Securing government communications with ECC
By Jim Alfred
When the federal government requires an improvement of security or interoperability -- and no acceptable industry standards or solutions exist at the time -- the National Institute of Standards and Technology (NIST) will develop a Federal Information Processing Standard (FIPS). FIPS is a stringent security requirement that specifically relates to products that include encryption as a security feature. In order to win business within the government market, vendors must meet FIPS requirements.
NIST issued the FIPS 140-2 standard to coordinate the requirements and standards for cryptography modules produced by private sector vendors. This standard covers both hardware and software components. It specifies that 11 security areas must be met by a cryptographic module used inside security systems that collect, store, transfer, share and disseminate "sensitive but unclassified" information. As a result, FIPS 140-2 has become the undisputed security standard within the government sector; not only in the U.S., but also in other countries.
Even though it is imperative that agencies adhere to FIPS 140-2 standards, there is another level of security that they need to be aware of because of the federal government’s Crypto Modernization Program. In February 2005, the National Security Agency (NSA) announced a recommended set of advanced cryptography algorithms known as "Suite B" to take the place of legacy systems using 3DES symmetric algorithms, the SHA-1 hash algorithm and 1024 RSA/DSA/Diffie-Hellman asymmetric algorithms.
Suite B was developed for use in next generation encryption products to protect both "sensitive but unclassified" as well as "classified" communications. Suite B, which has also been approved by NIST, specifies Elliptic Curve Cryptography (ECC) algorithms and curves for public key applications.
The main advantage of ECC is its efficiency. To deliver solutions with 128-bit security as recommended by NIST, the NSA recommends using security products containing AES-128, SHA-256 and ECC-256. To deliver NIST-level security, products containing the RSA algorithm would have to use a whopping 3,072 bits of information.
By contrast, ECC provides the most security per bit, requiring less power consumption and producing less heat. Beyond the benefits of stronger security, ECC also enables significant operational benefits relating to bandwidth and memory requirements for constrained devices. That’s why the ubiquitous Blackberry used by many government employees today chose ECC-based security years ago. Other government suppliers are also using ECC-based security solutions for applications ranging from battlefield communications to homeland security to digital passports to federal ID smart cards.
Achieving both FIPS and Suite B standards often requires extensive re-coding and can take 8-12 months of development time. The financial burden is also high, with the cost of validating a cryptographic module ranging from $50,000 to $100,000. This significant investment of money and time can severely impact return on investment (ROI), strain resources and delay the release of new products.
As systems integrators, product vendors and solutions providers look to provide stronger security and meet FIPS and Suite B standards, commercial security providers, such as Certicom, can deliver intuitive programming, high-performance code and quality documentation to help them achieve their goals in the shortest possible time.
Jim Alfred is the Director of Product Management for Certicom Corp. He can be reached at: .
- Add your comment
- trackback url: http://www.gsnmagazine.com/cms/trackback/680-1
