Experts approve of new encryption standard

 


The selection of the Rijndael algorithm as the heir apparent to the government's Data Encryption Standard has gotten good reviews from cryptographic experts.

By William Jackson

GCN Staff


They praised the National Institute of Standards and Technology's open process in selecting the new Advanced Encryption Standard, as well as Rijndael's compact size, speed and flexibility.

'NIST's AES effort has broken the mold in terms of collaboration with the cryptographic community,' said Susan Langford, senior cryptologic engineer at Certicom Corp. of Hayward, Calif.

A three-year public examination of the code is likely to encourage public acceptance of AES, Langford said.

'Rijndael is already widely acknowledged as a sensible balance of security and efficiency,' she said.

'The extensive scrutiny of the AES evaluation procedure has helped instill confidence in the security of Rijndael,' said Bruno Couillard, chief technology officer of Chrysalis-ITS Inc. of Ottawa.

Companies began announcing security products using the new algorithm within hours of the NIST announcement early this month, although it will take several more months before Rijndael becomes a new Federal Information Processing Standard.

Not required

Commerce Secretary Norman Y. Mineta announced selection of Rijndael Oct. 2, but formal notice in the Federal Register probably will not appear until November. A 90-day public comment period will follow. After NIST makes any necessary changes to the algorithm, it will be submitted to the Commerce secretary as a FIPS. Final approval is expected by spring.

Although AES will be authorized for government unclassified use, agencies will not be required to use it. DES is now approved only on legacy systems, but Triple DES will remain an approved algorithm for the foreseeable future, NIST officials said.

DES, the government standard for encrypting sensitive but unclassified information since 1977, has seen wide use in government and commercial applications. By the late 1990s, however, the algorithm's 56-bit encryption keys had become inadequate. NIST issued a call for what would become AES in September 1997 and received 15 submissions. It invited encryption users to attack the formulas, then narrowed the field to five finalists and conducted a second round of tests.

Although security was the primary criterion for AES, NIST also considered speed and versatility.

'All five algorithms appear to have adequate security,' the NIST final report said. Rijndael also was a consistently good performer across a range of hardware and software computing platforms, it said.

Researchers from 12 countries worked on the AES candidates. Belgian cryptographers Joan Daemen and Vincent Rijmen developed Rijndael. Because their complete specifications have been available to NIST for study for more than two years, government officials have said the algorithm's foreign origin is not a concern.

Some industry observers believe the fact that Rijndael was developed outside the United States could speed the standard's adoption outside government. Its Belgian origin might squelch fear of back doors being built into the algorithm by the U.S. government, they have said.

Rijndael, like DES, is a symmetric algorithm that uses the same key to encrypt and decrypt data. This speeds up encryption but requires transmitting the secret key to the receiver of the message.

Symmetric cryptography can be used with public-private key systems. The secret key needed to decrypt a message can itself be encrypted using a public-private key pair.

The small amount of memory Rijndael needs could make it convenient for the rapidly expanding mobile computing market, dominated by handheld devices with limited memory capacity. Despite its small size, NIST officials said, Rijndael packs a lot of security.

AES must support 128-, 192- and 256-bit keys, making the number of possible keys astronomical.

A DES cracker developed in the late 1990s could recover a 56-bit DES encryption key in several hours. NIST estimates that if a computer could crack a DES key in one second, the same computer would take about 149 trillion years to crack a 128-bit AES key.

NIST does not claim Rijndael is unbreakable. But 'even with future advances in technology, AES has the potential to remain secure well beyond 20 years,' the NIST report said.
