ECC and/or NSA Suite B?

> On 11/24/06, Matthew S. Hamrick <[hidden email]> wrote:
>
>> Um... what products? For new products, the US DoD now requires Suite
>> B, not FIPS 140 for SBU.
>
> Correct, but Suite B is not an evaluation & certification program.
> It's a subset of FIPS-certifiable algorithms that NSA has selected for
> certain purposes.  Implementations of Suite B algorithms still must be
> FIPS 140-2 certified.
>
> -- Tim
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/ 
> cryptography

> -----Original Message-----
> From:
> Matthew S. Hamrick
> Sent: Friday, November 24, 2006 3:25 PM
>
>
> On Nov 24, 2006, at 11:43 AM, Ron Teitelbaum wrote:
>
> > What has Sun contributed to OpenSSL?  I guess my question is this:
> > If there
> > are version of ECC that are developed and patented by Sun that have
> > been
> > given to the OS communities, either directly or through the OpenSSL
> > license
> > then can we use their implementation?
> >
>
> Yes.
>
> > I wouldn't want to post any code that is not open source in our
> > library
> > which would includes IDEA, MDC2 and RC5.
> >
>
> Some people use SSL with RC5 and many banking applications rely on MDC2.
>
> > If we find that ECC is only available to government users then I
> > suggest we
> > do not include it in our repository, the risk would be too great.
> >
>
> Why?

>ECC and it's related technologies may be patented, but
> in general not copyrighted. An implementation of an ECC cryptosystem
> may be copyrighted, even if it is not patented. By using an open
> source license, the copyright holder of the implementation may
> describe rights under which third parties may copy the implementation.
>
> So...
>
> Even if someone has a copyrighted implementation, you may still be
> able to use it as part of OpenSSL, if that implementation has been
> licensed under the appropriate open source license. (look at Borzoi,
> for instance.) But... if even an open source implementation is put in
> a product and sold, this is a clear violation of patent. Things get a
> little murkier when you're including encumbered technology outside of
> a commercial product. However... if the patent holder issues a
> royalty-free, non-commercial license (as is the case for IDEA) then I
> would guess it's okay to produce and distribute an implementation, as
> long as you don't violate the terms of the non-commercial license.
> Since the Squeak community is not a commercial entity, I think
> there's a justification here...

>
> In short... many patent-holders have explicitly granted third parties
> the right to a royalty-free non-commercial license. In these cases it
> might be useful to include this technology in the repository, but
> possibly make a default Squeak image without it. (As it's entirely
> possible that someone may include Squeak in a commercial product.)
> But the reason you would not want to include encumbered technology in
> a default squeak image is not because the Squeak community could get
> in trouble, but because it would require people who want to use
> Squeak commercially to understand (and possibly remove) code that
> implements the encumbered technology.
>
> > Ron
> >
> >> -----Original Message-----
> >> From: Cerebus [mailto:[hidden email]]
> >> Sent: Friday, November 24, 2006 2:36 PM
> >> To: [hidden email]; Cryptography Team Development List
> >> Subject: Re: RE: [Cryptography Team] ECC and/or NSA Suite B?
> >>
> >> Certicom also holds patents on a number of ECC things (like almost
> >> all
> >> of ECMQV and things like point compression).  NSA has licensed
> >> Certicom's ECC patents en masse for anything done on US Gov't
> >> contract.
> >>
> >> There's a patent letter on the SECG website:
> >>
> >> http://www.secg.org/
> >>
> >> Part of the problem right now is that ECC work is a bit divided,
> >> which
> >> has made standardization a bit of a pain.
> >>
> >> -- Tim
> >>
> >> On 11/24/06, Ron Teitelbaum <[hidden email]> wrote:
> >>> Forgot the link:
> >>> http://www.sun.com/emrkt/innercircle/newsletter/0304cto.html
> >>>
> >>> Ron
> >>>
> >>>> -----Original Message-----
> >>>> From: Ron Teitelbaum [mailto:[hidden email]]
> >>>> Sent: Friday, November 24, 2006 2:25 PM
> >>>> To: 'Cryptography Team Development List'
> >>>> Subject: RE: [Cryptography Team] ECC and/or NSA Suite B?
