completly different mathematical contexts: DSA multiplies in the rings Z/p (that are the natural numbers modulo p, p being a prime) where ECC multiplies in suitable "elliptic curve groups over finite fields" . That are finite sets of "numbers" paired with an complicated operation called "multiplication". These "numbers" behave quiet odd.

The main practical difference is the neccessary keylength. Depending on the chosen eliptic curve, ECC keys are 4-8 times smaller than DSA keys. They get much closer to the "no attack is faster than the brute force attack"-paradigm than other public key algorithms like DSA or RSA.

Unfortunatly, huge classes of suitable elliptic curves got patented.

Google for free ECC software. There are at least some libraries published by academic research groups.

/graf0z.

Re:Great

[kfg]

"I, for one, welcome our new elliptic overlords."

Indeed, this will be a major improvement on the hyperbolic overlords we now have.

KFG

Re:If true it sends a signal. No quantum computer

[adrianbaugh]

Don't be so naive. They might be procuring this software just to make people (us, other governments) /think/ they don't have a quantum computer. People happily go on using our 2048-bit GPG keys assuming no QC exists, the NSA happily break all the crypto.

Just 'cause you're not paranoid don't mean they're not out to get you!

Why does slashcode reparent everything?

Okay, I am sure this post is as interesting as its mod suggests. But what the fuck did the author mean? Impossible to tell.

I bet if I could get to its parent it would become clear. But WTF? Clicking parent gets me nowhere.

Fuck perl, it may be turing complete, but in practice it's clear no one can write a program with good usability in that shit.

Re:OSS ECC? ECC vs AES

[Timmmm]

*cheque

Oh my God!

[Ars-Fartsica]

Next thing you know the government will contract out the manufacture of nuclear missiles!

Re:Oh my God!

[lowrez]

I think we have North Korea on this already.

"Give a man fire and he is warm for a day, set a man on fire and he is warm for the rest of his life."

Asswipe!

I'll put a cap in your ass. Shucks, you must of forgot "no guns = no gun related crimes (except by criminals)"

Re:Asswipe!

[ScrewMaster]

No, not when the remaining criminal gun usage is directed against common folk who no longer have the capacity to defend themselves or have any rational deterrent. Who do you think are the recipients of most "gun crimes"? You've probably never been in a serious situation where an adequate self-defense would save your life. I hope you never do, because if you survive it your belief system will undergo some radical changes.

Samuel Clemens said it best: Better to keep one's mouth closed and be thought a fool than open it and remove all doubt

There is a method to the madness... for sure!!!

[3seas]

We all know that the way to make documents secure does not including making them accessable via the internet or intranet or any net, regardless of encryption or key size.

For it only takes the breaking of one key document at the right time and misuse of the information found, for the NSA to then need to have someone to blame while the damages of the results would still exist.

Encryption, regardless of how big the key is, still has the possibility of someone hitting it, like the lottery.

Not to mention I read somewhere recently how an enycription string length, the longer it gets the more likely it is to be written down somewhere or placed under a less secure but easier to remember key or password.

the best insurance against getting burnt by fire, is to not play with it and even do the things that reduce the reasons anyone else would be.

Re:There is a method to the madness... for sure!!!

[thdexter]

Pretty dumb arguments.

1. Making documents available via networks is no good, sure, but sometimes necessary.

2. "Encryption, regardless of how big the key is, still has the possibility of someone hitting it, like the lottery." Have you heard of somebody chancing to break an RSA-encrypted document? Have you heard of somebody brute-forcing breaking an RSA-encrypted document?

3. "Not to mention I read somewhere recently how an enycription string length, the longer it gets the more likely it is to be written down somewhere or placed under a less secure but easier to remember key or password." Are you sure you read that somewhere? Are you sure that it wasn't that you read it nowhere? It would be hard for somebody to write down this string on their arm, or anywhere: it's pretty long. The NSA is pretty unlikely to use insecure passphrases, I would think.

IHBT, IHL, HAND

Re:There is a method to the madness... for sure!!!

Encryption, regardless of how big the key is, still has the possibility of someone hitting it, like the lottery.

I don't even think the odds are comparable. Consider that there roughly 10^80 atoms in the visible universe, and there are roughly 10^154 possible combinations of 512 bits. So that means there are about 10^74 512 bit keys for every atom in the universe.

Re:There is a method to the madness... for sure!!!

For it only takes the breaking of one key document at the right time and misuse of the information found, for the NSA to then need to have someone to blame while the damages of the results would still exist.

Not to mention I read somewhere recently how an enycription string length, the longer it gets the more likely it is to be written down somewhere or placed under a less secure but easier to remember key or password.

