Digital identity authentication and data encryption are expanding exponentially with our growing reliance on the Internet of Things (IoT). Companies are looking to technology to minimize risk, protect assets, and reduce operational expense by safeguarding access to information and systems. In the past, user names and passwords used to be the gold standard but as we learn more about security in a hyper-connected world, alternate methods relying on Public Key Cryptography have become very popular. As if it’s not complicated enough to identify and implement the right blend of security technology for a specific use case, along comes CryptoPeak Solutions LLC to throw a monkey wrench into the works.
Let me set the stage: Certified Security Solutions (CSS) lives and breathes digital identity, encryption, and signing technologies. I personally spend practically every waking hour researching digital certificates used in SSL/TLS to understand how identity is represented (and sometimes misrepresented) in the wild. This week, I’ve been disappointed to read all over the Internet about a volley of lawsuits that just might undermine the trust placed in digital certificates.
ECC patent trolling
CryptoPeak Solutions LLC is suing more than 70 large companies over alleged infringement of US Patent 6202150B1 which broadly covers issues of key management in crypto systems. CryptoPeak’s assertion appears to be that any website delivering HTTPS content that uses digital certificates with Elliptic Curve Cryptography (ECC) keys stands in infringement of their patent. This behavior has been described as “patent trolling” by a large number of technical and legal experts, and I generally agree with that assessment. However, what concerns me much more than the legal issue is understanding the potential ripple effects these suits might have on the SSL/TLS ecosystem – and the larger world of IoT security – that might arise from these legal proceedings.
Our CSS Research team has been conducting a Certificate Monitoring Survey by scanning the entire Internet with the goal of learning how digital certificates are being used. From the data gathered, we’ve identified approximately 2,700 sites on the Internet that utilize ECC keys in the SSL/TLS certificates for HTTPS. Although the number of sites using ECC is growing, many of the sites currently belong to only a handful of corporate entities. For example, Facebook as a company accounts for more than 60 of those nearly 2,700 sites.
The bigger impact of ECC patent trolling
Even though the number of ECC key adopters remains relatively small when compared to more widely distributed RSA keys for SSL/TLS, CryptoPeak’s lawsuits are troubling because of potential negative impact on the future adoption and renewal of digital certificates with ECC keys. Security on the Internet is based on trust, and trust is earned by organizations that take a strong security posture and choose strong cryptographic keys for the SSL/TLS certificates for their webservers. Patent trolling in this area is especially distressing because it weakens the trust placed in digital certificates, which jeopardizes secure communications as organizations reconsider their use of ECC keys in favor of weaker cryptosystems to avoid the possibility of being named in infringement lawsuits.
Additionally, much of the security in the budding Internet of Things relies on ECC keys to secure communications and establish identity. A great example is the development of the U.S. Department of Transportation mandated vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) systems, where ECC keys are preferred for multiple reasons, including smaller certificate file size, lower power requirements, and similar cryptographic strength in smaller key size as compared to RSA keys. Though the CryptoPeak lawsuits seem to be currently constrained to applications for HTTPS, a similarly broad reading of the patent language could cause organizations to forgo ECC and its advantages in IoT applications to avoid litigation. That decision could have a damaging effect on the development of secure IoT devices and networks like the aforementioned V2V and V2I systems.
Worldwide Internet certificate research
Check out the CSS website for data on the current Internet landscape of SSL/TLS, as well as the ability request a custom report on your company's digital certificates we have observed monitoring SSL/TLS usage on the Internet: https://www.css-security.com/research/.
For more information about the Certificate Monitoring Survey and the efforts of CSS Research, please contact us at firstname.lastname@example.org.