September 19, 1997 6:40 PM PDT
Encryption battle shaping up
Network security firm Cylink (CYLK) today said it is licensing the elliptic curve cryptography engine from Canada's Certicom (CIC), adding new momentum to the challenge to RSA Data Security, which has dominated public key cryptography for more than a decade.
The licensing agreement allows Cylink to build the Certicom engine and other Certicom technology into Cylink's products. It means that Cylink will expand its product line based on elliptic curve cryptography, a 12-year-old encryption algorithm which is getting increasing attention.
For close to a decade, RSA has been the top brand in encryption, the arcane science of scrambling data so the wrong eyes don't see it. But RSA, with its principal patents due to expire in two years, suddenly finds its supremacy challenged.
Elliptic curve, a form of public-key cryptography that takes a different approach from RSA's, poses the biggest threat.
RSA has been buffeted in recent months. First, over the summer the Internet Engineering Task Force dropped its consideration of RSA's S/MIME protocol as a standard for secure email, at least in part because S/MIME requires using RSA's patented technology.
Second, Mastercard's top e-commerce guru, vice president Steve Mott, has been making noises about adding elliptic curve to the next version of the Secure Electronic Transactions (SET). SET 1.0, a protocol for secure credit card payments over the Internet, supports only RSA encryption.
Third, a number of big players are putting at least one foot into the elliptic curve camp while continuing to use RSA encryption. Those include Microsoft, Sun Microsystems, and Motorola, which recently took a five percent stake in Certicom.
Finally, manufacturers of low-memory devices such as smart cards, cellular phones, screen phones, and television set-top boxes are increasingly opting for elliptic curve cryptography, largely because it requires fewer computations than RSA encryption. VeriFone announced in June that it would use Certicom's technology in smart card readers, a major new push for the company.
"Cryptography is computation intensive, especially with low-end processors for smart cards or other small devices that might want to create a digital signature," said Jim Omura, Cylink's chief technology officer and cofounder. "Elliptic curve offers a factor of about ten in speed--that's the reason for its attractiveness.
"There's been a lot of talk lately about the SET protocol, and one of the biggest issues seems to be the amount of computation that signatures will require, so the computation-intensive issue is coming up," Omura added.
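The cost argument Omura makes above is easy to make concrete. The following Python example is added here for illustration; it is not code from the article, Cylink, Certicom or RSA. It instruments the two core operations, square-and-multiply (an RSA private-key operation) and double-and-add (an elliptic-curve scalar multiplication), counts the big-number multiplications and field inversions each performs, and weighs them under a stated cost model. Everything in it is a constructed assumption: the curve (a 160-bit prime field with a point chosen by hand, not a standardized curve), the RSA numbers (random dummies of the right size, not a real key), the 1024-bit RSA versus 160-bit EC pairing, and the cost model (an n-bit multiplication costs n² word operations, an inversion costs ten multiplications).

```python
import random

# Added illustration (not from the article, Cylink, Certicom or RSA): count the
# arithmetic behind "elliptic curve needs fewer computations than RSA" by
# instrumenting square-and-multiply (RSA signing) and double-and-add (EC scalar
# multiplication). The curve, the dummy RSA numbers and the cost model are all
# constructed assumptions for this example.


def modexp_count(base, exp, mod):
    """Left-to-right square-and-multiply. Returns (base**exp mod mod, number of
    modular multiplications); the count is bit_length(exp) + popcount(exp)."""
    result, muls = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod          # one squaring per exponent bit
        muls += 1
        if bit == "1":
            result = result * base % mod        # one multiply per set bit
            muls += 1
    return result, muls


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases (ample for the 160-bit primes used here)."""
    if n < 2:
        return False
    for q in bases:
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    """Smallest probable prime >= n."""
    n = n + 1 if n % 2 == 0 else n
    while not is_probable_prime(n):
        n += 2
    return n


class Curve:
    """Short Weierstrass curve y^2 = x^3 + ax + b over F_p in affine coordinates,
    instrumented to count field multiplications and inversions."""

    def __init__(self, p, a, b):
        self.p, self.a, self.b = p, a, b
        self.mults = self.invs = self.doublings = self.additions = 0

    def on_curve(self, P):
        if P is None:                     # point at infinity
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def _inv(self, x):
        self.invs += 1
        return pow(x, self.p - 2, self.p)  # Fermat inverse, p prime

    def add(self, P, Q):
        """P + Q, with None as the point at infinity."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None                   # P == -Q
        if P == Q:                        # doubling: 1 squaring + 1 multiply for the slope
            lam = (3 * x1 * x1 + self.a) * self._inv(2 * y1) % self.p
            self.mults += 2
            self.doublings += 1
        else:                             # addition: 1 multiply for the slope
            lam = (y2 - y1) * self._inv(x2 - x1) % self.p
            self.mults += 1
            self.additions += 1
        x3 = (lam * lam - x1 - x2) % self.p           # 1 squaring
        y3 = (lam * (x1 - x3) - y1) % self.p          # 1 multiply
        self.mults += 2
        return (x3, y3)

    def mul(self, k, P):
        """Plain double-and-add k*P (no side-channel hardening; counting only)."""
        R = None
        for bit in bin(k)[2:]:
            R = self.add(R, R)
            if bit == "1":
                R = self.add(R, P)
        return R


def make_curve(bits, x=1997, y=1998):
    """Constructed example curve: a 'bits'-bit prime field, a = -3, and b chosen
    so that the hand-picked point (x, y) lies on it. Not a standardized curve."""
    p = next_prime(1 << (bits - 1))
    a = p - 3
    b = (y * y - x ** 3 - a * x) % p
    return Curve(p, a, b), (x, y)


def _top_bit(bits):
    return 1 << (bits - 1)


def compare_signing_cost(rsa_bits=1024, ec_bits=160, inv_cost=10, seed=1997):
    """Estimate (RSA signing cost) / (EC scalar multiplication cost).
    Cost model (assumption): multiplying n-bit numbers costs n^2 word operations
    (schoolbook) and a field inversion costs inv_cost multiplications. The RSA
    values are random dummies of the right size, not a real key."""
    rng = random.Random(seed)
    # RSA: one exponentiation with a full-size private exponent d modulo n
    n = rng.getrandbits(rsa_bits) | _top_bit(rsa_bits) | 1
    d = rng.getrandbits(rsa_bits) | _top_bit(rsa_bits)
    m = rng.getrandbits(rsa_bits - 1)
    _, rsa_muls = modexp_count(m, d, n)
    rsa_cost = rsa_muls * rsa_bits ** 2
    # RSA with CRT: two exponentiations with half-size exponents and moduli
    half = rsa_bits // 2
    crt_muls = 0
    for _ in range(2):
        q = rng.getrandbits(half) | _top_bit(half) | 1
        dq = rng.getrandbits(half) | _top_bit(half)
        crt_muls += modexp_count(m % q, dq, q)[1]
    crt_cost = crt_muls * half ** 2
    # EC: one scalar multiplication k*G with a full-size scalar
    curve, G = make_curve(ec_bits)
    k = rng.getrandbits(ec_bits) | _top_bit(ec_bits)
    R = curve.mul(k, G)
    if not curve.on_curve(R):
        raise ArithmeticError("point arithmetic left the curve")
    ec_cost = (curve.mults + inv_cost * curve.invs) * ec_bits ** 2
    return {
        "rsa_muls": rsa_muls, "crt_muls": crt_muls,
        "ec_doublings": curve.doublings, "ec_additions": curve.additions,
        "ec_mults": curve.mults, "ec_invs": curve.invs,
        "rsa_over_ec": rsa_cost / ec_cost, "crt_over_ec": crt_cost / ec_cost,
    }


if __name__ == "__main__":
    r = compare_signing_cost()
    print(f"RSA-1024 / EC-160 cost ratio: {r['rsa_over_ec']:.1f}x "
          f"(RSA with CRT: {r['crt_over_ec']:.1f}x)")
```

Running it prints a ratio of a few to a few tens depending on whether the RSA side uses the Chinese Remainder Theorem, which brackets the "factor of about ten" quoted above. The point the counts make is structural: a 160-bit scalar needs about 160 doublings and 80 additions on 160-bit field elements, whereas a 1024-bit exponent needs about 1024 squarings and 512 multiplications on 1024-bit numbers, and multiplication cost grows with the square of the operand size. The model is deliberately crude (affine coordinates with an inversion per step, no windowing, no Montgomery arithmetic), so treat the ratio as an order-of-magnitude illustration rather than a benchmark.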
RSA is taking the challenge seriously enough that several months ago it devoted a major section of its Web site to debunking elliptic curve as a safe technology.
"It's our view that elliptic curve is pretty interesting but not ready to make a bet on," said Scott Schnell, RSA's vice president of marketing, who notes that RSA supports elliptic curve in some of its security toolkits.
"RSA has been the preferred technology because it's much better understood, easier to implement, and easier to understand if it's done correctly," Schnell added. "The math behind elliptic curve is not widely or completely understood."
But he tacitly admitted that RSA encryption won't work on low-memory devices.
"In some cases, vendors such as Motorola will use elliptic curve for specific areas," he added. "Some use it as a compromise between no security and RSA, which might not be able to meet the needs for a particular device. But nobody ships any products with elliptic curve today."
Michael Zboray, a vice president at Gartner Group who follows the security field, notes that RSA's algorithms have been tested and held up for a long time.
"In cryptography, small, simple, and old implies better," Zboray said. "If it's new, it's guilty. If it's big, it's guilty. If too many people worked on the code, it's guilty.
"Each of those has the propensity to introduce bugs of all kinds, and security bugs are more subtle than the rest," he added. "To create good security code requires a level of precision that is difficult for people to do. Small mistakes can turn into big security errors. There are no good metrics for indicating whether something is likely to be robustly secure or not."
The patents issue is a central one. Cylink marketed the Diffie-Hellman patent until it expired earlier this month, and Cylink and others claim Diffie-Hellman, which is required to work alongside elliptic curve crypto, is getting new attention from security vendors because it's free.
Ironically, RSA built its big market share in encryption algorithms by licensing them broadly and not being too greedy on terms. But it's hard to compete on price against free software.
The quiet war over encryption is complicated by an unholy alliance of players aligned against RSA. Certicom is a direct competitor, and both Cylink and Pretty Good Privacy, whose secure email protocol is outstripping RSA's at the IETF if not in the market, have been in nasty lawsuits against RSA. Cylink's has been settled, but PGP's was revived just this month.
Philip Deck, Certicom's chief executive, hints that the informal anti-RSA alliance may become more formalized.
"I think we will end up more actively coordinating with each other," Deck said, on efforts before standards bodies.