I'll give you some hints:

1) They aren't going to use the same encryption key on every document. In fact, they aren't going to use the same key for ANY documents. Every document (or user, or whatever they're using it for) will have a different public/private key pair. This is the NSA, do you think they're stupid or something?

2) They aren't going to let their users manage these encryption keys. They're not going to give them out as sheets of paper filled with thousands of letters or numbers that their users will then have to type in. The encryption algorithm will be built in to the software or hardware that they deploy in the field, and the key will be stored in flash memory on a dongle that the user carries around. The user simply has to keep control over the key itself at all times. Since they're professional spooks and they're lives depend on it, I'm sure they'll be suitably careful to keep the key from being compromised :)

Re:There is a method to the madness... for sure!!!

[twiddlingbits]

Hang on there, the NSA has purchased rights to use the technology. We have no idea what key length they will use or if there will be classified extensions to the technology. It is also the case that certain levels of classified material may be encoded with another even more secure method. I know from working in the "black" world that different classifications get much different handling such as the EC method keys may be encoded with another method (RSA) to prevent brute force attacks. Then the attack only yields the original ciphertext which then has to be attacked again to get plaintext, assuming you can even break the first key. It has been estimated for keys like the NSA is using that even something as powerful as a supercomputer cluster will take many years to decode something by brute force (of course I guess there could be a hole that someone finds, or maybe a worldwide spare CPU cycle approach like SETI). By the time the data is decoded it is stale and most likely useless. So you don't alsways have to have a key that is infintely unbreakable, just something that takes longer than a few days. These guys at the NSA know what they are doing, they are not going to use something that is not at least as good as what they have now.

Re:There is a method to the madness... for sure!!!

[3seas]

Is that where you keep your passcodes? On your arm.

Re:There is a method to the madness... for sure!!!

[3seas]

I guess that proves beyond a shadow of a doubt that pi can never be written out all the way, not that we don't know how to do it, but physically there are not enough atoms to write it out. I guess the same goes for being able to use all possibilities of 512 bit encryption.

But since there are more possibilities than atoms in the visible universe I guess that means all the rest are in the mind.

It only takes one hit.

Waterloo reclaiming past glory

Nice to see Waterloo for once not milking its geek reputation from the 80s and doing something novel. Their football team is still a joke though. Not a good place to get laid either.

Buy Canadian

[solprovider]

Did anybody notice that the United States National Security Agency is buying encryption software from a Canadian company? Is this the same United States that refused to allow products using good encryption to be exported because they were considered military weapons?

I am not flaming Canada; I work with several Canadians and they are all nice and knowledgable people. I just noticed the inconsistencies in our policies.

Disclaimer: I am a citizen of the USA, and I hope that this trend continues. I would really like all our government agencies to use the best global software, not just our homegrown insecure proprietary systems.

Re:Buy Canadian

[Lord+Bitman]

I fail to see how "You can sell, but you can't buy" is in any way an inconsistency.

Re:Buy Canadian

Nothing illogical here - the intent of banning export of encryption is to bar such "weapons" from getting into the hands of foreigners, and no such concern would apply to the import of encryption.

Now of course one might say that the ban is utterly ineffective and thereby just puts US companies at a competitive disadvantage for sales outside the US (possibly even inside the US for international customers) and one would be right, but it wouldn't change the fact that there's nothing illogical, per se, at distinguishing between imports and exports

Re:Buy Canadian

[Detritus]

The NSA has provided encryption systems to countries all over the world. The catch is that this has been limited to the governments and armed forces of friendly countries.

You can export strong encryption if you get an export license. The U.S. Government will grant a license if they think it is in the national interest.

The United States and Canada have been cooperating in communications security and intelligence gathering for many years.

Re:Buy Canadian

Is this the same United States that refused to allow products using good encryption to be exported because they were considered military weapons?

Canada was always an exception to that rule. Canadians could import US encryption if they agreed not to export it outside of Canada or the US.

Re:Buy Canadian

[LargeMythicalReptile]

This isn't the first time by any means--the Rijndael algorithm was developed by cryptographers in Belgium, and it was chosen by the NIST over US-developed cryptosystems to be the new Advanced Encryption Standard (AES, to replace the aging DES).

From their Q&A:

14. Is NIST concerned that the algorithm is of foreign origin?

No. The complete algorithm specification and design rationale have been available for review by NIST, NSA, and the general public for more than two years. From the beginning of the AES development effort, NIST has indicated that the involvement of the international crypto community has been necessary for the development of a high-quality standard.