> >>>>
> >>>> I'm not sure I understand this since SUN released ECC to the public
> >>>> domain.  I'll get an opinion on it:
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: [hidden email]
> >>>>> [mailto:[hidden email]] On Behalf
> >> Of
> >>>>> Matthew S. Hamrick
> >>>>> Sent: Friday, November 24, 2006 2:07 PM
> >>>>> To: Cryptography Team Development List
> >>>>> Subject: Re: [Cryptography Team] ECC and/or NSA Suite B?
> >>>>>
> >>>>> Keep in mind, however, that products violate patent restrictions,
> >> not
> >>>>> implementations. Otherwise OpenSSL would not be able to include
> >> IDEA,
> >>>>> MDC2 or RC5.
> >>>>>
> >>>>> With all the discussion of FIPS 140, I had assumed that most
> >> everyone
> >>>>> on the list is working on government contracts. Otherwise, why
> >> bother
> >>>>> with it?
> >>>>>
> >>>>> The NSA negotiated a blanket US Federal Government deal for
> >>>>> Certicom's patent portfolio for use in ECDSA, ECDH and ECMQV.
> >>>>> So...
> >>>>> if you're a federal government agency, you get to use these
> >>>>> algorithms without having to pay Certicom anything extra. So... if
> >>>>> part of what you're hoping to do is to create an ECC
> >>>>> implementation
> >>>>> that can be used by a federal agency, then you can do so without
> >> fear
> >>>>> of the Certicom lawyers. Now... the moment the implementation gets
> >>>>> used in a commercial product, then you've got issues.
> >>>>>
> >>>>> On Nov 23, 2006, at 10:24 PM, Cerebus wrote:
> >>>>>
> >>>>>> Is anyone working on Suite B stuff?
> >>>>>>
> >>>>>> Rijndael is there, but it probably should be subclassed as AES
> >> proper
> >>>>>> if only to lock down the blocksize to 128 bits and the keysize to
> >> the
> >>>>>> allowed 128 & 256 bits.
> >>>>>>
> >>>>>> SHA256 is there, but it doesn't extent to cover the rest of the
> >> SHA2
> >>>>>> family (SHA384 and SHA512).  SHA384 is part of Suite B.
> >>>>>>
> >>>>>> Is anyone working on ECDSA, ECDH & ECMQV?  (Well, given that
> >>>>>> ECMQV
> >> is
> >>>>>> more heavily patent-encumbered in the US, I can understand if
> >>>>>> it's
> >>>>>> left by the wayside).
> >>>>>>
> >>>>>> If not I might take a crack at a couple of pieces.
> >>>>>>
> >>>>>> -- Tim
> >>>>>> _______________________________________________
> >>>>>> Cryptography mailing list
> >>>>>> [hidden email]
> >>>>>> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> >>>>>> cryptography
> >>>>>
> >>>>> _______________________________________________
> >>>>> Cryptography mailing list
> >>>>> [hidden email]
> >>>>> http://lists.squeakfoundation.org/cgi-
> >> bin/mailman/listinfo/cryptography
> >>>
> >>>
> >>> _______________________________________________
> >>> Cryptography mailing list
> >>> [hidden email]
> >>> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> >>> cryptography
> >>>
> >
> > _______________________________________________
> > Cryptography mailing list
> > [hidden email]
> > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> > cryptography
>
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of
> Krishna Sankar
> Sent: Friday, November 24, 2006 3:09 PM
> To: 'Cryptography Team Development List'
> Subject: RE: Re: [Cryptography Team] ECC and/or NSA Suite B?
>
> You wrote :
>  >
> > 1) I love crypto, and building an ECC implementation would
> > teach me a great deal about it;
> >
> > 2) It gives me a reason to learn Smalltalk, something I've
> > toyed with a dozen times in the past but never made progress
> > at because I had nothing concrete to work on; and
> >
> > 3) It would just be fun.  I'm weird that way.
> >
> > But the last thing I want to do is run afoul of Certicom (or
> > cause others to run afoul of them).
> >
> > So, advice?  Should I press ahead?
> <KS>
> Same reason for me to get involved as well ! Interest in crypto as
> well as a good reason to work on Smalltalk.
