NSA Buys License for Certicoms Encryption Technology

This is the first time that the federal agency has endorsed any sort of public-key cryptography system.

In an extraordinary move, the National Security Agency has purchased a license for Certicom Corp.s elliptic curve cryptography (ECC) system, and plans to make the technology a standard means of securing classified communications.

As part of the $25 million agreement, the NSA can grant sublicenses within a limited field of use. This most likely will include other government agencies, federal contractors and other parties that send sensitive data to the agency.

This is the first time that the NSA has endorsed any sort of public-key cryptography system.

Certicom officials said the agency approached the company about licensing Certicoms ECC intellectual property. ECC is a type of public-key cryptography that utilizes much smaller keys than other systems such as RSA. The technology is designed for use in constrained environments where memory and computing power are at a premium.

In the case of the NSA deal, the agency wanted to use a 512-bit key for the ECC system. This is the equivalent of an RSA key of 15,360 bits.

Certicom has worked with the NSA, based at Fort Meade, Md., on several classified projects in the past, and this agreement is essentially an outgrowth of that work, officials said.

"They were very interested in getting the best IP out there, and we own a lot of the patents in this area," said Tony Rosati, director of marketing at Certicom, based in Mississauga, Ontario. "If you want to build an NSA-approved product, they want this in there."

The agreement, announced Friday, runs for the life of Certicoms patents on the ECC technology, which are valid for an average of about 14 years, Rosati said. Certicom implements its ECC technology in a variety of encryption products, including movianVPN, movianMail and movianCrypt. The company also provides security and cryptographic toolkits for developers.