Re:Buy Canadian

I am a citizen of the USA, and I hope that this trend continues.

Indeed, we Canadians hope you continue to be a US citizen.

Re:Buy Canadian

[/dev/trash]

Canada is not Syria, Iran, Iraq, or any other bad country.

Re:Buy Canadian

[tgt]

What, math works differently in countries that USA don't like ? Or, dictatorship makes compilers to compile otherwise invalid programs ? There is no reason to not buying products from those but forcefully imposed embargo.

Re:Buy Canadian

[ducomputergeek]

Same reason why OpenBSD is based in canada, the export laws on encryption are much less than in the united states.

On another note, having worked as a DOD civilian contractor in the past, this looks to be a move to secure the technology for its contractors, not internal use. The stuff they are running, from what little I do know about it, is lightyears ahead of what's in the public domain or even available...

Re:Buy Canadian

[/dev/trash]

When was the last time Chretien bombed his own people or invaded his neighbor for oil?

Room for prior art on non-patented elliiptics?

[Morgaine]

Unfortunatly, huge classes of suitable elliptic curves got patented.

On what basis were the different elliptic curves considered different, to allow for the patentability of followups after the first patent was granted?

I ask this because along that dimension of "approved" non-overlapping variance there must be other elliptic curves for which there is no current patent, and if prior art is established for them then we can use that in an ECC implementation for GnuPG without fear of patent claims. Proceeding without knowing which type of variation is approved by the patent office as "different" would not have that safeguard.

Re:Room for prior art on non-patented elliiptics?

[cicadia]

I believe that it was not so much the curves themselves, but the methods for quickly finding them, which were patented.

After several attacks were published showing that large numbers of elliptic curves were too weak for use in known ECC cryptosystems, software techniques had to be developed which allowed the fast generateion of curves which are known to avoid all of the weak areas. Those methods, to a large extent, are all patented.

It's a similar problem to finding 'safe' primes for use in RSA. You can do it the slow, brute force way, or you can license a patented algorithm from someone to do it much faster.

Blame the company that provided it

This question always comes up. People think they have no one to come to, for support, warranty, etc. just because they have the *option* of doing it themselves. If you want a company behind a product, buy it through a company. Get your database through MySQL AB, and you get support. Get reportmagic through the official channels, and you get support. etc. etc. Just because you have the option of doing it yourself doesn't mean you don't have the option of paying someone else to do it.

Mod parent down x1488

Oh please shut up. It means that they can't afford to have quantum computers large enough to sign conventional messages at every location where they need to send them. In fact, the infrastructure for distributed crypt/comp barely exists between a few elite colleges.

This guy has no idea what he's talking about

Re:Mod parent down x1488

The parents reference to quantum computers I believe had only to do with cracking not doing the encryption

key strength

[TheSHAD0W]

That's quite a difference in key strength between RSA and ECC. How does ECC's key strength compare to the best symmetric cryptosystems? Is it of the same close order of magnitude? If so, that's rather impressive.

I, for one, welcome...

...our new Canadian overlords! Oh, wait, I am Canadian! Never mind...

let it be said

[mcryptic]

15,360 bits ought to be enough for everyone.

Re:let it be said

[simcop2387]

nah 5242880 (640kilobytes) should be enough for anyone :)

Re:If true it sends a signal. No quantum computer

The NSA has a legal responsibility to create/endorse secure classified crypto. If they could this ECC now, they would have to assume that someone else could and not endorse it.

Re:OSS ECC? ECC vs AES

[pyrbe]

Bouncycastle Crypto APIs support atleast Elliptic Curve DSA and Elliptic Curve basic Diffie-Hellman (according to release notes). Possible other ECC algorithms too.

Re:If true it sends a signal. No quantum computer

I meant: If they could - -break-- this ECC now, they would have to assume that someone else could and not endorse it.

How about

[NotoriousBob]

running the code through through the algorithm a thousand times. Of course, the resulting text/content will be a few hundred megs larger but I am certain it will be much more secure.

Re:How about

[dotgain]

No and no.

Encrypting shouldn't make the resulting code bigger, except for rounding the size up to the next block size of the cypher. Encrypting something over and over with the same algorithm doesn't really have a cryptographic benefit.

Wait a minute!

[smart.id]

There actually is an NSA? I thought it only appeared in movies like Triple X...

Re:Wait a minute!

[AJWM]

There actually is an NSA?

No, there's No Such Agency. Move along, nothing to see here.

(Actually, for many years even the existence of the Agency was officially not acknowledged. AFAIK most if not all of its budget is still "black", ie doesn't show up in detail in the budget bills.)

