RSA to strut elliptic curve encryption

Disclaimer: This information comes from sources that cannot be verified. As such, make no assumptions about its completeness or accuracy. We endeavor to keep this information up to date as much as possible. Feel free to send comments/ updates to the Security News Editor.

January 12, 1998, Issue: 771
Section: News

RSA to strut elliptic curve encryption

Charlotte Dunlap

San Francisco -- RSA Data Security Inc. will announce tomorrow trials of a new encryption technology, called elliptic curve, with both Netscape Communications Corp. and Microsoft Corp. during its annual Security Conference here, according to sources close to the companies.

Elliptic curve is a next-generation cryptography that encrypts messages more efficiently by employing shorter key lengths, observers said.

RSA has been bashing the new form of cryptography for months and telling customers the technology is still new and not proven.

Now, in a turnaround, RSA is embracing elliptic curve. But it is treading softly in the new markets, which could cannibalize current RSA cryptography products used by most of its current customer base.

Unlike its competitors who are designing the new algorithm for a variety of platforms, RSA is targeting its technology at a limited market-developers creating devices with low-end memory and chip designs, including cellular telephones and pagers.

"The clear win for using elliptic curve cryptography is [for use] in very processor-limited and memory-limited devices, where you're not trying to comply with certificate-based standards, such as SET and S/MIME," said Scott Schnell, vice president of marketing for RSA, Redwood City, Calif.

VARs were cautiously optimistic about elliptic curve, but said RSA is limiting the market artificially.

"That's because they have a significant licensing base that will become disenfranchised if RSA responds with competitively priced elliptic curve," said Bill Ferguson, president, Arundel Group Inc., Monte Sereno, Calif.

RSA also is limiting its recommendation of the technology's use because, "the signature verification process ends up being very slow when using elliptic curve with private, closed systems," said Schnell.

Competitors disagree.

"Traditionally, elliptic curve has been thought of as very slow," said Philip Deck, president and chief executive of Mississauga, Ontario-based Certicom Corp. "Even though it uses smaller key sizes, people have had trouble getting it to perform fast, but our technology runs hundreds of times faster [than RSA's cryptographic algorithm]," he said. Certicom provides cryptographic technologies.

Certicom's 160-bit elliptic curve cryptosystem is said to offer speed and efficiency advantages over RSA's 1,024 bits due to smaller key lengths and faster computation.

"The strategy [RSA] has taken is to cast as much fear and uncertainty around the technology, and they've done a lot of people a disservice," Deck said.

Separately, Network Associates Inc., formerly McAfee Associates, outlined its own technology strategy to CRN.

Over the next 12 months, the Santa Clara, Calif.-based company will expand its current portfolio of products to include a more complete security solution, including firewall software, authentication and digital certificates, and biometrics including retina and thumb-print identification capabilities.