Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Security Operating Systems BSD

OpenSSL Gets Cryptography Gift From Sun 217

Kataire writes "C|Net posted this story about how Sun Microsystems' has donated 'elliptic curve' encryption technology, (developed by Whitfield Diffie of Diffie-Hellman public key fame) to the OpenSSL project. This potentially means better encryption for lighter-weight systems such as PDAs."
This discussion has been archived. No new comments can be posted.

OpenSSL Gets Cryptography Gift From Sun

Comments Filter:
  • Great! (Score:4, Funny)

    by mdechene ( 607874 ) on Thursday September 19, 2002 @05:11PM (#4292673)
    Now I can keep my pesky roommates out of my palms oh-so-full social calendar.
    • Re:Great! (Score:4, Funny)

      by Soko ( 17987 ) on Thursday September 19, 2002 @05:13PM (#4292709) Homepage
      Now I can keep my pesky roommates out of my palms oh-so-full social calendar.

      You mean right now you let *your* palm *date* your friends? Ewww....

    • Re:Great! (Score:5, Interesting)

      by Darkforge ( 28199 ) on Thursday September 19, 2002 @06:22PM (#4293222) Homepage
      Actually, there is a real use for widespread heavy-duty crypto, even on a PDA: encrypted money tokens.

      If strong encrypted money tokens were to be implemented on a wide scale for, say, Palm PocketPC, Zaurus, and maybe a special purpose StrongARM device, you could expect to see a cheap widespread secure electronic payment mechanism that you can use for micropayments.

      Aside from the novelty of buying lunch with your PDA, this could be the next step towards truly secure electronic transfers. You can say goodbye to corporate privacy violations when you can pay for your online goods with secure anonymous electronic cash.

      Imagine paying your peers in a P2P system for MP3s/OGGs/whatever. Providing fat bandwidth for P2P would be a potential money-maker, not merely a labor of love. Throw in an anonymizing protocol and you're selling MP3 bandwidth online securely and untraceably; the RIAA couldn't shut you down, because there'd be no way to figure out who you were.

      That's the power of widespread strong crypto, especially in small devices.

      • Re:Great! (Score:3, Interesting)

        I don't know if you guys remember, but PayPal started off as a Palm App [thenakedpc.com]. It started as a solution for the bane of business lunches - having no money or just $20 bills and having to split, and then having to remember everything. So you could beam folks money adn it would show up in yur account. The problem is synching up the money, what if you reset your Palm before you synch the money to your account (I lost my $5 that way). They quickly realized that the amount of money in splitting a check wasn't as big as the big boy of trying to pay over the Internet, and they switched their model pretty quickly to that, quite successfully I might add.
    • by hendridm ( 302246 )
      > Now I can keep my pesky roommates out of my palm's oh-so-full social calendar.

      Actually, this can be taken in more than one way, especially since "palm" isn't capitalized.
  • This isn't the encryption scheme mentioned previously, when Slashdot reported that a distributed project has almost "broken" the scheme, is it?
  • by bsharitt ( 580506 ) <bsharitt AT gmail DOT com> on Thursday September 19, 2002 @05:13PM (#4292708) Homepage Journal
    Sun is basically "arming the rebels" so they can better fight Microsoft. Even though they may have other motives, it's nice of them anyway.

    • Sun should watch out for blowback from these rebels. Look what happened when the US CIA funded, armed, and trained Saddam Hussein and Usama bin Laden.

      In all seriousness, if the open source desktop succeeds, who is more likely to profit, Sun or Dell?

    • Do you really have to see a conspiracy in everything? Or is it out of fear for posting on here that you have to say something negative before you can say anything positive about any issue?
    • by Billly Gates ( 198444 ) on Thursday September 19, 2002 @06:20PM (#4293208) Journal
      "Sun is basically "arming the rebels""

      No. I think it this move was designed to improve Apache's security and make it a greater e-commerce tool on solaris( and unix). Sun relizes that more sun webservers use apache then Iplanet so they are donating the code to openssl since apache uses it by default. And not to just attack Microsoft. However I do question the timing since newly discovered ssl flaw recently in IIS/IE is making headline news and CIO's nervous.

