NSA Turns To Commercial Software For Encryption

Roland Piquepaille writes "According to eWEEK, the National Security Agency (NSA) has picked a commercial solution for its encryption technology needs, instead on relying on its own proprietary code. "The National Security Agency has purchased a license for Certicom Corp.'s elliptic curve cryptography (ECC) system, and plans to make the technology a standard means of securing classified communications. In the case of the NSA deal, the agency wanted to use a 512-bit key for the ECC system. This is the equivalent of an RSA key of 15,360 bits." This summary includes the NIST guidelines for public key sizes and contains more details and links about the ECC technology. Since the announcement, Canadian Press reports that Certicom's shares more than doubled in Toronto."

FUD

[ChozCunningham]

Shouldn't we demand an open source solution? ;)

Re:FUD

[jdhutchins]

You can bet that NSA demanded the source code. I don't think they'd trust something they can't see the source to for their security. As for them buying a closed-source or open-source, to them it doesn't matter, they'll get the source anyways.

Re:FUD

[quadelirus]

I stated this in another post, but I've got a link now:

The NSA is not lisencing software, it is lisencing the right to use Certicom's ECC cryptosystem. Cryptosystems now are usually known even when proprietary to allow mathematicians and cryptographers the ability to test the security of it. (The RSA cryptosystem for instance is thoroughly explained on RSA's web-site, but you would still need a lisence to use the algorithm in a program)

I found a tutorial by Certicom on their ECC cryptosystem here.

PS. I could be wrong, but from the article it seems that "intellectual property" and "This is the first time that the NSA has endorsed any sort of public-key cryptography system." that they are not actually lisencing software but are in fact lisencing the cryptosystem. If I am wrong, I humbly apologize.

Re:FUD

[randyest]

I'll take that bet aginst you. The NSA didn't demand the source code, they wrote the source code. Note that NSA is not buying some software tool, they are licensing a patented encryption concept. The NSA will implement this ECC encryption technology in many different ways, on their own:

This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a limited field of use. The field of use is restricted to implementations of ECC that are over GF(p), where p is a prime greater than 2256.

Re:FUD

[randyest]

Who the hell in their right mind is going to license this from the NSA?

Uh, anyone who wants to do business with or exchange sensitive info (read: pretty much anything) with the NSA. If that's you, you'll most likely have to use this to talk to them about anything important. So, it seems logical that they've acquired the ability to grant sub-licenses -- that way you can be provided with tools to encrypt and decrypt communication that works with the NSA-specific implemntation of this patented ECC concept.

Maybe you were thinking that the NSA is going to release commercial products based on ECC? I don't think so. They'll probably leave that to Certicom and just use the licensed technology for thier own use rather than resale.

Public key vs. symetric

[autopr0n]

You can't really compare symetric key systems like AES with public key systems like ECC or RSA. With a symetric system you need keey your key secret, with public key you have two keys (encryption and decryption), and you only need to keep one of them secret. The other you can distribute far and wide.

A lot of times, people will create symetric keys and then use public key systems to distribute them.

Re:Canadian code?

[Timesprout]

Its pretty obvious. The strange pronunciation required for Canadian variables makes the code more difficult to comprehend and so creates an additional level of obfuscation and thus greater security.

This isn't software, it's patents.

[Garin]

As far as I understand the deal, this has nothing to do with licensing software. They couldn't have gone with an OSS version (or "roll their own") as so many suggest because they're not licensing just software, they're licensing patents.

You'll note that they've also got sublicensing rights on those patents. There could be a software component to this deal, but as far I can tell it appears that this is mainly about patents.

Re: Privatization

[Black+Parrot]

> The NSA's job is to make secure codes for government use, and break other people's codes. So they licensed someone else's code, but why are they announcing it for intra-government use? The obvious question is, Can't they roll their own?

Probably just means that they've discovered how to crack it, so now they want everyone else to use it.

Re:Privatization

[espo812]

Oh come on, I know Bush's administration is all for privatization and turning to the private sector and all, but this?

I believe that the technological divide between the NSA and the private sector has been shrinking over the years. I also don't think they would have selected this product if they didn't have good reason to. I suspect that this product was probably developed with some degree of NSA involvement, either contract work there or by former contractors/employees. And, low and behold, as I RTFA it says:

Certicom has worked with the NSA, based at Fort Meade, Md., on several classified projects in the past, and this agreement is essentially an outgrowth of that work, officials said.

So, it appears to have a lot of NSA involvement in the development. Actually, RTFAing a bit more closely it appears NSA is licensing the algorithm from Certicom. So they may not even be using the code from Certicom, they could be developing all the systems in house. Clearly, they wouldn't make a move like this without thoroughly analyzing the algorithms involved.

So what comes out is a solution that was produced much cheaper than a similar inhouse effort, and this will save the tax payers money (which sounds good to this poor college student.) I have to say I'm surprised at the Agency going after a commercial product for classified purposes, but I'm sure they have good reasons.

Re:Size of key

[espo812]

I wonder: how can they tell that a 2 ^ 512 possibility range is as secure as a 2 ^ 15360 probabilities scheme?

Because breaking RSA does not involve brute forcing the bits, it involves factoring huge ass numbers into primes. Look up the differences between symmetric and asymmetric (or private and public) key cryptosystems.

Re:What about license abuse?

