Draft FIPS for the Advanced Encryption Standard

Several people wrote with news that NIST has released a draft standard for the AES. They're inviting public comment, so if the NSA has added a backdoor to Rijndael, now would be a good time to find it.... :)

Pronunciation

[Stormie]

Why does this specify three alternative pronunciations for "Rijndael"? It's supposed to be an Advanced Encryption Standard, why can't they use the standard pronunciation? Come on guys, Dutch isn't that hard a language, and it makes a lot more sense once you can pronounce it (i.e. "zuid" = "south" is obvious when you know "zuid" is pronounced "soud")

Re:Pronunciation

[radja]

it didn't turn into koeienuier. it's still koeieuier in the new spelling. koe ends in e, and is an exception. stupid new spelling.

//rdj

Re:Pronunciation

[Kartoffel]

Why does this specify three alternative pronunciations for "Rijndael"?

Good question. I've always been told it's pronounced like "RHEIN-DALL". We're just lucky there aren't any Ø's in the word ;-).
--

Re:Pronunciation

[dingman]

I don't know anything about Dutch, but if you look at the names of the algorythm's creators, Joan Daemen and Vincent Rijmen, it appears that the name Rijndael is a loose combination of their surnames, not an actual Dutch word. If I'm not mistaken, the proposed pronunciations on the NIST web site are in fact proposed by the authors themselves for a word they invented. In fact, I'm pretty sure that I read exactly this in documentation on the NIST web site a month or more ago.

Re:Government sponsored encryption?

[Kalten]

If you're really concerned about the governent subverting the algorithm, then go visit Vincent Rijmen's page about Rijndael.

Re:Sorry. "Gov't approved" == "insecure crypto".

[p3d0]

Flamebait? I thought this one was interesting. Sheesh, some moderators need to stop injecting their own personal opinions into their work. Guys, the negative mod points are there to mark down things that are inappropriate, not just things that are controvercial. If you can't tell the difference, stop moderating.

No wonder this guy posted anonymously. It's this kind of thing that makes me glad for metamoderation.
--
Patrick Doyle

Re:Cool

[jovlinger]

IT is provably impossible to retrieve the original text from a hash -- a simple counting argument suffices. What you meant is probably that it is hoped to be difficult to construct a message with any given hash (strong requirement) or find two documents with the same hash (weak).

The value of this is that if someone signs a document, this is typically done by encrypting a hash of the document. A weak hash will let Oscar contruct another document to have the same hash, and hence "trick" the signer into having signed that one too. So the security of digital signature relies on this being difficult.

As a counter example, I give CRC-32, which an Oscar only needs control over 33 consecutive bits in order to modify the checksum to be anything he desires.

Backdoors

[Dr.+Blue]

I'm pretty familiar with the Rijndael algorithm, so I glanced quickly through the FIPS document to see if they changed the algorithm. It looks at first glance to be exactly Rijndael, with one minor reduction in generality: The blocksize is fixed to be 128-bits, rather than the variable length block (128, 192, or 256 bits) in the original Rijndael spec. That doesn't seem to be a particularly important change (128 bits is more than enough).

Now of course, you can still be paranoid if you like, and here's a suggestion if you need one: maybe that particular algorithm was selected from the 5 finalists because the NSA could break it.
Probably not likely (in retrospect, DES turned out to be much stronger than suspected), but you can cling to that if you need some conspiracy theories! :-)

Re:No more Niggers

[phant0mz]

Grow up and learn to act like yo mama taught you how. But of course you mama is also yo sister and yo daddy is also yo uncle. So white trash like you deserves to die.

Cool

[barneyfoo]

When can I get my shadow file encoded in AES? Hehe..

actually md5sum is pretty secure, but nothing is secure if you use plain english dictionary words. Programs like johnny cracker don't care about the encryption.

honestly, I don't know the difference between a md5sum code and a AES code, maybe someone could elucidate me.

Re:Cool

[Cassivs]

md5sum is a hash, meaning that it's a one way algorithm (it's believed impossible (very difficult) to get back the original text from the hashed text. Rijndael is a symmetric cipher, with a variable key length, meaning that, given knowledge of the key, it is trivial to get the plaintext (that's the whole point of it :). I'm not sure if Rijndael can be easily made into a hash (I would guess it could- maybe encode "" using the cleartext as the key?)
On an somewhat unrelated sidenote: OpenBSD uses blowfish (by default) to encrypt passwords (cat /etc/passwd.conf). So I would _guess_ that it's apparently easy to transform a symmetric cipher into a hash. Although- I'm not a crypto expert. Although I have no idea on the relative security provided by Rijndael and MD5, I think Rijndael is considerably better, but that MD5 should suffice for typical systems.

Re:Cool

[Syberghost]

If you have data, you can always get the md5 checksum of that data, but with the checksum only there is no way to determine what the data that produced it was, short of trying every possible input.

