NSA Turns To Commercial Software For Encryption
Roland Piquepaille writes "According to eWEEK, the National Security Agency (NSA) has picked a commercial solution for its encryption technology needs, instead of relying on its own proprietary code. "The National Security Agency has purchased a license for Certicom Corp.'s elliptic curve cryptography (ECC) system, and plans to make the technology a standard means of securing classified communications. In the case of the NSA deal, the agency wanted to use a 512-bit key for the ECC system. This is the equivalent of an RSA key of 15,360 bits." This summary includes the NIST guidelines for public key sizes and contains more details and links about the ECC technology. Since the announcement, Canadian Press reports that Certicom's shares more than doubled in Toronto."
You can bet that NSA demanded the source code. I don't think they'd trust something they can't see the source to for their security. As for them buying a closed-source or open-source, to them it doesn't matter, they'll get the source anyways.
Being the NSA doesn't guarantee you can develop the best technology in every security-related area. If another company or research institute happens to come up with a technology that's remarkably better than anything else like it and patent it first (such as the ECC mentioned in the article), the NSA should and does license it. That is, they buy the rights to use the technology that someone else spent a lot of time and effort to develop (maybe even more than the NSA put forth in this field).
It's not like the NSA is buying a binary encryption software package they can't decompile, or shipping the secrets up to Canada for encrypting. This isn't a security concern. The NSA bought the concept of ECC, and Certicom deserves to be paid fairly for it. The NSA can do anything they want with ECC now, including grant sub-licenses without approval from Certicom. The only restriction is to require a minimum level of encryption field size (encryption strength), which isn't a problem for NSA:
This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a limited field of use. The field of use is restricted to implementations of ECC that are over GF(p), where p is a prime greater than 2^256.
everything in moderation
No.
on one hand, you have a crackhead who could get all the drugs he wanted legally and privately, but for some inexplicable reason bought his dope illegally on the street through someone who could (and did) dime him out.
:) (For examples, see the SR-71, spy satellite imagery, Predator UAVs, the TIA project, etc. and the number of times Tom Clancy has been accused of espionage for incorporating published projects into his work.)
on the other hand, you have NSA could use whatever patented technique they wanted and no one would ever know, but they decide to go out and publicly announce a license
You're wondering why the NSA didn't just go ahead and use Certicom's patented ECC implementation and keep it a secret? Because they're a lot bigger than Rush freakin' Limbaugh, and it only takes one employee to speak up and say, "we knew someone else patented this but we used it anyway" before someone gets in a lot of trouble.
No one wants that kind of a black eye. If that scandal broke, the manager who gave the go-ahead to implement the Certicom solution without licensing it would probably find himself reassigned to a communications post in Afghanistan.
And one thing about the US government... no matter how hard they try to keep things under wraps, they're just not very good at it. There are just too many nosy journalists and authors poking around... everything comes out sooner or later.
Who the hell in their right mind is going to license this from the NSA?
Uh, anyone who wants to do business with or exchange sensitive info (read: pretty much anything) with the NSA. If that's you, you'll most likely have to use this to talk to them about anything important. So, it seems logical that they've acquired the ability to grant sub-licenses -- that way you can be provided with tools to encrypt and decrypt communication that works with the NSA-specific implementation of this patented ECC concept.
Maybe you were thinking that the NSA is going to release commercial products based on ECC? I don't think so. They'll probably leave that to Certicom and just use the licensed technology for their own use rather than resale.
everything in moderation