Re:Wait a minute!

[zoloto]

you sir, are correct.
black budget 100%, but the internal governing is very strict. see... without the problems of public opinion this division works efficiently and does their job well. They're the reason we're doing as well as we are. Not saying the govt. shouldn't be open, but sometimes public opinion should be stuffed back down the throat of the radical.

sometimes disclosure is a bad thing.
most times, it's not.

Re:Wait a minute!

[AJWM]

One of the benefits of being a republic rather than a democracy. We can hire representatives we trust (cough) to oversee things like this rather than exposing the details to all and sundry -- including our enemies.

The problem is just trying to hire good help these days.

So this means there's no easy way to break ECC...

[Urkki]

...known to NSA I mean. Why would they license it if they knew of some weakness in it...

Hmm...

Or maybe there *is* a suble weakness, leading to an "easy" way to break ECC. And NSA is licensing this to give it undue creidibility, so more people start using it, while NSA can easily (compared to RSA or whatnot) read everything encrypted with it...

UKUSA

[trolman]

NSA gets a lot of freedom from US LAW by going across the boarder to a UKUSA signee in this case Canada vs in house or a US company. Just look at the Interception Capabilities for a sample of how the various signees co-operate to avoid each others laws.

Evidence for Quantum Computer

[Markus+Registrada]

This isn't proof that they don't have a quantum computer. It's evidence that they do have, or expect to, or expect others to have soon. A quantum computer isn't magic. The best guess about the power of quantum computers, as applied to decryption, is that they can crack a 2N-bit cipher about as fast as an ordinary computer cracks an N-bit cipher.

So, when we see the NSA not just adding key bits, but adding bits and then doubling them, we see evidence of countermeasures against quantum computers. This doesn't mean they have quantum computers. Remember that they are not just guarding secrets they transmit today against attack now, but against attack ten years from now, when revelation might still be damaging.

Once we all do have quantum computers, I wonder what amusing revelations will come from cracking old ciphertexts. You can bet the NSA will keep busy at it, and so will the Brits, and the French, and the Germans, and the Russians, and the Israelis. (No doubt a few of the biggest corporations go on that list too.)

512 bits?

[jrockway]

How is a 512 bit key equivalent to a 15,360 bit key? If you "only" have 512 bits, then you have to try 2^512 keys. If it's 15360, then you have to try 2^15360. 2^15360 is A LOT bigger than 2^512. So they're not equivalent. This is sort of irrellevant because 2^128 bit keys are still out of reach these days (i.e. if every computer in the world [every known computer; the NSA could probably break this?] worked on generating keys, the message would come out way after the Universe ended. That's a problem if you want to know what the message says :)

Re:512 bits?

[damiam]

If it's 15360, then you have to try 2^15360.

No, you don't. You have to find the factors of a prime number of that length. That leaves significantly less than 2^15630 possibilities, especially if you're using a decent factoring algorithm.

Re:512 bits?

[JKR]

You're assuming brute force attacks; a 512 bit key for one algorithm might be harder to crack than a 15360 bit key in a different algorithm, because of flaws or limitations in that algorithm.

Jon

Re:512 bits?

[dasmegabyte]

Agreed. For example: when testing for primeness, you don't have to test any even number. You don't have to test any number ending in 5. You don't have to test any number whose digits add up a number evenly divisible by 3 (meaning number is divisible by three as well). Combine these three rules and you've trivially whittled your number from testing 2^512 keys to testing fewer than a third of them, and you can whittle it much smaller if you're better at math than dasmb.

Re:512 bits?

> How is a 512 bit key equivalent to a 15,360 bit key?

It's the estimated amount of time it takes to break a code in comparison to another crypto system, using the latest cryptanalysis trix.

> If you "only" have 512 bits, then you have to try 2^512 keys. If it's 15360, then you have to try 2^15360. 2^15360 is A LOT bigger than 2^512. So they're not equivalent.

Sure they are. It just mean that the keyspace in Prime based systems are less effective nowdays in comparison to ECC. If you had studied cryptografy - you would know.

> This is sort of irrellevant because 2^128 bit keys are still out of reach these days.

Ever heard of weak keys? Select a bad 128 bit key for RC4 and i can break it in a milisecond.

(Someone who HAVE spent time on Sci.Crypt)

Re:Europeans, mod this up!