[randyest]

The NSA practically can't not follow the license -- it's world-wide and allows granting sub-licenses, and is only restricted to use above a certain security level. The NSA would have to use relatively insecure implementations of the technology to violate the license, and I think that's unlikely:

Certicom Corp. (TSX: CIC), a leading provider of wireless security solutions, today announced that the National Security Agency (NSA) in Maryland has purchased extensive licensing rights to Certicom's MQV-based Elliptic Curve Cryptography (ECC) intellectual property. ECC is becoming a crucial technology for protecting national security information.

This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a limited field of use. The field of use is restricted to implementations of ECC that are over GF(p), where p is a prime greater than 2256. Outside the field of use, Certicom will retain all rights to the technology for other industries that require the same levels of security, including state and local government agencies. Certicom will continue its policy of making its intellectual property available to implementers of ECC under normal commercial terms on a non discriminatory basis.

Re:Huh?

[randyest]

Being the NSA doesn't guarantee you can develop the best technology in every security-related area. If another company or research institute happens to come up with a technology that's remarkably better than anything else like it and patent it first (such as the ECC mentioned in the article), the NSA should and does license it. That is, they buy the the rights to use the technology that someone else spent a lot of time and effort to develop (maybe even more than the NSA put forth in this field) .

It's not like the NSA is buying a binary encryption software package they can't decompile, or shipping the secrets up to Canada for encrypting. This isn't a security concern. The NSA bought the concept of ECC, and Certicom deserves to be paid fairly for it. The NSA can do anything they want with ECC now, including grant sub-licenses without approvasl from Certicom. The only restriction is to require a minimum level of ecryption field size (encryption strength), which isn't a problem for NSA:

This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a limited field of use. The field of use is restricted to implementations of ECC that are over GF(p), where p is a prime greater than 2256.

This is for the more discerning crypto customer

[vt0asta]

"If you want to build an NSA-approved product, they want this in there."

All that means, is like DES back in the day, if you want to have something NSA approved you pick this. I can guarantee you that the government when it's working on it's black budget work in general and historically has no regard for paying licenses for patents, and routinely mines the patent office for anything they may need. NSA has government customers that want protection, and instead of giving them the super secret good stuff, they find something off the shelf and give them this. This Certicom Corp. ECC is the new algorithm to study, because if it's NSA endorsed it's "probably" years ahead of the public domain state of the art, and is "probably" resistant to some pretty sophisticated crypto analysis techniques.

Re:OSS ECC? ECC vs AES

[graf0z]

GnuPG can use DSA which is ECC.

No, DSA != ECC.

DSA and ECC both do encryption by exponentation, relying on the assumtion that the reverse function - the logarithm - is infeasible with the used keylengths. They are both called "Discrete Logarithm Systems".

But the multiplication is done in completly different mathematical contexts: DSA multiplies in the rings Z/p (that are the natural numbers modulo p, p being a prime) where ECC multiplies in suitable "elliptic curve groups over finite fields" . That are finite sets of "numbers" paired with an complicated operation called "multiplication". These "numbers" behave quiet odd.

The main practical difference is the neccessary keylength. Depending on the chosen eliptic curve, ECC keys are 4-8 times smaller than DSA keys. They get much closer to the "no attack is faster than the brute force attack"-paradigm than other public key algorithms like DSA or RSA.

Unfortunatly, huge classes of suitable elliptic curves got patented.

Google for free ECC software. There are at least some libraries published by academic research groups.

/graf0z.

Re:Privatization

on one hand, you have a crackhead who could get all the drugs he wanted legally and privately, but for some unexplicable reason bought his dope illegaly on the street through someone who could (and did) dime him out.

on the other hand, you have NSA could use whatever patented technique they wanted and no one would ever know, but they decide to go out and publicly annouce a license

You're wondering why the NSA didn't just go ahead and use Certicom's patented ECC implementation and keep it a secret? Because they're a lot bigger than Rush freakin' Limbaugh, and it only takes one employee to speak up and say, "we knew someone else patented this but we used it anyway" before someone gets in a lot of trouble.

No one wants that kind of a black eye. If that scandal broke, the manager who gave the go-ahead to implement the Certicom solution without licensing it would probably find himself reassigned to a communications post in Afghanistan.

And one thing about the US government... no matter how hard they try to keep things under wraps, they're just not very good at it. There are just too many nosy journalists and authors poking around... everything comes out sooner or later :) (For examples, see the SR-71, spy satellite imagery, Predator UAVs, the TIA project, etc. and the number of times Tom Clancy has been accused of espionage for incorporating published projects into his work.)

Re:OSS ECC? ECC vs AES

[pyrbe]

Bouncycastle Crypto APIs support atleast Elliptic Curve DSA and Elliptic Curve basic Diffie-Hellman (according to release notes). Possible other ECC algorithms too.

Evidence for Quantum Computer

[Markus+Registrada]

This isn't proof that they don't have a quantum computer. It's evidence that they do have, or expect to, or expect others to have soon. A quantum computer isn't magic. The best guess about the power of quantum computers, as applied to decryption, is that they can crack a 2N-bit cipher about as fast as an ordinary computer cracks an N-bit cipher.

So, when we see the NSA not just adding key bits, but adding bits and then doubling them, we see evidence of countermeasures against quantum computers. This doesn't mean they have quantum computers. Remember that they are not just guarding secrets they transmit today against attack now, but against attack ten years from now, when revelation might still be damaging.

Once we all do have quantum computers, I wonder what amusing revelations will come from cracking old ciphertexts. You can bet the NSA will keep busy at it, and so will the Brits, and the French, and the Germans, and the Russians, and the Israelis. (No doubt a few of the biggest corporations go on that list too.)