hamirpuria
Joined: 23 Feb 2004
Posts: 15
Location: 121W59, 37N33
|
 Posted: Fri 16.02.2007, 01:08 Post subject: Himachali achieving success in Silicon Valley. |
 |
|
Vipul Gupta
Internet Security 2.0
Small-Town Boy Makes Good in Silicon Valley and Beyond
February 15, 2007
Vipul Gupta grew up in Solan, India, a small town nestled in the foothills of the Himalayas, beyond the reach of television. There was only one car in the whole town and it belonged to a wealthy industrialist. Everyone else walked or rode bicycles.
"Growing up like that, I didn't even know what else was out there," Gupta says. "When I was a little older I heard about Silicon Valley, and I always thought of this as a fascinating place where so many of our life-changing inventions were brought to life."
The place that fired the boy's imagination has been the man's home for more than a decade now -- and he has been busy adding to its legend.
To the cognoscenti, Gupta, a Sun researcher and Distinguished Engineer, is known as the man behind Internet Security 2.0.
"Vipul's most notable achievement is his work on migrating the Internet's security infrastructure from the old RSA public-key system to the new and highly efficient Elliptic Curve Cryptosystem," says Roger Meike, a senior director in Sun Labs.
Elliptic-curve cryptography (ECC) could be called the next big thing in cryptographic technology except that it's actually much smaller than its predecessor, the widely used Rivest-Shamir-Adleman algorithm, better known as RSA. What's more, ECC is both stronger and faster, and it makes more efficient use of memory, bandwidth, and energy.
All of which may account for its growing popularity.
As you'd expect, ECC is an integral part of Sun products such as the new Sun Java Web Server, Java Card, and Java Standard Edition, not to mention the upcoming "Niagara 2" microprocessor.
Just as important, if not more so, ECC is also being incorporated into products from Apache, Mozilla, Microsoft, and Red Hat.
Widespread adoption is exactly what Gupta and team have been striving for.
"The thing about networking protocols is that if you are the only one who implements it, unless you have a monopoly on both the clients and the servers, it doesn't buy you much," he says. "We knew we would have this in Sun products. We wanted to make sure there were other products that could talk to it, so customers would be able to use it."
He notes that the benefit of any networking technology increases as a square of the number of devices that implement it, a phenomenon often dubbed "the network effect."
"So the fact that ECC has become a standard that is being implemented in the world's most popular Web servers and browsers is extremely gratifying," Gupta says.
But getting there wasn't easy.
Always in the back of his mind was the tongue-in-cheek adage: "The good thing about standards is there are so many to choose from."
"Often you find standards that do the same thing but in different ways, and people tend to pick winners," Gupta says.
He also points out that the best technology -- whether it's an approved standard or an in-house project trying to gain traction -- doesn't always win.
"When I look at examples of projects at Sun Labs that have had great technology but somehow weren't able to make that leap into a product, what I see is ... that's an area where we somehow lucked out," he says. "People we interacted with were very open, and I guess we should take some of the credit for it, too -- that we didn't rub them the wrong way."
The team's approach involved humility and a willingness to roll up their sleeves.
"What researchers often overlook is that product groups have their own constraints and are working very hard within those constraints. If they're not doing something, they have very good reasons. So what helped was just trying to understand what their constraints were and what we could do on our side to make it easier for them to run with the technology," Gupta recalls.
"It wasn't a case of we've done all the interesting work, let those guys take care of the grunt work. A lot of times we participated in the grunt work -- the documentation, the testing -- and did a lot of it ourselves. It was well worth it. I'm much happier to see something built and used."
What he didn't want to see was a replay of past problems where improved security standards were thwarted by incompatible implementations from, say, Mozilla and Microsoft, that would have no choice but to default back to a less secure method in order to complete a transaction.
In addition to leading the development of open standards around elliptic curve cryptography, Sun made ECC code contributions to prominent open source projects -- Firefox and OpenSSL -- and began an ECC interoperability forum with Microsoft and Red Hat. They were soon joined by companies such as Verisign, RSA, and Certicom as well as open-source groups such as Apache and Mozilla.
"What we found was not only issues in the implementations but also some ambiguities in the specification itself, and we were able to catch that and fix it early enough -- before everything was finalized," Gupta says.
Even the U.S. government's National Security Agency has endorsed elliptic-curve cryptography.
"The NSA has an initiative called Suite B, where they are not using RSA at all. They are going with ECC alone as the only public-key cryptography technology. That basically makes ECC the gold standard, so we expect all security-sensitive organizations to migrate to ECC," Gupta says.
At the heart of every public-key cryptosystem is a mathematical problem that is computationally intractable. The harder the problem, the stronger the security of the corresponding system.
"The best known algorithms for attacking the integer factorization problem underlying RSA run faster than the corresponding algorithms for attacking ECC. For this reason, ECC can offer equivalent security with substantially smaller key sizes," Gupta explains. "Smaller keys result in computations that are not only faster but also take up fewer resources -- memory, energy, bandwidth."
Simply put, the smaller the device, the more ECC shines.
Gupta has always been fascinated by small devices that connect to a larger world -- a thread that runs through much of his work in the labs. That, and a decidedly contrarian streak in his nature.
"I enjoy people telling me that something can't be done," he says.
A case in point: In the late 1990s people said mobile phones were too small to implement standard Internet security protocols such as SSL, the secure sockets layer.
Gupta wasn't buying it.
"A colleague and I started tinkering with a small implementation of SSL, called KSSL (for kilobyte SSL), on a Palm PDA. The first time we ran it of course it was extremely slow. I remember the first handshake took about 70 seconds, but we were still excited because people thought, even memory-wise, you couldn't make it work. So the fact that it completed was reason to high-five. Even though it took more than a minute, we knew. That was just a start. We hadn't done any optimizations yet," he says.
By the time they were done, the handshake was down to a couple of seconds -- and a live demonstration convinced the WAP Forum, an early standards body for Internet-enabled phones, to abandon its proprietary (and less secure) protocol in favor of the industry standard.
Since then Gupta has worked with even smaller devices, including the world's smallest secure Web server, Sizzle (about the size of a quarter-dollar coin), and is currently working with Project Sun SPOT (Small Programmable Object Technology).
"These are tiny Java-enabled devices that have the ability to autonomically sense and respond to their surroundings and you can apply that to all kinds of things," he says.
They can be used to monitor the health and safety of human beings, redwood trees, bridges, and other structures. They can even be used to monitor the movement of enemy vehicles on a battlefield.
"Once you install these in a redwood tree, if there's a bug in the code, you don't want to send someone with a ladder to get the thing down, put new code in, and put it back up. Or in a military environment you won't have too many people volunteering to go out in the battlefield, pick up all these devices, and bring them back for reprogramming," Gupta says. "So one of the things you need for these devices is the ability to do reprogramming over the air -- and when you do that there are security concerns."
In other words, the ECC story is just beginning. |
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
