EU crypto project Suphice mired in red tape

Suphice, an EU project to create a single European cryptography standard, is gathering dust as political differences between the member states get in the way.

As the European Commission gets stuck into 1.5 billion euros worth of contract negotiations for its first ever tranche of security research funding, the results of a test programme have demonstrated that it doesn't matter how much money the EU throws at pan-European security projects - internal politics can render them impotent.

The EU's security funding started in 2004 under the umbrella title of the Preparatory Action for Security Research (PASR). One PASR project in particular summed up the aims and ideals of the EU's entire security research programme. Called Suphice, its goal was to prove that European member states could overcome their differing political and commercial interests to adopt a common data encryption algorithm that would act as the lubricant in co-ordinated responses to emergency situations.

What it actually proved was that EU member states are as yet unable to overcome their political and commercial differences to implement a common crypto. This does not mean that Suphice was a total failure. It has been good for Thales, the firm that won 1.4 million euros of public money on behalf of the project consortium. Thales started selling systems based on Suphice six months after it received the funding and has since sold it to 45 banks, according to Peter Davies, technical director at Thales e-security.

Neither was the public money necessarily wasted. Davies says that "eight or nine" EU countries adopted the Suphice architecture. Another 30 countries outside Europe followed suit. But the EU countries didn't adopt a common crypto and they are using the system mostly for internal communications.

The main achievement of Suphice, according to Davies, was to get member states moving toward a common crypto.

"The very existence of the programme would go some way to achieve its aims," he told SearchSecurity UK. "We wanted to demonstrate that we could create a crypto that was unencumbered. Suphice was to point out that they say they want these common networks but they don't have a way of doing it. We highlighted the principal issues which are the next things that need to be worked on."

The EC said at the time that the PASR would prove that the 1.5 billion euros it is now spending under the Framework Programme 7 on security research would be well spent. It was to "demonstrate that the EU has the potential to address its immediate security challenges through a security research programme", though would only represent a "first step".

Yet three years later, security industry bigwigs including Khoen Liem, head of security research at the European Commission, are still bemoaning how political and commercial interests are hampering security technology developments in Europe.

Suphice appears to be a study in the reasons why. The official report on the Suphice funding, under close wraps since the EC filed it in September 2006, but released to SearchSecurity UK, stated that "Mutual Certification has proved to be a difficult concept to realise". Thales's Davies said there was no getting around existing differences between member states: "We suffered difficulties getting an algorithm we could use across [all Europe]. There may be five nations in Europe that trust the UK, or eight that trust the French. The issues are that 25 countries make different decisions about what they want".

Those countries that did take an interest were those that didn't already have their own encryption technology or a strategically important defence industry. Newer member states jumped on it. France, where Thales is based, was not interested because the technology was from a UK subsidiary and therefore subject to British export controls. If it was to be sold to any other country it had to be agreed by the UK first.

Germany also had no interest. Davies said a German government spin-off is touting its own rival to the Thales proposal called Zena. Suphice's Vegas algorithm, meanwhile, "didn't get shipped" and Thales fell back on the US-approved AES (Advanced Encryption Standard) algorithm that came out of the European COSIC group of cryptography experts.

That's all very well, but AES has not made it as a standard for SECRET-level communications among member states. It is not certain that there ever will be such a thing, no matter how hard the likes of Thales try or how much money the European Commission throws at it.

"France, Germany and the UK have their own algorithms and will do anything to avoid using a standard," said Professor Bart Preneel of COSIC.

Differences between member states were so severe that Suphice wasn't even able to convene, with the EC's backing, a workable forum of the national Infosec authorities that hand out the crypto certifications. It convened a poorly attended forum for a while, but it hasn't met for over a year.

Heinrich Guschlbauer, a director of Swiss-owned, Austria-based security communications firm ESL, which was part of the Suphice project, said this failure to get member states to agree spelled curtains for the programme.

"For me the project was a start-up, and should have a second phase. But it's stopped now and nothing will go on and therefore the achievements were relatively zero," Guschlbauer told SearchSecurity UK.

The final Suphice report filed at the EC stated somewhat modestly that "the next challenge is to ensure the National Authority Working Group survives". It didn't, but Davies insists he hopes it can be revived.

The EC, meanwhile, has refused to reveal the details of any assessment it has made of the 1.5 million euros it invested in Suphice, citing the commercial-in-confidence defence beloved of officialdom. Nor has it explained what has happened to the aim of a common European crypto. But it has taken the Suphice budget, added another three zeros to it, and declared how it will help build a European security industry good enough to take on the Americans in the world market, along with terrorists and undesirables within Europe's borders.
