Re: Removing Elliptic Curve
I thought the SSL cert folks were starting to push ECC as the "next big thing"?
Can open, worms everywhere.
Here's the short version: Y'need an asymmetric-encryption algorithm for authentication, and possibly for key exchange (though you can use other mechanisms for key exchange). There are currently three families of asymmetric encryption used in TLS: RSA, DSA, and the ECC algorithms.
DSA is basically only used by the US Federal government. RSA and DSA both require pretty big keys, because (in the best case) they depend on factoring for their strength, and factoring isn't all that hard. And factoring has gotten easier over the past couple of decades; some people worry there will be a breakthrough and it'll get a lot easier.
ECC asymmetric encryption gets the same equivalent strength with much shorter keys. And the ECC problems are currently harder to brute-force than factoring, and they haven't gotten easier (at least insofar as anyone has published) since they were introduced (except for some special cases that are well-known and everyone avoids).
From the late '80s until 2001, the NSA seems to have been actually trying to help improve commercial cryptography.[1] In the mid-'90s they came out with "Suite B", a set of crypto guidelines.
Suite B pushed ECC strongly. Of course this raised suspicions for many people, but the arguments in favor of ECC were strong, too. And it meant that ECC has received a lot of scrutiny since.
For a long time, people have known that the ECC scheme for cryptographic pseudorandom number generation had the unfortunate (for users) aspect that any given set of parameters could have a backdoor. That's not a problem if you generate your own parameters, but if you take them from someone else, you have to trust them. And NIST published a recommended version of that RNG (Dual_EC_DRBG) with a suggested (not mandatory) set of parameters that came from the NSA. That was very likely back-doored. Of course no one used it ... oh, except everyone who used RSA Security's BSAFE software with the default configuration. The $10M payment from the NSA to RSA is probably just a coincidence.
That scandal fed the ECC skeptics / conspiracy-theorists, who worry that the NSA has backdoors for all ECC. Many experts feel that's rather unlikely, but it's a matter of contention.
Then, in August of this year, the NSA published a piece that said, hey, everyone should be paying more attention to this "post-quantum cryptography" stuff, and if you haven't moved from RSA to ECC yet, don't bother. This elicited a collective response of "WTF??!" from the community. The NSA clarified its position as "yeah, what we said before".
So: Does the NSA want people to avoid ECC because it thinks it's broken, or will be soon? Does it want people to avoid ECC because it's too hard for the NSA themselves to break? Is it playing an elaborate prank? We don't know.
What we do know is that RSA is getting weaker (faster than Moore's-Law growth in computing power), and none of the vaunted post-quantum algorithms are sufficiently well-examined to have much confidence in - and in any case they're not deployed. In many circumstances ECC is the only real choice.
Also you can get Perfect Forward Security with ECC. You can't do that with RSA key agreement, though you can with DH key agreement and an RSA signature. But again ECDH has advantages over vanilla DH (DH in a binary field).
Oh, and just recently we have RSA discontinuing the BSAFE product. What does that mean? Not clear - though it means even fewer options for a TLS implementation, particularly if you need FIPS 140-2 validation (generally because you sell to the US Federal government).
See A Riddle Wrapped in an Enigma for a much better and more detailed discussion.
[1] This is really complicated. The NSA has an offensive and defensive remit, because part of its mission is to make what it does harder for everyone else. That's apparently why the NSA hardened DES against differential cryptanalysis (which was then still a secret technique) in the '70s. After the Cold War ended with the fall of the USSR and the US DoC loosened its stance on commercial crypto, the NSA's IAD division under Brian Snow seems to have been legitimately concerned with improving the state of commercial crypto. 2001 changed all that, of course.