New leadership at security developer Ntru CryptoSystems Inc. is hoping a new services and consulting strategy will help mitigate the damage caused by problems with the company’s core encryption algorithm. Once one of the premier cryptography companies in the United States, Ntru in the past six months has undergone a nearly complete face lift, replacing its CEO, moving away from its main business of licensing its cryptographic algorithms, slashing its staff by a third and placing many of the remaining employees on part-time status.
The changes at Ntru stem from issues surrounding the company’s main intellectual property, the NtruEncrypt algorithm. The algorithm is the heart of the company’s Neo security tool kit line and is the basis for the Ntru public-key cryptosystem. Last fall, the company discovered there were problems with the parameters it had been recommending to customers to improve bandwidth when using the algorithm. Specifically, the problems caused random messages to fail to decrypt.
As a result, someone could mount what’s known as a chosen ciphertext attack, which gleans small amounts of information from each failed decryption. Over time, the attacker would be able to amass enough data to decrypt an entire message, which would call into question the security of every other message encrypted using that key.
Although Ntru discovered the problem with the algorithm on its own, several groups of security researchers found the same weakness at roughly the same time and notified the company.
The problem was an obscure one—affecting just one in 1 trillion messages—but it was serious enough to compel Ntru to disclose it to all its customers and partners while the company’s engineers began working on a new tool kit. Ntru executives maintain the problems didn’t cost them any customers, and several customers contacted by eWEEK refused to comment on the issue. But, unfortunately for Ntru, the security community tends to have a long memory when it comes to such issues.
“The technology was perceived to be better, but it’s not good enough to overcome the objection that no one gets fired for buying RSA [Security Inc. products],” said one person close to Ntru.
“We got a new tool kit out, and we’ve written some papers on this problem,” said William Whyte, director of cryptographic research and development at Ntru, based in Burlington, Mass. “I think everyone understands that this is how things go. We’re working on new parameters, and now we have provable security.”
But, as the furor surrounding the algorithm problems began to subside this spring, Ntru executives decided to refocus the company’s efforts on its nascent consulting business. That decision led to a round of layoffs in February that slashed the company’s payroll to 20—and left many of the remaining employees as part-timers.
One high-level casualty of the same reorganization was Scott Crenshaw, the former CEO, who had been asked to take a diminished role earlier in the year. Crenshaw left Ntru and is now attending graduate school at the Massachusetts Institute of Technology.
“We looked at the financial picture and found that the skill set we had was geared toward getting our [intellectual property] licensed,” said Ed King, Ntru’s former vice president of sales, who is now the company’s general manager. “But we needed to get more consulting. The layoffs were a one-time deal in my mind. By no means are we de-emphasizing the Ntru [intellectual property].”
Much of the consulting work at this point is in the form of custom cryptographic algorithm development and security audits. But Ntru is also doing work with Microsoft Corp., sources said, which could turn into a larger project.