Smart Card: Diebold Licenses Certicom's Encryption System

Diebold Inc. has licensed the elliptic curve cryptosystem of Certicom Corp., lending more transaction industry support to a security technology that has been fighting for credibility.

Diebold, the leading manufacturer of automated teller machines, joins a list of licensees that includes the French smart card maker Schlumberger, computer-chip leader Motorola Inc., and Hewlett-Packard Co.'s transaction automation subsidiary, Verifone Inc.

They share an interest in "small-footprint" devices such as smart cards, wireless phones, and personal digital assistants. As powerful as these compact devices are, computing capacity is at a premium, and manufacturers are looking for economical ways to handle the complex data encryption and decryption calculations that prevent tampering with electronic information and communications.

Certicom, which is based in Toronto and has its marketing headquarters in San Mateo, Calif., has touted elliptic curve technology as a cure. It performs the same algorithmic functions as more established encryption methods (notably those offered by the industry leader, RSA Data Security Inc.), but the encryption keys that secure the data are far shorter, lessening the burden on the processing unit.

Elliptic curve's readiness for "prime time" has been hotly debated in the security community. Though the mathematical underpinnings have been under study for more than a century, Certicom has been working on it only since the mid-1980s.

RSA and leading academics in the field have called for more testing to make sure elliptic curve can stand up to hacking and other pressures, but the interest level is high enough that even RSA has added the upstart technology to its basic tool kit for system developers.

"There is still a lot to be learned," RSA vice president Scott Schnell said in January when the Redwood City, Calif., company bowed to the growing popularity of elliptic curve. With RSA sponsoring a field trial, "we will start getting a broad community shipping, hacking into, and understanding how to use the technology."

Jerome Svigals, a smart-card advocate and consultant in Redwood City, Calif., said the caution is well placed. It is the nature of the cryptography beast that "you have to keep trying it to feel comfortable that it is working right."

He said there is no reason yet to be overly concerned.

"ECC represents an improvement factor of seven, which is huge for cryptography, so you can understand why people want to try using it," the consultant said.

Certicom said it has signed nearly 30 licensing agreements in the last year.

"The acceptance of elliptic curves has improved dramatically," said Philip Deck, president and chief executive officer of Certicom.

Schlumberger, which has historically worked closely with Diebold, was an early Certicom licensee. Last year it demonstrated a digital signature operation on a smart card. Verifone uses the Certicom cryptosystem in its Personal ATM, a hand-held smart card reader that can hook into telephone lines.

"Diebold is a highly credible company, and that helps in showing that everyone seems to be turning to elliptic curves," Mr. Deck said.

Christine Vitale, a spokeswoman for Canton, Ohio-based Diebold, said the company's engineers will use the elliptic curve cryptosystem as an adjunct to existing security capabilities in its products.

More specific details on how the system will be used for various applications and how it may affect users of Diebold products will be disclosed in coming months.

"Diebold is taking smart card systems into exciting new application areas" such as multi-application college campus programs, said Rick Dalmazzi, Certicom's executive vice president for sales and marketing.

In such businesses that are dependent on constrained computing devices, "size and efficiency yield the competitive edge, and nothing but the highest-strength cryptography will suffice," said John Ziegler, Diebold's strategic alliance director.

Ms. Vitale said the company's interest in Certicom stemmed not only from the technology itself, but also from the speed with which it could be applied.