      Something like this may have an impact in e-commerce purchasing decisions. .NET has made alot of hype and headway into the ecommerce market because its so easy to write a vb.net ecommerce site these days. In VB.NEt you can declare a subroutine as a webservice or applet(never used it but seen it)and it instantly becomes a servlet. This is something Sun has to fight. Windows Developers are really rallying upon .NET because thats all they know. Same reason why SQL-Server is getting popular. With palladium security will be a non issue so who knows what will happen. I do not see how sun could fight this unless use the more open TCPA [trustedpc.org] standard. At least that one is not owned by Microsoft like palladium.

      • However I do question the timing since newly discovered ssl flaw recently in IIS/IE is making headline news and CIO's nervous.
        Personally, I think the timing is just loverly. Not only is the hole patched pronto and openly, but the machinery is being put into place so that Apache on Solaris (and others of course) can actually be trusted.
        At this point I'd be extremely leery of the ultimate security of Microsoft software.

      • by AntiTuX ( 202333 ) on Thursday September 19, 2002 @10:44PM (#4294678) Homepage
        okay, I know this is a personal thing, but it's iPlanet, not Iplanet, or IPlanet. I used to work there, and it drove me nuts when someone would misspell it.

        I'll probably get modded out of commision for this, but I just really get tired of misspellings.
        Even though I was on the netscape side, and got laid off, I'm still loyal to iPlanet. They gave me my start in the IT world (head Sysadmin for iPlanet Learning Solutions), and I can't thank them enough for it.
    • sun's been arming the rebels for decades. where have you been sport?
  • I hate you bastards..get my curiosity flowing, now I get the waste the rest of the work day reading this [amazon.com] I encrypted something on my pda once..then tossed it out. Rather unorthidox method of the onetime pad cypher, I know, but hey.
    • Actually not so unorthodox. PGP's shred function did exactly that to securely delete files. Now, if you toss the PDA out, that's pretty radical security. Makes a whole new case for disposable devices.
  • by questionlp ( 58365 ) on Thursday September 19, 2002 @05:16PM (#4292736) Homepage
    Although I use and keep up with the BSD side of things, but I think this affects the entire open source community as a whole, including xBSD, Linux, Apache+SSL, and gobs of other software that utilizes SSL for security.

    Nonetheless, it is great to see Sun contributing back to the community.

    This does bring up one question in my mind though... could this be used in SSL acceleration cards to improve the effiency of the SSL 'processor' (i.e.: keep the same performance level while reducing the amount of power necessary)?
  • newlmsy akhtswnd whss adna nwsufaclanw!

  • Another fine donation by Sun. Congratulations to them for the offering.
  • by afidel ( 530433 ) on Thursday September 19, 2002 @05:23PM (#4292804)
    Since there is no known weakening from quantum computers of elyptic curve cryptosystems EC's may well be better for long term cryptography, even on supercomputers. Since it is pretty well known that the massive parallelism of quantom computers will greatly increase the ability of future systems to factor large numbers more traditional cyphers will be under more pressure.
    • by Anonymous Coward
      there is no known weakening from quantum computers of elyptic curve cryptosystems

      Huh? "Using the Quantum Computer to Break Elliptic Curve Cryptosystems" [nec.com]
    • by jbrandon ( 603700 ) on Thursday September 19, 2002 @05:52PM (#4293024)
      That's just not true; Shor's algorithm transfers quite nicely to solving what is essentially the discrete log problem in a group. IOW: Elliptic curve cryto is not any safer. See This [nec.com]
    • by jacobb ( 93907 )
      You are wrong, wrong, wrong . plain and simple.

      In fact, it has and can be easily shown that by solving "the factoring problem" (as it's oh-so-vulgarly put) or the discrete log problem of classical public key cryptosystems, one solves EC's. The problems are extensions of one another, and the solution to one is trivially deducible from the solution to another.
      your statement was like saying "unlike Webster's Dictionary, the Oxford English Dictonary has no words in it" - pure and utter nonsense. gibberish.

      All ECC's are (in boiled-down essence), is a Discrete Log problem on a cubic whose solutions are confined to a torus. (i.e. 'elliptic curve').
      while it's true that the keysize needed for secure ECC is much, much smaller and increases much much more slowly than either DL (discrete log) or IF (integer factorization) [both of which are essentially exactly the same] systems, this has to do with the way the field is set up and how the keys correspond.

