
Upward Curve

Nurtured and developed at Sun Labs, Elliptic Curve Cryptography (ECC) is fast becoming a critical industry standard for Internet security.

February 5, 2007 - What was once a novel concept is rapidly making the transition to competitive necessity. Elliptic Curve Cryptography (ECC), an open, powerful security technology developed extensively by Sun Labs, is now implemented in core products from major technology vendors—including Sun, Microsoft, and Red Hat—as well as Open Source organizations and projects such as Mozilla/Firefox and OpenSSL/Apache. It has also been endorsed by the National Security Agency (NSA) as the public-key technology of choice for protecting sensitive but unclassified U.S. Government information.

"Elliptic Curve Cryptography is at the tipping point of widespread adoption," said Greg Papadopoulos, Executive Vice President and Chief Technology Officer at Sun. "For customers, ECC means efficient security. For vendors serving those customers, it means easy interoperability. More than that, with ECC, you don't have to choose between performance and security. Simply put, it's fast and strong and small enough to fit on any net-connected device. What's more, it can accommodate enormous volumes of secure transactions."

Representatives from Sun, Microsoft, Red Hat, Certicom, and the NSA are participating in a joint panel at the RSA 2007 conference, describing how the widespread adoption of ECC technology marks a significant shift for the security industry.

Rock-solid Security for Lightweight Devices

ECC is an alternative to RSA, the primary public-key technology in use for providing secure communications over the Internet. Invented in 1985 by Victor Miller and Neal Koblitz, ECC provides the same degree of security as RSA with approximately one-eighth the key size, making it especially useful for small, mobile devices that are limited in power, CPU performance, memory, or bandwidth.

After languishing for several years, ECC technology caught the attention of the Next-Generation Cryptography Team at Sun Labs in 2001 as a means of addressing the growing security requirements of the new generation of lightweight devices such as cell phones, PDAs, laptops, sensors, and wireless transducers.

"We could foresee that with the growing e-commerce, wireless, and mobile markets, there would be more lightweight devices connected to the Internet and security would become a greater concern," said team leader Sheueling Chang-Shantz, a Sun Distinguished Engineer.

The team, which included fellow engineers Hans Eberle, Vipul Gupta, and Nils Gura, implemented ECC crypto libraries and security architectures for various platforms (ranging from small sensors to high-performance Web servers); created a common hardware architecture for accelerating ECC; and made open source contributions of ECC code to the Firefox browser and OpenSSL, which powers the market-leading Apache Web server.

Sun engineers also led the standardization of ECC in HTTPS, the dominant protocol for handling secure transactions over the Internet. This open specification, published as RFC 4492, is being implemented by leading vendors of UNIX, Windows, and Linux systems.

    Specifically:

    • Sun has implemented ECC in its Sun Java Web Server 7.0, Java 2 Standard Edition (Java SE) 6.0, and Niagara 2 processors

    • Microsoft has included an implementation of the IETF ECC specification in Internet Explorer and Internet Information Server in Windows Vista

    • Red Hat is supporting ECC in its Linux distribution

In addition, Sun, Microsoft, and Red Hat have initiated a multi-vendor ECC interoperability forum to help ensure seamless interoperability among the ECC-enabled products from each vendor. In the process, Sun has been joined by several other companies and organizations, including VeriSign, RSA, Certicom, and open source organizations and projects (including OpenSSL, Mozilla, and Apache) working together to make sure that when customers purchase ECC products from different vendors the products will all be interoperable.

Sun's research in ECC has resulted in many awards and distinctions, including best paper awards at ASAP 2003, Hot Chips 2004, and PerCom 2005. And Sun's results are quoted by other ECC vendors and research organizations to promote the technology.

For More Information

Additional details about Sun's use of and advocacy for ECC technology, along with information about Sizzle, the world's smallest secure Web server, and the ECC-enabled versions of OpenSSL and Mozilla/Firefox, can be found on the Sun Labs Next Generation Crypto Project Web site.

# # #