NSA Licenses Certicom IP
Industry darling
Certicom Corporation announced today that it is licensing it's MQV / ECC IP to the
NSA. In english... this means that the US's communications security organization, the National Security Agency, now has the rights to use and sublicense the use of products that implement
Menezes-Qu-Vanstone (MQV) key establishment using Elliptic Curve Crypto (ECC) primitives.
The agreement gives the NSA a worldwide non-exclusive license with the ability to grant sublicenses for foreign and domestic rights to use Certicom's intellectual property relating to the MQV key establishment with ECC over GF(p) where p is a prime > 2^256.
Though the
press release announcing the agreement at Certicom's web site does not explicity mention it, it can be implied from other statements that the scope of the agreement is limited to agencies of or companies developing products for the US federal government. There is mention in the press release that Certicom retains the rights for applications outside the field of use proscribed by the agreement including state and local governments.
Previous stories here on Cryptonomicon.Net have indicated our respect for Certicom's technology, but have questioned the business' ability to deliver on the promise of their intellectual property.
The Cryptonomicon.Net editorial board is pleased to see agreements like this from Certicom, and hope that it leads to enhanced market share in the increasingly difficult crypto technology market.
Beyond the license fee paid by the NSA, the agreement will allow NSA customers in the US federal government to use ECC technology without negotiating a seperate license from Certicom. Presumably federal agencies will have an easier time negotiating with the NSA than with Certicom. This should make products that use of ANSI X9.63 with MQV/ECC more attractive to government customers. If this leads to increasing availablity of ECC related products, Certicom should see some direct benefits as commercial customers seek to license IP embedded in products moving from the governmental to COTS markets.
To be sure Certicom needs more deals like this to be a long-term success, but this is definitely a move in the right direction.
Attacking a Shark with a Piano
The usually insightful
Linux World Magazine site is running an editorial by James Turner entitled "
Now Is the Time to Finally Kill Spam - A Call to Action." In this opinion piece, Mr. Turner proposes a simple way to eliminate spam... register all email users and force them to digitally sign all email.
The editorial board thought about this one a bit and decided we wanted to respond to the idea. Matt Hamrick provides the "official" response...
Before I start, I should probably mention that I've the utmost respect for Mr. Turner, and in fact our paths have crossed a couple of times at various Unix / Linux events. I don't think he's a registration-Nazi and does bring up a good point in his editorial.
What I see to be the crux of his complaint is that here he is, a skilled and experienced Internet technologist, and he's losing the battle against spam. If he's having such problems, then we can only guess at the problems encountered by mere mortals. Something needs to be done, and requiring digital signatures on email is as good a thing as any.
I agree that spam is a problem, and that's where we diverge.
Several people (myself included) have proposed a system to eliminate spam by requiring email users to digitally sign emails and have either clients or mail servers reject emails with improper signatures, or signatures of suspected spammers. At first glance the idea sounds great. However, problems occur as we examine the recommendation in detail.
There are five fundamental problems: a) can you convince everyone to use a digital signature aware client? b) can you convince everyone to use the same "parameters" such as RSA with SHA1, etc.? c) can you convince everyone to use the same set of root Certification Authorities? d) Who manages the black-ball list? and e) what about the cost?
Getting People to Use Modern Email ClientsFor years I have begged the people around me to use PGP or get a S/MIME certificate from VeriSign. I provide email services to a small group of friends and family, and it has always made me uneasy about sending email passwords in the clear. I was very happy to see a raft of new clients that either supported PGP directly or support PGP as a plugin. And I'm not partisan, so I was even happy when I noticed that Outlook Express and Netscape Navigator could be made to use S/MIME without a plugin.
The bad news is, however, that support for security features is spotty at best. Having used Microsoft's and Entrust's tools with Outlook, I can tell you that while they are better than a root canal, they might not be better than a regular filling. Common problems encountered by my coworkers and I made interoperability problematic. So... there's still a little bit of work to be done to make the common clients more stable with respect to S/MIME functionality.
