Information Security News mailing list archives

Open-source group gets Sun security gift


From: InfoSec News <isn () c4i org>
Date: Fri, 20 Sep 2002 01:52:41 -0500 (CDT)

http://msnbc-cnet.com.com/2100-1001-958679.html

By Stephen Shankland 
Staff Writer, CNET News.com
September 19, 2002, 1:27 PM PT

SAN FRANCISCO -- Sun Microsystems has donated new cryptography
technology to an open-source project at the heart of many secure
transactions on the Internet.

Sun's "elliptic curve" technology is involved in the process of using
keys to encrypt and decrypt information for electronic transactions.  
Such encryption lets people buy products online, for example, while
shielding their credit card number from prying eyes. The Santa Clara,
Calif.-based server seller donated the technology to the OpenSSL
project, a programming group that makes an open-source version of the
Secure Sockets Layer (SSL) encryption system.

Elliptic curve cryptography will enable secure communications with
devices that don't have as much calculating power as most desktop
computers, said Whitfield Diffie, Sun's chief security officer and a
pioneer of the Diffie-Hellman "public key" cryptography method used
today in SSL and other encryption systems. Diffie spoke Thursday
during a news conference at the SunNetwork conference here.

"Small gadgets are the most obvious place to use it," Diffie said, but
once the technology is built, it likely will spread farther. "The
deployment schedule is on the order of several years to a decade
unless something comes along in the interim. I would conjecture that
by 2010 or so, this will be widely used."

Current encryption technology is based on mathematics developed in the
17th and 18th centuries, Diffie said. "Elliptic curve cryptography
brings it forward into the mathematics of the 19th century," he said.

Diffie exhorted companies to build security into computing services
from the start, not patch it on at the end, and announced Sun products
to help in that plan. In combination with software and hardware
companies, Sun announced a partnership to build a "perimeter security"  
product that handles problems at the boundary of corporate computing
networks and the public Internet. The product will filter out
undesired network traffic, detect intrusions and screen for viruses.

Sun also announced a secure Web server, the software that delivers Web
pages across the Internet. Because Web servers typically are very
public, they're a particular target for attacks over the network.

The increasing reliance on computer-based records compared with
paper-based records makes good computing security essential, Diffie
added. "Ten years ago, probably you'd have been OK if you lost your
computer files and you had your paper records," but no longer.

Diffie's cryptography work didn't always sit well with U.S. government
agencies that wanted to keep control over computer security, he said.  
Today, the government recognizes that there needs to be a
collaboration with the private sector. Reinforcing the point, Diffie
shared the stage with Richard Clarke, President Bush's special advisor
on cyberspace security, who unveiled on Wednesday a public-private
sector plan to increase computing security.

"The government tried to regulate cyberspace. By the time (the
policies were) written and published and commented on, the technology
would have moved on," Clarke said. "We recognize that the government
neither owns nor operates most of the critical infrastructure in the
U.S."

Sun long has been concerned with security and frequently jabs its
nemesis Microsoft for only recently putting a high priority on the
subject.

Sun touted its Trusted Solaris, a 10-year-old version of its flagship
operating system. Trusted Solaris assigns security "labels" to
computer users and the resources they need, such as files.

Trusted Solaris was developed initially for the government to
accommodate security needs such as varying degrees of information
secrecy, said Rama Moorthy, a product line manager in Sun's network
security group. Now, though, business customers also can benefit, and
Sun is moving Trusted Solaris features to the regular version of
Solaris, she said.




-
ISN is currently hosted by Attrition.org