[AceM2]

Amusing show of how long-time slashdotters (meaning the people with mod points) are biased though.

jesus

Now why didn't they just go to sourceforge and type in "crypto" and use some open source program. I mean i'm all for national security and not being killed by terrorists, but not when it impedes the development of the work some guy did in his garage 2 years ago and published it on the web. I mean nothing is as good as open source, not even living.

and just to add, this is FUD FUD FUD

buying a product they created

It's a bit ridiculous that the NSA is now paying to license a cryptosystem that was co-invented by Victor Miller, who works for them. Well, IDA, same different.

Certicom only came up with a few optimizations and went ahead and got a bunch of patents.

Tech Support:?

[Boyceterous]

NSA: We had a problem with this message. Could you please decode it for us?
Certicom Tech Support Person: Just a moment...got it...here it is.
NSA: Thanks very much. BANG!
RIP.

Restrictions on field of use, royalties, etc.

[Adam+J.+Richter]

It appears that the NSA have licensed this math in such a manner that they are free to sublicense it however they see fit.

This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a limited field of use.

The "field of use" is not specified in any of the links provided by the slashdot article (and is probably confidential), nor are the parameters of the sublicensing, such as how much, if any, royalties NSA has to pass upstream. It is also worth noting that the users within "the limited field of use" are further slighty restricted, although I don't know enough math to understand how important the restriction is:

The field of use is restricted to implementations of ECC that are over GF(p), where p is a prime greater than 2**256. [exponent notation changed to get through slashdot filters]

Re:Restrictions on field of use, royalties, etc.

[Garin]

Oh, absolutely you're right. There may be strange undisclosed limitations that specifically limit sublicensees to be US or Canadian corporations (say), and that these sublicensees may not themselves sublicense under any conditions.

In that case, it would kill any GPL hopes right away.

By "appears" I mean exactly that. It seems to me, on first reading, that they're allowed to do pretty much whatever they want with the (GF(p), p > 2**256) instance of ECC, and that naively I would read that that is the only restriction. At least, this is what I'm hoping is the case.

uplink anyone?

[hitmark]

i recall that in uplik this kind of encryption was used (in name that is) to protect comunications to mainframes and other highsecurity systems...

Re:uplink anyone?

[FxChiP]

Very good recollection, but in Uplink, it's "Elliptic Curve Cipher", but it's basically the same name. Probably not the same process -- decrypting an Elliptic Curve CIPHER in Uplink is a matter of finding two numbers that are exactly the same and setting them both to 0 somehow. (yes, this process is explained in-game, and no, it can't be done by hand)

It was used in Mainframes, Banks, and to some extent LANs (Uplink v1.2+ I believe - starting from Project Nakatomi). ARC also used voice analysis on their mainframe.

Sure it's off-topic, but eh.

Re:YHBT (NT)

[ChozCunningham]

You are being facetious. I will ignore it and thank you. We are both jackasses. I hope you get it. Then I will pretend ther was a victory for somebody somewhere, like anybody who is literate, the next time you almost talk/type and think instead.

Readers: This is not a flameblait. It is off-topic, but ther is no bait. Just flame. So try harder if you are going to give it a negative score. Or even think about this thread, and se if there is something of merit in any of these many posts that might raise them to a nice fat "0" rating. Insightful+ but flamebait-? Kharma+ but Trolling-? Who knows...

Sun and ECC

[pmsyyz]

Sun likes Elliptic Curve Cryptography. They have helped add it to Mozilla's Network Security Services and to OpenSSL.

cracked

theres a crack for this system already...

joke.

Re:Not to burst your bubble, but .....

[ScrewMaster]

Cutting-edge military-grade crypto uses neural implants to measure how your brain processes various stimuli as part of the input term to a challenge/response protocol.

So you're saying that the NSA is a Borg operation.

gotcha...

[quadelirus]

ah, I understand now, I thought when you said release as OSS you were assuming releasing a program that does the same thing without the lisence. Apologies for the misunderstanding, I didn't rightly understand your verbage which is entirely my fault.

didn't mean to be redundant, and it may have clarified for other blockheads like me who read your post wrong, or took the wrong meaning somehow. (I got no sleep last night, so my brain isn't exactly on par at the moment... I neeeeed caffiene)

Just a Wild Guess, But...

[Nom+du+Keyboard]

Just a wild guess, but what are the chances that NSA developed this secretly years ago and either planned to, or already does, use it. When the civilian cryptography sector finally caught up with them and actually patented the algorithm, NSA had to license it or stop using it. It wouldn't be the first time NSA has been shown to be far ahead of publicly known cryptographic knowledge. Differential Cryptology comes to mind.

Re:Just a Wild Guess, But...

When the civilian cryptography sector finally caught up with them and actually patented the algorithm, NSA had to license it or stop using it.

Wrong. Classified patents exist to cover this situation.

SELinux?

