Certicom Throws Elliptic Curve

Thirteen years after Neal Koblitz and Victor Miller, working independently, both devised a public-key system using groups of points on an elliptic curve for discrete-log cryptosystems in 1985, Certicom Corp. (San Mateo, Calif., www.certicom.com) has harnessed the technology and helped apply it to some of the most security-dynamic inventions in the world.

In June, RDM Corp. (Waterloo, Ontario, www.rdmcorp.com), a research development and manufacturing company, announced that the U.S. Government’s Department of Treasury completed the first-ever payment over the Internet. When that transaction used RDM software to issue a digitally signed electronic check, the company that developed the encryption used, Certicom Corp., had entered into the big market.

To ensure that electronic transactions are reliably encrypted, RDM uses Certicom’s elliptic curve cryptography (ECC) to effectively encrypt the e-mail message carrying the electronic checks between the Treasury and payees, and between the payees and their banks.

Jay Hussey, a spokesman for RDM, says issuing checks electronically follows all of the same laws the traditional paper-check system does, while saving time and money on printing, enveloping and postage.

Although RDM may consider this to be the most substantial use of ECC to date, Certicom has been licensing the technology since the first quarter of 1997. Infowave Wireless Messaging Inc. (Burnaby, British Columbia, www.infowave.net) has been on board with Certicom since January when it began to use ECC to secure its wireless messaging client/server software suite for Windows CE.

3Com Corp. (Santa Clara, Calif., www.3com.com) will be using the technology for its connected organizer and computing platform. "One of the nice things about Certicom is that they catered to our needs; they did the work for us, and their crytographers helped us," says Joe Sipher, PalmPilot product manager for 3Com Corp. "Security is clearly an important aspect when entering the computing enterprise, and ECC met all of our requirements."

Likewise, GlobeSet (Austin, Texas, www.globeset.com) signed on with Certicom in May to use ECC technology in GlobeSet’s entire product line for secure Internet payment transactions. Sterling Commerce Inc. (Dallas, www.sterlingcommerce.com) integrated the technology with its Connect:Conceal product line to provide high-performance digital signatures for authentication, data integrity and nonrepudiation.

Analysts say secure e-commerce remains a large concern for companies conducting business over the Internet. This concern was highlighted just last month when a researcher from Lucent Technology Inc.’s Bell Labs (Murray Hill, N.J., www.bell-labs.com) unit discovered a hole that enables the decoding of Internet sessions under some circumstances. These sessions were protected by the Public Key Cryptography Standard (PKCS), which includes Secure Sockets Layer (SSL), the data encryption scheme from RSA Data Security Inc. (San Mateo, Calif., www.rsa.com) that is used by most Web browsers such as Netscape Navigator and Microsoft Internet Explorer.

The experimental hack also revealed how difficult it would be to successfully hack through SSL, because of the measures the researcher had to take before achieving success. Although the hole has been patched, the incident still raised questions.

While RSA is still supportive of its home-grown SSL technology, it is hesitant about ECC. "RSA does not currently recommend deploying commercial products based on elliptic curve technology except in certain special cases," states a release from RSA, which counters that more time needs to be taken to examine ECC. Meanwhile, RSA has just announced the shipping of BSAFE 4.0, a security component suite for adding encryption to existing applications. One of the headlining features of BSAFE is ECC encryption.

While not all analysts and vendors agree that ECC is the strongest form of encryption, none have refuted performance benefits associated with ECC, including RSA. Michael J. Wiener, a senior cryptologist for Entrust Technologies Inc. (Richardson, Texas, www.entrust.com), says this is because of the code itself. He comments, "The main advantage that elliptic curve cryptography has over other public-key algorithms is that its digital signatures and encrypted symmetric keys are shorter."

According to 3Com’s Sipher, 169 bits of Certicom’s ECC technology is the security equivalent of 1,024 bits from RSA. That adds up to a nearly 83 percent longer bandwidth when using RSA. "We evaluated the RSA stuff," says Sipher, "and we felt at the time [January] that RSA was not with the curves at all."

For now it’s not clear when ECC will make it into mainstream products. Craig Beilinson, Microsoft Corp. Internet Explorer product manager, says the company hasn’t committed to the technology yet, but the option has not been ruled out. "We are investigating elliptic curve technologies for future versions of our products," he says.

Like Certicom, RSA has its support in the government as well. In June, the Social Security Administration was granted a waiver to use commercial software products incorporating RSA encryption technology. One reason the federal government has been reaching to private crytographers such as Certicom and RSA is because 90 percent of the browsers on the market do not support the Federal Information Processing Standard cryptography algorithms.

In July, IBM Corp. announced that it was working with CyberCash’s ICVerify unit (Reston, Va., www.cybercash.com) to develop and market an Internet payment process. The new process will use SSL rather than ECC, the encryption used by RDM’s Internet check system.