Sun Microsystems Researchers Unveil World's Smallest Secure Web Server, Win Best Paper Award at PerCom 2005

December 23, 2004 - Researchers from the Next Generation Crypto team at Sun Microsystems Laboratories have created the world's smallest secure web server. Nicknamed Sizzle (from SSSL for Slim SSL), this server is the size of a U.S. twenty-five cent coin and is designed to be embedded in a wide array of tiny devices (home appliances, light fixtures, utility meters, sprinkler systems, personal medical devices, temperature and pressure sensors) for secure monitoring and control across the Internet.

A technical paper [1] describing Sizzle has been selected to receive the Mark Weiser Best Paper Award at the Third IEEE International Conference on Pervasive Computing and Communications (PerCom2005) in Hawaii in March, 2005. Sizzle has already sparked significant interest in the wireless sensor network community. According to Prof. David Wagner of U.C. Berkeley, a world-renowned computer security expert affiliated with the Center for Emerging Networked Trustworthy Systems (CENTS), this work represents the "biggest breakthrough in sensor network security in the last year".

The world's smallest secure web server developed at Sun Labs runs on the Berkeley/Crossbow mote devices. Shown here is the Mica2dot mote.

Sizzle runs on the Berkeley/Crossbow "motes" -- battery-powered, wireless devices equipped with an 8-bit microprocessor, 128KB of FLASH and a mere 4KB of RAM. While many small web servers have been demonstrated previously, none has addressed the capability of secure communication within such tight resource constraints. Sizzle implements the industry standard security protocol, SSL, used to protect Internet-based transactions like stock trading, e-commerce and on-line banking.

In spite of its small size, Sizzle makes no compromises in terms of security. It uses Elliptic Curve Cryptography (ECC), which has been chosen by the National Security Agency as the next generation public-key cryptographic technology for protecting sensitive U.S. Government information [2]. Compared to RSA, the conventional public-key technology, ECC provides comparable security while using less resources. For example, an RSA operation on the mote takes nearly 11 seconds but the equivalent ECC operation can be accomplished in under 1 second [3].

Sizzle implements an open specification [4] developed at the Internet Engineering Task Force (IETF), the organization responsible for defining Internet standards. In an effort to improve the overall security of the next-generation Internet, the Sun Labs team has also contributed ECC technology to a number of popular open-source cryptographic libraries and applications including OpenSSL, the Apache web server, and the Mozilla and Firefox browsers [5, 6, 7].

The Sun Labs Open House held in July 2004 at the Computer History Museum in Mountain View, California featured a demonstration of an ECC-enabled Mozilla browser controlling a wireless thermostat built around Sizzle.

More information on the Sun Labs Next Generation Crypto project.

References

[2] NSA's presentation at the IETF Security Area Advisory Group (SAAG) meeting, Washington, DC, Nov 2004.

[3] N. Gura et al., "A Comparison of Elliptic Curve Cryptography and RSA on 8-bit CPUs", CHES 2004, Cambridge, MA, Aug. 2004.

[4] V. Gupta et al., "ECC Cipher Suites for TLS", IETF internet-draft, Dec. 2004.

[5] CNet/News.com, "Open-source group gets Sun security gift".

[6] Sun Microsystems, Inc., "Sun Microsystems Laboratories Contribute Next Generation Security Technologies to Open Source Project".

[7] V. Gupta et al., "Integrating Elliptic Curve Cryptography into the Web's Security Infrastructure", The Thirteenth International World Wide Web Conference, New York City, May 2004.

See Also