[core+plexus]

I guess you've never heard of SELinux.

Alaska's favorite scientific instrument

Re:If true it sends a signal. No quantum computer

[emmons]

The NSA has the responsiblity to do whatever it deems necessary to secure classified info while at the same time be able to comprimise everyone else's. There is very little else that we know about the NSA, however, so any speculation about it's actions and motives are purely that.

My opinion is this: I'd say that they decided that this particular algorithm would work well for them and since they have the funds to buy and use pretty much watever then want, they bought it. I also think that it's generally safe to assume that the NSA is 5-10 years ahead of the private sector when it comes to technology related to breaking encryption, based on historical record. I don't doubt the possibility that the NSA has the technology to produce quantum computers for the purpose of breaking encryption, but of course nobody can say for certain that it does. There are no other governments in the world with either the access to the latest private sector technology and research, or the funds that the US government has. Though seemingly narrow-minded and arrogant, I think that it's resonable to assume that no other government could develop such technology before the US government, or if it did, without the US government's knowing about it.

Twit

[ScrewMaster]

Hey, that's really funny. Ha. He'd better hope we don't collapse in disarray or his nation's economy will probably disintegrate from having to stand on its own feet without a few hundred billion in U.S. Foreign Aid propping it up.

didn't they say...

[xmple]

Didn't the governement say that a 128 bit encryption was enough for encrypting your private information? Must have heard it wrong then. - "Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds." (don't know the author)

Re:OSS ECC? ECC vs AES

What are you talking about DES is dirt simple 56bit block cipher. The only components of it are a key which is broken in a key schedule of multiple keys, some substituition functions and some permutation functions. By composing the keys, the substituition and permutation encryption is achieved. There is no floating point math -- no logarithms -- just look up tables, keys and permutations.

Re:Humans, mod this down

10 - ???
Somehow this all seems to work.

11 - Profit!
We have more money and power than everyone else.

Not so funny after all..

[BenitoM]

See some links on CryptoAG, a Swiss company that marketed crypto equipment with US government-specified back doors:

http://jya.com/nsa-sun.htm

512bits

[Duncan3]

512bit ECC is exactly as strong as the thumb knuckle on your right hand, because that's what the NSA will remove if you don't tell them your key. They don't brute force keys they brute force YOU.

And ECC is _VERY_ heavily encombered by patents, that's why none of us are using it yet out here in the real world, we can't. They could have used RSA for free, so you should be upset with their irresponsible use of tax dollars.

The chart is interesting tho...

Re:FUD, but whose?

[tchdab1]

Given the secretive nature of the organization, it's possible (I have no proof or even inuendo) that the NSA is licensing technology that they themselves developed independently, perhaps even prior art.
They could have determined that this is the preferred technology to use publically at this time, and then require the license in order to operate with it in the public domain.
James Bamford's more recent review of the NSA documented an employee's discovery of public-key cryptography prior to Diffie's. They can't patent an invention without public disclosure (I presume), and they can't avoid licensing patented technology without proving prior art, which they must be reluctant to do - they would need to disclose when they discovered it. So, if all this presumption is true, from now on they'll be forced to license technology they they themselves created in order to keep the lid on their capabilities.

Re:Europeans, mod this up!

Don't forget canadians too ... Remember on the show "Who wants to be a millionare" the guy didn't know what our flag looked like.

Americans are STUPID

That's such utter BS.

[pr0ntab]

1) S-boxes are the only cryptographic structure that is fundamentally non-attackable (make them bigger or use them more intelligently to defeat parallelism/analysis).

2) TSC uses block-based and stream ciphers just like anything else. For example, KG-75s, CORNFIELD MCM, etc. There are even TSC approved software packages that you can install on a standard PC to create secure links. These are all commercially developed products, Motorola, Harris-Intersil, etc. (but are CCI, so you can only get them through a controlling agency like the NSA).

3) encryption that's neither stream nor block, neural implants?

heh. hardly. maybe in a testing lab at NRL in a decade. heh.

Re:If true it sends a signal. No quantum computer

[SamIIs]

I think you misunderstand the comment. I understood that JDotBomb was saying that any agency that had a quantum computer (therefore able to break RSA type encryption in a blink) wouldn't be spending money on or trusting an RSA system. They'd be using one of the encryptions that aren't broken by the tool that quantum.

-Sam

Re:FUD, but whose?

[funkdancer]

Very interesting! Now where's my mod points... That would have been a +1 insightful if I had one; they'd rather pay for the license than reveal when - or if ? hehe - they had the technology.

Aw shucks, man!

You forgot the deal about how you're supposed to own two cars and an SUV, and drive it to the 7-11 down the corner (located 0.1 miles away) instead of walking.
Hey, in case some euros think I'm joking, some places down here in florida don't even have sidewalks! If you do walk, people driving by stare at you like you're some freak or convict and maybe they even honk their horns and/or scream incomprehensibly at you. Talk about freaky!
America. Love it or leave it. Heh, as soon as I get enough $$ I'm outa here. A nice island in the Caribbean awaits...

WAAAAA

NSA + Commercial software?!?! We're all gonna die!!!!!!!!!!!!!1221 WAARRRGHHH!!

Familiar...

[yiantsbro]

I remember this movie...Sandra Bullock played in it right?

Nothing new

[HermanAB]

The old faithful DES was made by IBM and the current AES is Rijndael by a Belgian company no less - not even American...

Ummm, well

[Sycraft-fu]

No. Part of being a counrty based on the rule of law is that even the government must obey the law. You might notice that a deceant part of constitutional law is laying out things the government may not do. Now there are, of course, many politicians and agencies that try to ignore this, and try to be above the law, but it can blow up on you.

So say the NSA does take this patented technology and use it without a liscence. Certicom discovers this. Well, then they'll take them to court. Yes, government agencies can be taken to court for some things.

It is much easier, safer, ultimately cheaper, and also the legal way, to simply liscence the technology.

Re:Ummm, well

[AKnightCowboy]

So say the NSA does take this patented technology and use it without a liscence. Certicom discovers this. Well, then they'll take them to court. Yes, government agencies can be taken to court for some things.

It is much easier, safer, ultimately cheaper, and also the legal way, to simply liscence the technology.

All I'm saying is, how would you know? How would Certicom know? The NSA's entire existence is built on secrecy. Snitches don't survive long there (professionally or otherwise I would imagine).

Re:Ummm, well

[Sycraft-fu]

Becuase they use public contracters. It's not like the NSA does everything in house, they have normal companies like IBM and so on make stuff for them.

Re:OSS ECC? ECC vs AES

[dasmegabyte]

Unfortunatly, huge classes of suitable elliptic curves got patented.

Unfortunate? For whom? For the people who spent long hours doing the extensive research which led to the development of advanced encyption systems? Or for the people who read the papers and attended the conferences and say "Great idea...think I'll make the same thing for free in the name of Openness!"

Encryption is not like a 1-click pattent or library compression. It's hard, expensive and risky to devote your time to coming up with the next great encryption algorithm. And I am glad that we have agencies like the NSA to help offset this cost. It means there might be jobs somewhere for some of us to sit around and think about stuff rather than have to sell our talents like consultant whores.

Free Software is all well and good, but some things are worth paying for. Right?

ECC, pah-leese

[wwwgregcom]

Elliptic curve? Really? My TI-83 can easily graph elliptic curves. The NSA needs to get on the ball here, any pre-calc student can crack their new crypto!

Now who wants to put this into y= form for me?

Re:ECC, pah-leese

[fishbowl]

"Elliptic curve" does not refer to the same thing as an ellipse graphed in the XY plane.

If you're serious, and you have parameters, you can plot an elliptic curve on xy or r-theta
with something like y = sqrt(Ax^3 + Bx^2 + Cx + D).

But that just lets you visualize a given curve in R. The rabbit hole goes a lot deeper when you learn that the curve can be mapped to the complex plane any other algebraic closure. And it really gets interesting when you learn that it maps to a Riemann surface.

I almost understand what I've said so far, but my mechanics trail off sharply around "Complex plane". But if you can get the TI-83 to plot a Riemann surface, good for you.

Re:If true it sends a signal. No quantum computer

[wirelessbuzzers]

No, it absolutely does not mean that.

First of all, if the NSA could break this by whatever means, then it would indicate that they think nobody else can.

Second, it could mean they've broken RSA, and so don't want to use it.

And quantum computers don't break ECC as far as I know.

Can they now GPL it?

[ikekrull]

Since they have the right to sublicense it, can they put this in NSA Secure Linux as GPLed code?

rot-26

[jfisherwa]

-- note: you must download a suitable rot-26 decoder to view the message below --

rot-13 is severely antiquated, my friend. rot-26 is the encryption for the future!

-- end of transmission --

Depends on the algorithm, not key length

[Kjella]

This isn't proof that they don't have a quantum computer. It's evidence that they do have, or expect to, or expect others to have soon. A quantum computer isn't magic. The best guess about the power of quantum computers, as applied to decryption, is that they can crack a 2N-bit cipher about as fast as an ordinary computer cracks an N-bit cipher.