And as you know, even that isn't sure; there are an infinite number of inputs that will produce the same checksum, and some of those aren't going to be garbage.

-

Re:Cool

[Chandon+Seldon]

md5 and Rijndael (AES) are two different classes of cryptographic algorytims.

md5 produces a 128 bit (16 byte) "checksum" of it's input data. md5 is an example of an "one way function": If you have data, you can always get the md5 checksum of that data, but with the checksum only there is no way to determine what the data that produced it was, short of trying every possible input. This is extremeley useful for storing passwords, as by storing the checksum only, the computer can *check* if a password is valid, but doesn't actually know what the password is.

For md5:

checksum = md5(data)

there is no data = un_md5(checksum)

---

Rijndael is something else entirely, it's a simmetric encryption algorithim. It provides both an encrypt and a decrypt function. Given a 128, 192, or 256 bit key you can encrypt data in such a way that it can only be retrived by using the decrypt function with the key. Anyone with the key and the encrypted data ("cyphertext") can get the decrypted data ("plaintext"). This is much less useful for passwords, as the key has to be stored somewhere, making the passwords easily crackable. In this case the computer would know what the password was, and be able to give a cracker that information.

For Rijndael (AES):

cyphertext = encrypt(plaintext, key)

plaintext = decrypt(cyphertext, key)

Re:Government sponsored encryption?

[Spunk]

how realistic is it to believe that they will create an encryption standard that they don't know how to break

This concern is exactly why AES wasn't developed by the government. It was developed by two researchers in Belgium. NIST basically ratified the existing Rijndael cipher as "good enough to be the standard."

The website linked in the article has lots more info.

--

Re:it sure is NSA approved (a Good Thing(tm))

[rjkimble]

Then what is the reason that the natural 64 bit key length was forced by the government to be degraded to 56 bits before IBM could release their algorithm to the world? At least that's my understanding of how it went. I think that's one of the reasons many people are paranoid.

All Your Base Are Belong To Us!!!

Re:Why Symmetric?!?

[mcorner]

Because asymmetric encryption is 1000 times slower than symmetric algorithms (According to Schneier, approx based on some example algorithms)

Bad Idea

[MeowMeow+Jones]

AES can actaully be decrypted, so so can your passwords.

md5 is a one way hash. That means there's no way to decrypt the password once it's encoded. This makes sense for this purpose because you don't care what a password is as long as it's the right one. There's no reason to decypher a password, if someone forgets it you just reset it.

input

[dedair]

"NIST strongly encourages the public to continue performing analyses of the security of the AES, and to submit those analyses as official comments in response to this request." Looks like they want some input.

Re:Don't do it! It's a trick.

[plcurechax]

Do you have any evidence of a backdoor? No? I didn't think so.

The Rijndael Page

[rsimmons]

You should get your information from the horse's mouth. Here is Rijndael's page in Belguim: http://www.esat.kuleuven.ac.be/~rijmen/rijndael/

Why Symmetric?!?

[JayDogg]

I haven't read through the algorithm yet but a few questions/comments: Why are we creating ANOTHER national Symmetric Key standard? Why not go for an Asymmetric standard? 256 bit key max? With the computing power the NSA (and others) have at their disposal, they won't need a back door. And yes of course they are getting free de-bugging, testing... Wouldn't you? That's the only way to truely test the robustness of an encryption algorithm. -forgive any naivity in my posts, I know very little about cryptography... JayDogg

Re:Why Symmetric?!?

[volsung]

As other people have already pointed out, asymmetric key cryptography is *way* slow. To speed things up, you can use the public key crypto (pick your favorite well known algo) to encrypt a symmetric key and send it to your destination. You can then use that private key for the remainder of your communication and save CPU cycles.

Re:Why Symmetric?!?

[plcurechax]

Because the NIST approved standard, DES, is getting old, and the "compatible" mode of TripleDES is very slow. Vendors wanting to win tenders with the US Government have to use a NIST approved method, if one exists for whatever they are doing, from tree planting to cryptographic algorithms. So this is to replace the old exisiting standard.

Symmetric encryption is much faster than asymmetric encryption methods, so they have their uses. In IPSec, and PGP you will find the bulk of the encryption is actually done using a symmetric algorithm because it is about 1000 times faster than say RSA.

256-bit keyspace is huge for a symmetric cipher. To brute force this would take say one million supercomputers a million years. That is a highly non-scientific computation, but demostrates the rough magnatude we are talking about. For assymmetric algorithms like RSA or Diffie-Hellman, the algorithms can be attached more efficiently then by brute force, so we need a larger keyspace. RSA is based on the difficulty of factoring large numbers (composites of two large primes), and DH is based on the discrete logarithm problem.

The AES (Rijndael) was proposed by an European team of cryptographers, the NSA have only acted as advisors to the NIST, whom make the final decision. The algorithm has been in the public since 1998, and has had the best open-source (general public) cryptographers looking for any weaknesses. It appears to be very strong, and modestly fast, faster than TripleDES.

You can make a hash function out of a block cipher

[Paul+Crowley]

You can use a chaining mode to make a hash function out of a block cipher; AES in (say) Miyaguchi-Preneel mode gives you a 128-bit hash, while Tandem Davis-Meyer gives you a 256-bit hash (rather faster than SHA-256, I might add!). See Applied Cryptography for a description of these modes.

I hope NIST standardise some such mode, but at the moment they're only talking about standardising modes for encryption and MAC, not for hashing.
--

What "fix for DES"?

[Paul+Crowley]

The NSA have not proposed a "fix for DES". There is evidence in the design of DES that the designers (IBM) knew about differential cryptanalysis, but not about linear cryptanalysis; however, for practical purposes brute force search is still the best attack on it; thus, the usual fix is to apply it thrice with two or three different keys (Triple-DES).

There is some evidence (in Skipjack) to suggest the public community is now ahead of the NSA in theoretical cryptanalysis. Certainly there are a hell of a lot of breathtakingly smart people in it.
--

Re:What "fix for DES"?

[Kartoffel]

Skipjack has a different heritage than the AES candidates. Skipjack is (iirc) a 40-bit cipher meant for mobile radios, phones, laptops. It's based more on old military style shift-register stuff, rather than your typical modern civilian cyrpto. Skipjack is not intended to be super strong, nor is it intended for high volumes of traffic. For small volumes of traffic from small mobile units, Skipjack is fine.

One of the clever things about Skipjack, however, is that when Skipjack is poorly implemented, it falls right apart and is quite simple to break. When done properly, however, Skipjack makes a fine 40-bit cipher.

This particular quality is actually a good thing. The only people who are supposed to be using Skipjack devices (orignally, at least) would have had embedded devices that were known to be good. Now suppose a bad guy builds his own skipjack devices but bungles the implementation... the bad buy may think he's got secure communications, but it's actually easy to break.
--

He's right! ...well, sort of.

[Paul+Crowley]

You should validate this implementation against the spec to check for back doors before you use it. Not because you'll find a backdoor - I've read this code, you won't - but because it'll be a useful education in crypto implementation techniques. There's quite a bit of cunning in the way the implementation is put together, particularly the way the tables are built. And you can appreciate the simplicity and beauty of Rijndael when you do it.
--

A-trollbusting we will go

[Paul+Crowley]

Electric Angst is a troll, as a check on the user info will reveal (see "YHBT. YHL. HAND.").

No-one who knows how this cipher was chosen could seriously believe that Daemen and Rijmen are NSA plants, or that there's room to hide anything in an algorithm as simple and clear as Rijndael.
--

Re:A-trollbusting we will go

[Electric+Angst]

Oh, well, in that case, I was obviously wrong. If you could tell I was a troll, that just proves that the average /bot is smarter than the NSA.

--

Re:it sure is NSA approved (a Good Thing(tm))

[Goonie]

Why are you slashdotters so paranoid of the NSA? It stands for National Security Agency.

For one reason, it's the National Security Agency. It spies on everyone except Americans, even the allies that agree to host their bases.

For another, the British Government sold a bunch of Enigma machines throughout the third world after WWII. I wouldn't put it past the NSA to pull a similar stunt.

Re:it sure is NSA approved (a Good Thing(tm))

[Goonie]

I also should point out that that many /.ers, including myself, aren't American.

Re:A long time to think and respond

[SoftwareJanitor]

There are ways to view MS Word docs without using MS Word, or for that matter any Microsoft products. I do agree though, that this sort of document should be published in a more universal format such as HTML or at least PDF.

NSA approved?

[The+Dev]

If the NSA puts their stamp of approval on an encryption algorythm for public use, you can damn well expect that they can compromise it.

It's like asking a burgular which locks to use.

Re:NSA approved?

[Lish]

Possibly. But I think it would be more likely to say, they know all possible ways of potentially compromising/breaking it, and are confident that noone except possibly themselves could do so. Because, if there's a way for _them_ to break it, then there's potential for someone else to do so, and if that happened, they'd look awfully stupid....

it sure is NSA approved (a Good Thing(tm))

[Kartoffel]

Why are you slashdotters so paranoid of the NSA? It stands for National Security Agency. NSA are not the bad guys; it's the big corporations and bureaucrats that we need to worry about.

Back in the 70's the NSA delayed the release of DES, for reasons which they could not disclose at the time.

