Sun's "elliptic curve" technology is involved in the process of using keys to encrypt and decrypt information for electronic transactions. Such encryption lets people buy products online, for example, while shielding their credit card number from prying eyes. The Santa Clara, Calif.-based server seller donated the technology to the OpenSSL project, a programming group that makes an open-source version of the Secure Sockets Layer (SSL) encryption system.
Elliptic curve cryptography will enable secure communications with devices that don't have as much calculating power as most desktop computers, said Whitfield Diffie, Sun's chief security officer and a pioneer of the Diffie-Hellman "public key" cryptography method used today in SSL and other encryption systems. Diffie spoke Thursday during a news conference at the SunNetwork conference here.
"Small gadgets are the most obvious place to use it," Diffie said, but once the technology is built, it likely will spread farther. "The deployment schedule is on the order of several years to a decade unless something comes along in the interim. I would conjecture that by 2010 or so, this will be widely used."
Current encryption technology is based on mathematics developed in the 17th and 18th centuries, Diffie said. "Elliptic curve cryptography brings it forward into the mathematics of the 19th century," he said.
Diffie exhorted companies to build security into computing services from the start, not patch it on at the end, and announced Sun products to help in that plan. In combination with software and hardware companies, Sun announced a partnership to build a "perimeter security" product that handles problems at the boundary of corporate computing networks and the public Internet. The product will filter out undesired network traffic, detect intrusions and screen for viruses.
Sun also announced a secure Web server, the software that delivers Web pages across the Internet. Because Web servers typically are very public, they're a particular target for attacks over the network.
The increasing reliance on computer-based records compared with paper-based records makes good computing security essential, Diffie added. "Ten years ago, probably you'd have been OK if you lost your computer files and you had your paper records," but no longer.
Diffie's cryptography work didn't always sit well with U.S. government agencies that wanted to keep control over computer security, he said. Today, the government recognizes that there needs to be a collaboration with the private sector. Reinforcing the point, Diffie shared the stage with Richard Clarke, President Bush's special advisor on cyberspace security, who unveiled on Wednesday a public-private sector plan to increase computing security.
"The government tried to regulate cyberspace. By the time (the policies were) written and published and commented on, the technology would have moved on," Clarke said. "We recognize that the government neither owns nor operates most of the critical infrastructure in the U.S."Sun long has been concerned with security and frequently jabs its nemesis Microsoft for only recently putting a high priority on the subject.
Sun touted its Trusted Solaris, a 10-year-old version of its flagship operating system. Trusted Solaris assigns security "labels" to computer users and the resources they need, such as files.
Trusted Solaris was developed initially for the government to accommodate security needs such as varying degrees of information secrecy, said Rama Moorthy, a product line manager in Sun's network security group. Now, though, business customers also can benefit, Sun is moving Trusted Solaris features to the regular version of Solaris, she said.