Slashdot Mirror


Interview With AES Author

Dave Wreski writes "I recently had a chance to ask Vincent Rijmen a few questions about Rijndael, the algorithm soon to replace DES. He talks about the development of the algorithm, his thoughts on the future of Internet security, Linux and security, and more. He's a pretty interesting guy, and had some interesting comments. You can find the interview here"


  1. I get 300 years by Paul+Crowley · · Score: 2

    56-bit DES is easily crackable now. Rijndael takes up to a 256-bit key. (256 - 56) = 300. Where are you getting your numbers from?

    This calculation is of course pretty meaningless, but it gives you a rough idea.

  2. More secure is relative by Paul+Crowley · · Score: 2

    Depends what you mean by "more secure", doesn't it? Rijndael's security goal is to be "K-secure and hermetic". In layman's terms, this basically means to be as secure as any block cipher with that block and key size can possibly be. If it meets these goals, then Serpent can't possibly be better - it can only be exactly as good.

    If I could work out a way of demonstrating that it didn't meet these goals, I'd be the world's most famous cryptanalyst in moments. But I'd still be a million miles away from a break that was actually any good for any real attack that any real adversary, even 3-letter agencies equipped with alien tech, could ever use against you.

    There are some good attacks on very much weakened variants of Rijndael. Some people in the crypto world believe that full Rijndael will eventually be demonstrated not to be K-secure. However, no-one who knows what they're talking about thinks that any practical, useful break will ever be found. Really, Rijndael is more than good enough - the weaknesses in your system lie elsewhere.

  3. Another interview with down-to-earth Belgian guys by Jacco+de+Leeuw · · Score: 2
    There's another interview over on ZDNet.

    And hey, they mention Linux there too! ;-)

    Jacco
    --
    # cd /var/log
    --
    Warning: Slashdot may contain traces of nuts.

  4. Koeieuier by ruud · · Score: 2

    I still think they should have called it herfstvrucht, angstschreeuw or koeieuier, like they propose here
    --
    bgphints - internet routing news, hints and ti

  5. Re:cracked ! by henley · · Score: 2
    Calculation using Moore's CPU law would suggest that this encryption algorithm should be cracked within 6 months.

    Explanation please.

    What does Moore's Law have to do with the *identification* of an attack on an algorithm, or with the time to implement such an attack?

    If you're implying that a +6-month CPU will be capable of brute-force attacking Rijndael, please explain why current processors cannot do this, and please give an estimate of the time taken to break an arbitrary message (i.e. time to search 50% of keyspace).

    For bonus points, please provide an estimate of the hardware resources required (now, in 6 months, or sometime after the Pentium 6 is released, whichever takes your fancy) in order to provide a realistic interception capability for oh-let's-say AES-encrypted email in near-real-time.

    --
    I'd rather have a bottle in front of me than a frontal lobotomy

  6. "Broken" by homunq · · Score: 2

    Even six-round Rijndael, while theoretically "broken", is completely uncrackable with any known algorithm on today's hardware. IIRC it takes over 10^28 (i.e. 2^90) operations to crack. That's a savings of only 10^11 (2^38) over brute force. Say you're the NSA, and can afford today 10^6 computers each running at 10^12 operations per second. With your boxes all improving at Moore's law, it'll be 15 years before you crack your first key; then 2 keys in the following year.
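The two posts above (henley's request for a "time to search 50% of keyspace" estimate, and homunq's 2^90-operations-on-10^18-ops/s calculation) are both the same work-factor arithmetic. The following is an editor's added example, not code from the thread or from the Rijndael authors: it takes the figures the comments quote (2^90 operations; 10^6 machines at 10^12 ops/s) and computes the time to finish that work at a constant rate and under exponential capacity growth. The 18-month doubling period, and the simplification that one key trial costs one operation, are assumptions of this example, not figures from the page.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_work(key_bits: int, fraction: float = 0.5) -> float:
    """Key trials needed to search `fraction` of a space of 2**key_bits keys.

    fraction=0.5 is the expected cost of recovering one arbitrary key, which
    is the "50% of keyspace" figure asked for in comment 5.
    """
    return fraction * 2.0 ** key_bits


def years_at_fixed_rate(work: float, ops_per_second: float) -> float:
    """Years to finish `work` operations when capacity never grows."""
    return work / (ops_per_second * SECONDS_PER_YEAR)


def years_with_doubling(work: float, ops_per_second: float,
                        doubling_years: float = 1.5) -> float:
    """Years to finish `work` when capacity doubles every `doubling_years`.

    Capacity at time t is c0 * 2**(t/T), so the cumulative work done by
    time t is the integral  c0 * T / ln 2 * (2**(t/T) - 1).  Setting that
    equal to `work` and solving for t gives the closed form below.
    (The 18-month doubling period is an assumption of this example.)
    """
    c0 = ops_per_second * SECONDS_PER_YEAR  # operations per year today
    t_dbl = doubling_years
    return t_dbl * math.log2(1.0 + work * math.log(2) / (c0 * t_dbl))


def estimate(work: float, machines: float, ops_per_machine: float,
             doubling_years: float = 1.5) -> dict:
    """Both estimates for a fleet of `machines` boxes at `ops_per_machine` ops/s."""
    rate = machines * ops_per_machine
    return {
        "fixed_rate_years": years_at_fixed_rate(work, rate),
        "with_doubling_years": years_with_doubling(work, rate, doubling_years),
    }


if __name__ == "__main__":
    # Figures quoted in comment 6: 2**90 operations, 10**6 boxes at 10**12 ops/s.
    attack = estimate(2.0 ** 90, 1e6, 1e12)
    print(f"2^90 ops at 10^18 ops/s: {attack['fixed_rate_years']:.1f} years flat, "
          f"{attack['with_doubling_years']:.1f} years with 18-month doubling")
    # Comment 5's question: expected time to find one key of each size at the
    # same rate, treating one key trial as one operation (an assumption that
    # flatters the attacker; a real block-cipher trial costs many operations).
    for bits in (56, 128, 256):
        work = brute_force_work(bits)
        print(f"{bits}-bit key: {years_at_fixed_rate(work, 1e18):.3g} years flat, "
              f"{years_with_doubling(work, 1e18):.3g} years with doubling")
```

The point worth taking from the output is the shape of the curve rather than any single number: capacity that doubles every 18 months turns a decades-long search into a years-long one, but against a 256-bit key it only moves the answer from an astronomical number of years to a few hundred, because each extra key bit doubles the work while each doubling period doubles the capacity once.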

  7. Re:Still a TwoFish Fan by Chalst · · Score: 2
    Embedded systems: a point to bear in mind is that embedded systems must not just be able to perform the algorithm, they must also be protected from out-of-the-box attacks. It is much harder to guess what a card device is doing from an EM emission analysis if it uses simple operations such as in Rijndael, than if it uses more complex operations such as in Serpent and Twofish. This isn't only a matter of prevalent technology, it involves sensitive design issues as well, ones that Rijndael went to more pains about than the other finalists.

    I think that Rijndael will prove to be the better technology for quite a long time, and its selection will do a lot to promote the use of good cryptography in the next few years.

  8. NSA on AES by Chalst · · Score: 2

    LinuxSecurity.com: What applications do you foresee it being used in?

    Vincent Rijmen: Many many applications. Protection of sensitive files of the US government (mandatory). Email encryption. Mobile phones. Smartcards.

    Interesting to note that the NSA didn't say they would use AES. Schneier's last Cryptogram speculated that they won't be using Rijndael for classified documents in the next few years.

    1. Re:NSA on AES by inburito · · Score: 2

      And they also speculated on the reason: it requires a few years of internal analysis before they can trust it. And besides, they probably have something much better (or something that has already survived decades' worth of analysis) in use.

  9. Re:Koeieuier (translation) by Wizard+of+OS · · Score: 2

    Well, you probably know what those words mean, but for the Dutch-illiterate here:
    herfstvrucht: autumn-fruit
    angstschreeuw: scream of terror
    koeieuier: Well, the thing hanging below a cow, where you get the milk from (dunno the trans ;-)

    --
    If code was hard to write, it should be hard to read

  10. Re:Patents etc. by ssimpson · · Score: 2

    3DES has always been entirely free of IP claims, so I don't see what's changed really.

    Yeah, the interviewee was a little cold!

    --
    "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."

  11. Please, no more European software names! by AFCArchvile · · Score: 2

    They're already hard to pronounce, don't make it worse. I fear that soon a Czech name will be given to the next big thing, and we'll have to use the reverse caret over the C!

    --
    "Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer

  12. Re:Serpent by henley · · Score: 3
    Serpent is actually more secure than Rijndael, even if slightly slower. I personally use serpent in my loopback fs's, and it works really well!

    Which nicely summarises why Rijndael won.

    The competition was a nice, real-world example of a trade-off between absolute theoretical security and implementation. AES is intended to scale from smartcards to NSA supercomputers.

    If AES had been about producing the most secure algorithm, period, then I guess the winner would have been one which included an infinite number of permutations... After all, if it takes an eternity to encrypt you can guarantee that it can't be broken after encryptions :-)

    Note that you, too, have found that what the US Gov' says doesn't necessarily apply to the real world either. However, your faith in Serpent is perhaps misguided. It may have received a similar level of analysis as Rijndael up to now, but you can guarantee that as an also-ran, it's not going to continue to receive this level of investigation. All of which leaves you more, not less, vulnerable in the longer term....

    --
    I'd rather have a bottle in front of me than a frontal lobotomy

  13. Re:Interesting approach by divec · · Score: 3
    Also, Rivest, Shamir, and Adleman *did* invent RSA. I'm not sure what you're implying.

    Well, it was apparently thought of earlier, in the late 1960s, by James Ellis and Clifford Cocks (who were British secret agents). However, they did not publish (being secret agents). R, S and A thought it up independently 10 years later, and they were the first to publish. See this techweb story for some more details.
    --
    perl -e 'fork||print for split//,"hahahaha"'

  14. Re:Interesting approach by konstant · · Score: 3

    That is true of all the candidates. Even MARS and RSA patents would have to be more-or-less unenforced if selected - go to the AES page and check out the huge red text that says exactly this.

    AES homepage

    Also, Rivest, Shamir, and Adleman *did* invent RSA. I'm not sure what you're implying.

    -konstant
    Yes! We are all individuals! I'm not!

  15. Still a TwoFish Fan by tmu · · Score: 3

    I'll admit it: I'm still a Twofish fan. I look at the number of rounds required to make Rijndael reasonably secure and compare that to Twofish and I don't feel happy. This is not to say that I don't think that Rijndael is secure now--it clearly is. This is also not to say that I think there's some good way to reliably determine the likely future security of uncracked algorithms--I think there is not. Nevertheless, we can guess about future security based on things like complexity (where Twofish scores poorly) and number of rounds required for security (where Twofish scores extremely well and Rijndael does not).

    There were two lurking decision factors in the AES that concern me:

    1) Patents. It has not been made clear how much the Hitachi-claimed patent affected the outcome.

    2) Embedded devices. I believe that the decision was weighted in favor of current embedded memory and computational power, which doesn't make any sense. Embedded applications will be more powerful by the time anyone actually implements this stuff and I'd much rather have something that is excellent on real computers and fine on smart cards, but that doesn't seem to be what we've ended up with.

    Anyway, I'm glad to see the process was open and all kvetching aside, Rijndael is a *huge* improvement over DES or even DESX or tripleDES. The authors of all algorithms deserve congratulations.

  16. Re:Encryption Overload by ssimpson · · Score: 3

    Over time AES will be incorporated into all security products and will become a de facto standard. We can already see that GnuPG includes full support and NAI/PGP is expected to follow shortly.

    It's nothing that end users will have to learn / know - it'll just be included as the standard. If someone wanted to send you an encrypted mail today then they'd still use PGP (or similar); you can't just take Rijndael and encrypt an e-mail (or web session, or SSH session or whatever).

    --
    "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."

  17. secure standard by gnudutch · · Score: 3

    The only reason they won't crack it is probably because it's impossible to pronounce.

  18. Interesting approach by Wizard+of+OS · · Score: 4
    I read an article about Rijndael in a Dutch magazine a few weeks ago. They interviewed the authors (they're from Belgium and speak Dutch too) about the algorithm. The things I remember from the interview:
    • They didn't patent it. This means that they of course get the credit (everlasting fame) but don't earn any money with it (compare that to the people that 'invented' RSA ...)
    • They were searching for the most simple algorithm. Not something that would require massive processors or mathematical libraries, but an algorithm based on simple instructions, something that could fit on (for example) a small chip (smart-) card.

    --
    If code was hard to write, it should be hard to read

  19. Security of selected proposals by Phoz · · Score: 4

    You may wish to check out this website for a quick and clean comparison of the security of the different proposals.