Another option may be to force everyone to use the same client. With Microsoft and AOL's market share, we may be seeing something like that already. Still, it's unlikely that the whole net will switch over to a particular email client just for S/MIME or PGP support.
Public Key Parameters?Everyone knows there's one de-facto standard for digital signature production, right? It's RSA with MD5. Oh... wait... there are those problems with MD5 collisions that were discovered a couple years back, so we better make it RSA with SHA1. Well... if we're doing SHA1, maybe we should do RSA with SHA256. Or heck, we'll have problems importing to various countries if we use RSA, so why not just use DSA? It can effectively only be used for digital signature production, after all (unless we start looking closely at the El Gamal crypto-system, but that's a different argument.) What about Elliptic Curve? What if there's a follow-up to TWIRL and factoring becomes radically easier than we had thought? Maybe ECDSA is something to think about. Or maybe Rabin-Williams... or...
The point is, there are several good algorithms out there. Elliptic Curve has always been a darling of the "constrained computing" crowd. If you're going to be doing RSA on a small device, you might also think about doing Rabin-Williams. No one algorithm is "the best" for all situations.
And what happens if the world standardizes on a set of parameters for an algorithm and that algorithm is then 'broken'? We might not get panic in the streets, but there is a likelihood that there would be some illicit spam.
Who are the Certifiers?In the early 90's there was a standard presented called
PEM (Privacy Enhanced Mail.) For the most part it was an acceptable standard, and is not all that different from the first version of S/MIME. The real think that killed PEM was it's reliance on a national PKI. The authors of the standard truly believed that the PTT (Post Telephone Telegraph) systems in each country would implement a PKI and certify key holders.
The response from national governments was a large question mark. Those governments who understood the proposal responded with a yawn. Free speech advocates in the US were convinced that this was to muzzle dissent on the Internet. The fear being that if everyone had a key issued from a national PKI, they might make it a requirement to use that key to logon making it very difficult to say politically unpopular things with anything resembling anonymity.
Who manages the black-list?There are several existing anti-spam systems that collect lists of email addresses and IP Addresses of known spammers. These so-called 'black-lists' are used to filter email entering the system. If an email comes from a mail server that's known to be promiscuous enough as to allow a spammer unregulated access, then guess what, it's marked as spam and deleted. The problem is that large ISP like Earthlink/Mindspring has been marked in several of these black-lists. Now there are several domains I can't send email to from my Earthlink account.
Cryptonomicon.Net was recently implicated as a spam source. What happened? The IP address we use for our email server was in the same Class C block as someone who was sending spam. What was the result? Some well-meaning people in vermont black-listed the whole Class C. Whose Class C was it? It happened to be a class C used by EV1 (Everyone's Internet,) a popular hosting service. Over a thousand domains were blacklisted improperly that day.
What's my point? I guess my point is that there's more to blacklisting than the database. You've got to have policies, appeal procedures, and you've got to have a staff that won't succumb to social engineering.
And what about the cost?Virtually no-one I know will go through the process of generating a key and getting it certified. S/MIME certificates from Verisign are a non-zero expense, and they prove only that one's email address is associated with a private key's owner. Certifying one's identity in the way that people think about identity is considerably more expensive. Mr. Turner talks about this being a $10 expense. I'm not sure where he's getting his numbers. In the mid-90's I was part of a PKI deployment team that was dealing with a popular brick-and-mortar infrastructure player (I can't name the company, but they have offices just about everywhere in the western hemisphere, and you would certainly recognize their name.) The idea was that they would use the local government issued ID to register (enroll) a user in a PKI for an online commerce application. Their cost per certificate was somewhere around $150.
And as we've seen, ID checking is not the only expense. People like email because it is an efficient and inexpensive method of communication. There are other electronic means of communication: EDI, TELEX, etc. But they are not inexpensive. The reason we have the mail system we have now and not something like Compuserve or MCIMail is that security took a back seat to cost.
James Turner, I feel your pain, but I don't think universal adoption of digital signature technology is going to help us here.