  • what about the Taniyama-Shimura conjecture? If openSSL would include that with elliptic curves we could solve Fermat's last theorem on our PDA's...
    • but since they are modular, we could also use them for traditional pgp style encryption, no? instead of symmetric keys, you could use a public key.

      • but since they are modular, we could also use them for traditional pgp style encryption, no? instead of symmetric keys, you could use a public key.

        SSL and PGP (or preferrably the newer OpenPGP [openpgp.org]) standard both use a hybrid scheme which uses both asymmetric and symmetric encryption algorithms.

        If you mean could elliptic curves schemes (ECDLP, ECDSA, ECDH) be used in OpenPGP as well as SSL/TLS; then yes as long as it was added to the OpenPGP standards [ietf.org] which I don't think includes ECC yet but has spaces reserved for future ECC use.
    • I didn't think it was a conjecture anymore since Andrew Wiles proved it.
  • so now do we hate sun or love sun ?
  • by phorm ( 591458 ) on Thursday September 19, 2002 @05:30PM (#4292864) Journal
    Has anybody noticed a trend lately of large corporations or companies making offers to the public source movements. Is this a play between them for notice, or are they finally starting to figure out that it's better to play nice with open source than fight against it?
    • My guess is that they benefit by being able to offload development of key libraries to willing, competent developers. Why should Sun waste time on their own crypto library when there's the OpenSSL group writing and debugging code and there are many more trying to find weaknesses in it?

      The gesture isn't alturistic, I'm sure. Still, everyone benefits. Sun gets kudos for helping a project that is held highly by everyone else, and the project gets another algorithm under its hood.

    • You know the old saying: If you can't beat them, join them?

      Well, any corporation can be beat if they screw up. Sun's stock hovers around 3 and Oracle is scraping by at 9. MSFT would have gone down with them had they not been aggressively buying their own shares to prop up the price. ( I fear they too will tank in time--yay)

      Rather, open source developers can't be beat. You can't sue them, fire them, or force them one way or another. If one gets disgruntled about life and everything, five more rise to the occasion (with appropriate amount of bickering--but no ones dies of bickering... ni! ni! ni! ).

      This, I think, is a perfect case of: Since they (the Corps) can't beat us (the OS Devs) they're joining us.

      I just hope we don't jump on the bandwagon wholesale. Their evil ways are insidious, promising riches and glory,capitalism style, but lead straight down the Road to Perdition to the Bankruptcy Court.

      Harken thee: inspect the mouth of the gift horse. (translation: watch your back OSS)
    • by Anonymous Coward
      It is about compromising complementary businesses.

      Sun's views their business as servers, and big iron, places where linux is not really making such strong inroads. Mega-servers are still dominated by big iron.

      So, having as much client competition as possible makes sense. So, good crypto on the client increases client competition, and weakens Microsoft's hold on it.

      All Sun really needs is for linux to be a serious client competitor. Then the focus shifts to the server, where Sun dominates other companies.

      You could see Microsoft use this strategy when they maintained rights to DOS after licensing to IBM. They licensed DOS to all hardware manufacturers, to make them compete. Hardware became a tough business, and Microsoft got a monopoly.
    • it's all strategy (Score:3, Insightful)

      by g4dget ( 579145 )
      Companies give software away for many reasons: PR, establishing standards, driving competitors out of the market, and hurting competitors financially are among them. Sharing development efforts may be as well, but usually is not. Sometimes such strategies are combined with "dual licensing schemes", where open source is used to gain a foothold in a commercially meaningless part of the market to prop up a product that otherwise wouldn't be competitive.

      Not all such gifts are useful for the recipient, and some are genuinely harmful to the interests of open source users. So, do look a gift horse in the mouth, or you may be stuck with large vet bills otherwise.

      This one seems harmless if it is on unpatented technology, or if the patents are free for use by open source.

    • by kevin lyda ( 4803 ) on Thursday September 19, 2002 @07:09PM (#4293541) Homepage
      sun has been contributing to free software for decades. they didn't make a big production of it, but it's been happening anyway. now yes, for the past few years they've been rather obnoxious on certain fronts, but for the most part they've done their bit.

      denegrating this contribution as if it's a new position sun isn't very fair to their company or their developers.
  • When I first got my Visor, a co-worker sent me an app he had been using to encrypt passwords and such. It was called Certicom SecureMemo. To set it up, you would drag your stylus in circles (elliptic curves), and it would generate a key based on this. Now, my question is, doesn't this imply that this technology is already implemented on Palm? Given, it's not OSS, but it is there.

    Unfortunately, I think Certicom pulled the app from their site. Nice app.
    • I'm pretty sure it does not imply this, no.

      your drawing was likely just random input.
    • My guess is that the "elliptic curves" you drew were used to create random numbers, like when you are asked to type random stuff when generating gpg keys. The elliptic curves in Diffie-Hellman are just there as part of the mathematical problem that makes the cipher difficult to decode. The curves there are huge - nothing you could draw on-screen (more like with radii on the order of 2**1024). So no, that does not necessarily imply that they used the same cipher.
    • I'm no expert, but my guess would be that the "drag your stylus about" part was almost certainly just random number generation, and the crypto just, well, plain crypto...

      Elliptic Curves refer to a set of mathematics... Here's a FAQ! [inria.fr]

    • Mod parent up - should be 5-funny.

      Unless of course s/he means it...
  • .. and that they have given a irreversible distribution right for free software, so that its usable on free software but not for proprietary software unlicensed by SUN.

    Or... was that a rather evil thought? I'm not sure anymore, I'm so blinded by my zealotism.
  • Doesn't most hand-helds have more than enough processing power for encryption? Since you don't have broadband connections, the highest possible pressure on the processor is to encrypt/decrypt 56 kbit/s. With f.ex. 233 MHz, that's around 30 MHz pr. kbyte. And if you're encrypting financial transactions the amount of data transfered is very, very small.

    The article cites that current encryption technology is based on 17th and 18th century mathematics - so is quite a lot of other things that work very well indeed. Mathematics don't deteriorate.

    Of course this is a Good Thing (tm), but I honestly don't think that many people will ever notice a difference.
    • Doesn't most hand-helds have more than enough processing power for encryption?

      Most high end PDAs do for file encryption, but as increased demand for WTLS (Wireless TLS), "wireless speed" encryption for high speed GPRS/Bluetooth/802.11/1X networking applications. Applications like online wireless betting or online wireless reservations need better (read: quick) security in PDAs and mobile phones, which have less powerful processors.
  • I read the article, but "technology" was the only thing I read was "donated". WTF does that mean? Did they give them reference code with a GPL (or whetever the OpenSSL library uses)? Did they give up patent rights to the method? The article didn't explain just what the OpenSSL folks got.

  • Supposedly, this offers encryption with less computational demand. And, supposedly, it's not going to be in use for 5 to 10 years.

    If that's the case, my quesion is this: Why bother? Moore's law says that in the 10 years that it will take to get this implemented, CPU's will be *64 times faster* than they are today.

    Just think: "Wow! With this new encryption technology, encrypted 100 megabit networking only takes 0.05% of my processer instead of 0.1%!"

    • Wrong. Moore's Law states that (barring physical laws), the number of transistors on a square unit of substrate will double every 6 months. The number of transistors does not necessarily have a linear correlation to clockspeed.
      • and by the same token, clockseed does not necessarily have a linear correlation to performance :)

      • You're half right, half wrong. Moore's law DOES deal with transistor count. However, it says that it will double every 18 months, not every 6 months. (originally, it was 24 months, but later revised.)

        In practice, however, the actual computational power has been doubling about every 18 months as well.

        As evidence, look at where we were 10 year ago: The big, bad processer to have was a 33 MHz 486. Today's high-end processers have MORE than 64 times the computational power of the 486 of a decade ago - and there's no indication that we're not going to keep on track for another decade.

      • Wrong. "Moore's Law" is more accurately called "Moore's observation" - "You know, transistor density in ICs seems to have been doubling every 18 months."

    • Computing needs electricity which is limited resource in mobile devices. Thus having anything to use less computing increases the battery life.
      • Right, but we keep making individual transistors smaller and smaller, letting them use less and less power. Of course, CPU manufacturers tend to simply add more transistors and/or increase the frequency to make up for the power savings.

        Look at the newest, fastest Athlons - they produce less heat than considerably older versions. Why? Smaller manufacturing process. And that's going to keep on going...


    • Supposedly, this offers encryption with less computational demand. And, supposedly, it's not going to be in use for 5 to 10 years.

      I know the article was a bit low on facts (and more of a big ad for Sun), but you really need to do some Googling before you post. In fact, ECC is used for key agreement and sometimes authentication but almost never encryption.

      If that's the case, my quesion is this: Why bother? Moore's law says that in the 10 years that it will take to get this implemented, CPU's will be *64 times faster* than they are today.

      It makes a big difference. Public key operations are slow by nature. When you decrease the keylength, not only do you have fewer bigint multiplies to perform, but the real key is that you are multiplying smaller numbers. Keep in mind that in 10 years you will also need to use longer keylengths to be secure.

      Just think: "Wow! With this new encryption technology, encrypted 100 megabit networking only takes 0.05% of my processer instead of 0.1%!"

      Maybe in 10 years your networking apps will require 64 times as much bandwidth. Anyway, it's a moot point since no one uses ECC for encryption. ECC is used mostly for key agreement, where practical key lengths are limited by how long you want to make the user wait. A Diffie-Hellman operation with a conservative key length could take as much as 5 seconds of CPU time on a Pentium 2. The equivalent ECCDH negotiation might take only 1 second. Surely that's a significant enough difference.

  • The article reads as if using ECC for small devices is a novel concept. That isn't the case- Certicom is 15 years old, and has done ECC for handheld and embedded devices for at least 4-5 years. It has some solid encryption researchers (Scott Vanstone, for example) and a bundle of patents. Most Palms out today use Certicom's ECC, although newer versions are using RSA. And while Certicom is probably the best known company promoting ECC, I know of several other companies in Japan, Korea and Germany that sell their own implementations of ECC.
    • Ah, the magic word: "Patent"

      ECC algorithms have all sorts of submarine patents and prior art that have prevented widespread adoption. Sun's donation does not change that.

      Too bad, coz ECC is way cool. I did a digital signature app with Certicom ECC that resulted in 42-byte signatures.
  • I can see this as a positive step to secure the network end to end, from the server room down to the smallest of devices, the PDA.

    As it stands now, having a wireless network could be a blessing. Information available at your finger tips. PDAs have never been a strong focal point for security in my experience. It will be great to see a network that can be truly encrypted end to end.

    Now if only the user friendliness of this made it so that even the ordinary citizen could use it.
  • by Anonymous Coward on Thursday September 19, 2002 @05:57PM (#4293057)
    You know what that tells us, right?

    The NSA can already crack it. :)
  • If they are so *&*^ serious about security? The slapper worm has been out for quite a while now, and Sun's cobalts run a REALLY old version of OpenSSL. Sun's last patch was released almost a month ago, for a CGI vulnerability. They've been asked dozens of times about the OpenSSL patch, and won't even give customers the courtesy of a "We're going to have one by X" response. CobaltOS is just a flippin' rebuilt RedHat OS; it isn't hard to patch!
  • by plcurechax ( 247883 ) on Thursday September 19, 2002 @07:06PM (#4293519) Homepage
    'elliptic curve' encryption technology, (developed by Whitfield Diffie of Diffie-Hellman public key fame)

    Elliptic curve cryptography was indepentantly
    invented by Neal Koblitz [washington.edu], Professor of Mathematics at the University of Washington and Victor Miller who was then at IBM.
    (Source [certicom.com])

    Whitfield Diffie is Sun's chief security officer, and co-invented public-key cryptography.
    • by Ungrounded Lightning ( 62228 ) on Thursday September 19, 2002 @09:50PM (#4294419) Journal
      Whitfield Diffie is Sun's chief security officer, and co-invented public-key cryptography.

      Actually, Ralph Merkle invented public-key cryptography (too). Merkle's article was SUBMITTED first, though the Diffie-Hellman article was PUBLISHED first while Merkle's was still going through the review process.

      Not to disparage any of 'em. Merkle and Diffie & Hellman both invented it separately.