RSA (and I believe also Diffie-Hellman) is instantly broken if you can factor a large enough prime. Basicly you have a public pair (n,d) and if someone can factor n=p*q, you're screwed. Elliptic curves I don't know anything about, so I can't say, but I imagine it would be more resistant.

As for symmetric crypto, you're right. As far as I know, quantum computers wouldn't really help much here, at least not more than that we could increase key length correspondently.

Kjella

Heh

Sam Fisher won't be happy.

Interesting story

I worked for a company that produced a very large software package and programming libraries. One of the US TLA's wanted a liscence for the whole dealie.. without identifying themselves. The sales guys told us the actual transaction went down in a hotel room, for a briefcase full of money or some other liquid asset. This, I was told, is SOP for a lot of these guys.

What I'm wondering is why the NSA even let it be known they were interested. Something smells rotten here, in a big way.

Re:FUD, but whose?

[bezuwork's+friend]

... They can't patent an invention without public disclosure ...

I think you're basically right. The Patent Office has whole art units who examine secret applications. It has been a while since I worked at the PTO, but from what I remember, they examine a case for as long as they can in secret and then stop. I think this would be up to allowance and just before issue, the issuance of the patent waiting for the classified status to be lifted. As I recall, allowed applications are classified for 1 year at a time, and this status can be renewed indefinitely.

There was an amazing case some 4 years ago, probably. It was likely discussed on /. as well. It was a guy's patent which finally had been made public - some 65 years later.

Just found the patents (there are two). The inventor was William Friedman. His patent Cryptographs was filed in 1936 and issued in 2000. His patent Cryptographic system was filed in 1933 and issued in 2000.

On the other hand, the government sometimes screws up, it seems. Around 1965 or so, IIRC, the CIA was developing a dart gun. The 'bullet' was a needle-shaped item made from powderized metals held together with a water soluable bonding agent and was also impregnated with poison. It was made with a center of gravity off to one end so that it flew stably without needing to spin. When it entered a person, the 'bullet' dissolved, leaving little or no evidence and the person died of the poison. For some reason, the CIA filed for a patent on the gun, and it issued. From an article I once read, the CIA was a bit worried over the potential exposure.

Applications filed with the PTO are subject to being classified for security purposes. However, this has been successfully fought in court in some cases, though. I recall that a man succeeded in this for an invention which I believe enabled communication by modulating phase angles.

sigh... Americans...

[axxackall]

Here some educational correction specially for Americans (others can just ignore it as they already know it):

There is no such thing as a bad or good country. There is such thing as a bad goverment or a bad goverment policy.

By the way, US goverment is not any better than Syrian or Iran goverments. Last two years proved that finally, if someone had any doubts before.

Re:sigh... Americans...

[Bob+Uhl]

By the way, US goverment is not any better than Syrian or Iran goverments.

We willingly harbour terrorists? We torture our citizens? We suppress peaceful protests? We have no respect at all for civil rights?

We're not perfect (although, so far as I can tell, Colorado has every other polity on the globe beat), but we're far better than elsewhere, particularly Syria & Iran, which are far worse than elsewhere.

Re:sigh... Americans...

[/dev/trash]

proved it how?

Norad & missle defence

[nuggz]

Yes NORAD is very intertwined.
Which is why the missle defence debate is raging in Canada.

The fear is that if we don't go along, it will break NORAD, and we won't have the same level of integration with respect to North American Airspace.

The other is that we'd be supporting something that could lead to a new arms race. Which is something we'd like to avoid. Particularly since missle interceptors and such don't work all that well, and would not protect against weapons using serious countermeasures.

What I think will happen is that Canada will support missle defence, Bush will get thrown out in the next election. Someone with a clue will realize that it is just too expensive to build this missle defence system, that likely won't work anyway.

Re:Norad & missle defence

[Kenneth]

Speaking of missile defense.

Has it occured to anyone that to a lay person, that a missile defense system and an asteroid defense system could look very much alike?

After thinking about it for quite a while, I really see only one use for an missile shield. A front for an asteroid shield. Nothing else I can think of really makes sense. The threat isn't from missiles anymore, it doesn't give us leverage anywhere since everyone else knows that missiles arent where the threat lies. All I can think of that makes sense is as a front for a different project.

If you remember, a few years ago, Clinton tried to build an asteroid defense system. There was virutually no public support. There IS enough support for a missile defense system that it might go through. If my hunch is correct, it won't be a missile shield, but an asteroid shield, and the government is just lying to get us to get us to pay for it.

Of couse I could be wrong, but that's what my gut tells me.