Encryption software kingpin RSA Data Security, with patents on its cryptography algorithms due to expire in September of the year 2000, said today it will support elliptic curve cryptography (ECC), a rival technology to its own algorithms that it has badmouthed in the past.
Although RSA had earlier signaled its intent to support elliptic curve, next week's announcement at RSA's annual user conference puts a timeframe of mid-1998 on adding ECC to version 4.0 of its flagship BSafe toolkit. Next month about 50 key developers will begin testing a beta version of BSafe 4.0, RSA's general-purpose cryptography toolkit.
Scott Schnell, RSA's vice president of marketing, said BSafe 4.0 will support three versions of elliptic curve cryptography (ECC) that are winding their way through standards bodies IEEE and ANSI.
"We are offering robust implementations so some vendors can bring product to market over the next couple of years or experiment with how to apply elliptic curve in the future," Schnell said. Also new in version 4.0 will be support for X9 encryption standards for online financial transactions. Existing support for RSA's algorithm, Diffie-Hellman, and the government's Digital Signature Algorithm (DSA) will be retained.
Michael Zboray, a network security analyst for Gartner Group, called RSA's support for elliptic curve "a smart business move."
"Implementing these kinds of cryptographic solutions is not a natural thing for most developers," Zboray said. "Relying on the facts that RSA and Certicom have experienced cryptographers and experienced coders who understand how to implement cryptography in software means developers will make fewer mistakes than if they hired someone off the street."
Using a tested toolkit also reduces the likelihood of undiscovered bugs and resulting security holes, Zboray added.
Elliptic curve cryptography is generally regarded as faster than RSA algorithms and as requiring less processing power. For those reasons, ECC encryption, which scrambles data using complex mathematical functions, is attractive to software developers targeting devices with limited memory or processing power, such as smart cards and cellular phones.
Separately, RSA rivals Pretty Good Privacy and Certicom each announced deals today in which their crypto algorithms are being used in products. Those announcements follow newcomer Meganet's announcement last week that it's now shipping its full line of cryptography products.
Infowave announced today that it will use Certicom's Security Builder cryptographic toolkit to create software based on Windows CE for wireless, mobile computing devices.
In PGP's announcement, Electronic Commerce Systems said it is incorporating PGP into its NetVAN service and products for Internet-based electronic data interchange (EDI).
Electronic Commerce provides secure network services, called value-added networks or VANs, for Net-based EDI. EDI involves using forms to automate computer-to-computer transactions without any human intervention, and running it over the Internet instead of secure private networks cuts costs.