      And for you people who follow Nanotech and/or Cryonics, yes it's THAT Ralph Merkle (who didn't invent either cryonics or nanotech, though he does much great work to advance them).
  • by ocie ( 6659 ) on Thursday September 19, 2002 @07:51PM (#4293781) Homepage
    Well Arthur, it looks like this elipse has come full circle.
  • but so what?

    My crypto lib has supported [non-P1363] ECC crypto since quite sometime now. Big deal.

    http://tom.ia hu.ca

    I use ECC in the traditional ElGamal method without standard packet formats. But the idea is the same...

    • Tom,

      Your library is nice, it is portable C with tons of algorithms implemented. Test vectors. Most algorithms even have decently optimized implementations which is a plus.

      But you lack protocols which are necessary to securely implement applications.

      Using 3DES or AES is stupid if the application developer uses ECB (Electronic Code Book) mode of operation because it's faster and simpler. The application developer doesn't know that you need a HMAC to ensure intergity. What about replay attacks? Cut-and-paste attack?

      I don't think you even have secure message padding for RSA implementation.

      You have an interesting library of algorithms, but its is AFAIK lacking the "glue" to make it more useful than OpenSSL (which is ported and tested on many platforms, and heavily optimized assembly).

      So to develop secure applications I will continue to use OpenSSL rather than LibTomCrypt. It is less work for me, simple as that. If you expand your work, that will end my complaints, and we'll both be happy.

      • Well I agree I lack protocols support but that isn't to say I lack the basic algorithms. I have chaining mode wrappers [OFB,CFB,CTR,CFB] for the ciphers, etc..

        In fact unlike the CryptLib and OpenSSL design my library is fully modular which means the OFB code for instance is not tied to one cipher. If you examine CryptLib [and from what I have seen of OpenSSL] they have implemented one OFB [etc] routine per cipher....

        I agree though that protocol support is a good idea but thats not a be-all either.

        Most protocols don't fully specify your PRNG/RNG source or how you should lock memory, store things on disk, etc...

        In otherwords you can comply with say PKCS #1 and still have an insecure application.

        Also unlike OpenSSL my library builds out of the box on virtually every GCC platform without configuration or patching. It even works on my Gameboy Advanced without changes!!!

        In the long run I agree. I do plan on adding things like PKCS #1, P1363, etc... but in the short term I am more interested in getting mature, well documented primitives.

  • License? (Score:4, Interesting)

    by rweir ( 96112 ) on Thursday September 19, 2002 @08:51PM (#4294095) Homepage Journal
    Is it under a 4-clause [gnu.org] or 3-clause BSD [gnu.org] license? OpenSSL is _still_ under the 4-clause license, with the `obnoxious advertising clause' which says that you have to mention the developers in all advertising materials.
    Not such a big deal, you might say, but there are two big problems with this: 1) It's incompatible with GNU GPL, so no straight GPL software can use OpenSSL, and 2) it causes huge practical problems [gnu.org].

    Theses issues are a big [debian.org] problems [debian.org] for [debian.org] Debian [debian.org], in particular.
  • Elliptic Curve Encription isn't 'owned' by Sun. Apple owns some pattent related to it that they got from NeXT (search for Richard Crandall). And it was invented by someone else entirely (see comments above).
  • sun labs (Score:3, Informative)

    by Anonymous Coward on Thursday September 19, 2002 @09:12PM (#4294196)
    Sun has a pretty good site with some informative documentation and a link to OpenSSL's cipher downloads [sun.com]
    1. http://research.sun.com/projects/crypto/
  • by Florian Weimer ( 88405 ) <fw@deneb.enyo.de> on Friday September 20, 2002 @01:35AM (#4295332) Homepage
    There is a saying that in cryptography, there are three types of elliptic curves: the insecure ones, the inefficient ones, and those that have been patented by Certicom.

    I wonder which curves can be used with the code offered by Sun.
  • A FAQ by Sun is at
    http://research.sun.com/projects/crypto/FrequenlyA skedQuestions.html [sun.com]

    It includes technical information and answers questions some people had about licensing.

Real Programmers don't write in PL/I. PL/I is for programmers who can't decide whether to write in COBOL or FORTRAN.