>
> Just as a POV, it is Ok to develop ECC. It gives us a leg up for our
> cryptography portfolio. Naturally we would need to figure out the legal
> issues before making it part of the system; but we would need to do that
> anyway. So your efforts (if you choose to do so ;o)) will not be wasted.
>
> I have been looking at the SHA code towards developing the SHA512
> and would welcome you help. We can learn collaboratively ! I was waiting
> for
> the holidays to be over before starting in earnest.
> </KS>
>
> Cheers & happy holidays (Just came back from a grueling Black Friday
> shopping (er .. carrying bags for the better half ...)
> <k/>
>
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of
> Matthew S. Hamrick
> Sent: Friday, November 24, 2006 3:28 PM
> To: Cryptography Team Development List
> Subject: Re: [Cryptography Team] ECC and/or NSA Suite B?
>
> I have a SHA256 implementation kicking around somewhere. It's
> licensed under a BSD license, so it's unlikely to be useful for this
> project. But... feel free to look at it.
>
> http://minnow.cc.gatech.edu/squeak/3253
>
> On Nov 24, 2006, at 12:09 PM, Krishna Sankar wrote:
>
> > You wrote :
> >>
> >> 1) I love crypto, and building an ECC implementation would
> >> teach me a great deal about it;
> >>
> >> 2) It gives me a reason to learn Smalltalk, something I've
> >> toyed with a dozen times in the past but never made progress
> >> at because I had nothing concrete to work on; and
> >>
> >> 3) It would just be fun.  I'm weird that way.
> >>
> >> But the last thing I want to do is run afoul of Certicom (or
> >> cause others to run afoul of them).
> >>
> >> So, advice?  Should I press ahead?
> > <KS>
> > Same reason for me to get involved as well ! Interest in crypto as
> > well as a good reason to work on Smalltalk.
> >
> > Just as a POV, it is Ok to develop ECC. It gives us a leg up for our
> > cryptography portfolio. Naturally we would need to figure out the
> > legal
> > issues before making it part of the system; but we would need to do
> > that
> > anyway. So your efforts (if you choose to do so ;o)) will not be
> > wasted.
> >
> > I have been looking at the SHA code towards developing the SHA512
> > and would welcome you help. We can learn collaboratively ! I was
> > waiting for
> > the holidays to be over before starting in earnest.
> > </KS>
> >
> > Cheers & happy holidays (Just came back from a grueling Black Friday
> > shopping (er .. carrying bags for the better half ...)
> > <k/>
> >
> > _______________________________________________
> > Cryptography mailing list
> > [hidden email]
> > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> > cryptography
>
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of
> Cerebus
> Sent: Friday, November 24, 2006 4:02 PM
> To: Cryptography Team Development List
> Subject: Re: Re: [Cryptography Team] ECC and/or NSA Suite B?
>
> On 11/24/06, Matthew S. Hamrick <[hidden email]> wrote:
> > Actually, they're distinct sets. FIPS-140 supports ECDSA, but not
> > EQMV or EQDH.
>
> DH, ECDH, MQV, and ECMQV key establishment is covered in FIPS 140-2
> Implementation Guidance, section 7.1.
>
> http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf
>
> (Don't ask me why this is under CSRC's 140-*1* directory, but it *is*
> the 140-2 guidance.)
>
> > Another thing to note... FIPS-140 supports ciphers that are insecure.
> > Namely, DES.
>
> Not since 19 May 2005, when DES was formally withdrawn.  DES is no
> longer allowed.
>
> -- Tim
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of
> Cerebus
> Sent: Friday, November 24, 2006 5:48 PM
> To: [hidden email]; Cryptography Team Development List
> Subject: Re: RE: [Cryptography Team] ECC and/or NSA Suite B?
>
> On 11/24/06, Ron Teitelbaum <[hidden email]> wrote:
> > I already wrote the smalltalk version of SHA256, which works great but
> is
> > slow.  We need the slang code now.
>
> There's a couple of things that are really slow.  I've not had enough
> patience yet to let Diffie-Hellman Group 2 keys finish generating on
> my PB G4.
>
> 1024-bit RSA keys generate in a couple of seconds, though.  Why the
> difference?
>
> -- Tim
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography