COLORADO SPRINGS, Colo. - Certicom Corp., spurred by the recent licensing of its elliptic-curve cryptographic tools to the National Security Agency, is offering a tool kit for government contractors that includes multiple layers of security tools: encryption, Internet Protocol Secure, Secure Sockets Layer and public-key infrastructure digital-certificate management.
The Certicom Security Architecture for Government package represents a new turn for the 20-year-old elliptic-curve specialist, after four years in which the company focused almost exclusively on software products for mobile markets, said Certicom marketing director Brendan Ziolo. The NSA prime-contractor market is just the first for which a variety of intellectual-property (IP) licensing models will be pursued. In 2005, Certicom will launch a licensing program for chip vendors.
Elliptic-curve cryptography is a public-key crypto system that leverages the difficulty of solving elliptic-curve discrete logarithms for public-key security. When the National Institute of Standards and Technology promoted the private-key Advanced Encryption Standard two years ago as a follow-on to the Data Encryption Standard, NIST simultaneously suggested moving to public-key algorithms that rivaled AES in strength. Thus far only elliptic-curve types fit the bill.
The National Security Agency, the U.S. intelligence agency for signals intelligence and communications security, licensed elliptic-curve patents from Certicom in October 2003. The move indicated intelligence community support for the Certicom algorithms.
Two tool levels
The Canadian Communications Security Establishment, Canada's version of the NSA, also promoted elliptic-curve algorithms, hardly a surprise given Certicom's base in Mississauga, Ontario. But Ziolo said the NSA seal of approval goes further, adding that the company expects business from NATO countries within the next few years.
Certicom is fielding two levels of tool kits this month. Security Builder GSE is aimed at general security OEMs or software developers that want to embed a Federal Information Processing Standard (FIPS) 140-2 validated crypto module in their products, which could then be sold to such government agencies as the Departments of Homeland Security and Commerce. Among the applications for the more general package are common-access cards for the Department of Defense, transportation worker identification credential cards for Homeland Security and smart passports embedding elliptic-curve digital signatures. The GSE program is said to help eliminate the typical eight- to 12-month FIPS validation process for crypto modules.
The second level, Security Builder NSE, targets contractors working with the NSA or other intelligence agencies to develop crypto products for even stronger classified applications (what the agency calls field-of-use products). Mike Harvey, product manager for the GSE and NSE products, said the NSA purchased royalties for Certicom source code as well as software operating under Windows or Linux.
"The original assumption was that the NSA would simply provide specs to the contractor and would pass on the rights to use elliptic-curve on a royalty-free basis," Harvey said. "But the contractors wanted more than that. They wanted a tool kit that would step them through the product development process and include the source code."
OEMs or ISVs that use Security Builder NSE normally would apply to the NSA for approval of a design and then sublicense elliptic-curve rights for a specific project. If they had not worked with the NSA before but wanted to sell into classified accounts, they could come directly to Certicom for IP rights, but at some point "they'd have to work within the NSA approval process," Harvey said.