NSA knew of a then-classified attack against DES known as differential cryptanalysis. NSA could not disclose why they delayed the release of DES, they could only say that they were still working on it. Lots of people speculated NSA was inserting a "secret backdoor", when actually they were ensuring the national standard for data encryption would be secure against even secret attacks than only NSA knew about at the time.

Of course, the complete design criteria for DES were not published at that time. Since not all of the steps in the algorithm seemed logical at the time, people got real suspicious. AES, on the other hand, is pretty straightforward.

For more background, check out this history of DES, or Eli Biham'sthese papers on differential cryptanalysys.
--

Re:it sure is NSA approved (a Good Thing(tm))

[Kartoffel]

The UK sold those enigma machines mostly to other Commonwealth countries (for instance, India). The Indians certainly suspected that Britain knew how to break enigma, but that wasn't their cheif concern. The Enigma machines allowed secure communications protected Indian secrets from countries like Pakistan. That served a purpose. Even if _some_ countries could have broken enigma, the machines were useful/ Many of the clued-in 3rd world customers figured that the Allies had a break for enigma, so they used the machines accordingly.
--

Re:it sure is NSA approved (a Good Thing(tm))

[Kartoffel]

Shortening the key to 56 bits made DES export compliant, because anything longer than that was classified as "munitions" under the US crypto laws.

Obviously, degrading the key like that makes it easier to break. Should you be paranoid? Duh, of course. Is it an evil conspiracy? No, just a bizarre law.
--

Re:The NSA is smarter than you!

[Kartoffel]

NSA broke DES before anyone else did, and they fixed DES to make more resistant agaist that kind of attack. Only much later did anyone outside NSA break DES thru differential cryptanalysis, and by that point (late 80s/early90s, iirc), it was becoming practical to simply brute-force DES.
--

Here's a thought

[jlcooke]

Symmetric algos a can be perfectly safe if for a given key K, the number of blocks B collected by an attacker is less then 2**L, where L is the bit length of K. This assumes the cipher is perfectly crafted.

You can make this statement from the laws of thermodynamics (Energy in a system is conserved). And since information is energy, (Think about data compression, is information lost in the message - Entropy? Think about an air compressor, is energy lost in the air - Temperature/UnitVolume?). Think about it for 5 minutes before you hit the reply button. Afterall, we live in the universe, not an equation sheet.

Now what about asymmetric algos? Do the laws of thermodynamics suggest there is conceivably a perfect public-key algorithm? Nope. The public key contains information about the private key, all the information you need in fact. So what protects us? It is our child-like understanding of these hard problems.

Now what about quantum crypto? Is this any different from asym algos? Information must be transferred. It cannot be destroyed.

• SymAlgos: 2**L unknowns can be solved with 2**L equations. (if perfectly crafted equations are used in accordance with thermodynamics).
• AsymAlgos: The private key can be derived from the public key. The only thing stopping you is your understanding of the mathematical problem.
• QuantumCrypto: The session key can be deduced from the transmission by detecting the transmission of quantum state of the information (virtual particles like photons). And we know that information cannot be destroyed. The only thing stopping you is your understanding of quantum physical problem..

Granted, if one day someone proves the fundamental laws of thermodynamics wrong, we're all in trouble. But I doubt that will happen.

The key exchange problem - I would state - is by it's very nature a problem with no permanent solution. It implies the destruction and re-emergence of information on a massive scale. The only thing we can do is protect our selves with "strong" key exchange systems and prepare for the enviable: humanity's intellectual growth.

So that said, why gripe over a possible weakness in Rijndael when the CSE or the NSA have solved the hard problems of asym algos to get at your precious block cipher key used in all electronic transmissions? You're not safe no matter how strong the cipher is, even the proposed perfect cipher.

Jumping to an implementation

[First+Person]

For those people (myself included) who are too lazy to interpret the specification and enter the code in yourself, you can find a C & C++ implementation here. Note a link to this and other useful information is provided from the original link.

I thought...

[krmt]

I thought they meant this FIPS! I figured it was taking it a bit far making a disk partitioning program in to an Advanced Encryption Standard, but you never know... ;-)


"I may not have morals, but I have standards."

Re:A long time to think and respond

[plover]

The web site has it available in both PDF and MSWord format. While I find both formats almost equally abhorrent, (what's wrong with HTML, people?) at least there are two, and one of them's not Micro$oft.

Now, if we could just prove that they're both saying the same things, instead of the PDF one saying "Here's the Open Source AES implementation" and the DOC one saying "Dear A Valued Micro$oft Customer, trust this special Micro$oft/NSA joint venture AES implementation. *ERROR DETECTED: the network traffic light on your PC is blinking indicating it is malfunctioning. [ok][continue]"

John

Don't do it! It's a trick.

[dstone]

For those people (myself included) who are too lazy to interpret the specification and enter the code in yourself, you can find a C & C++ implementation here.

Don't listen to this guy! It's a trick! The NSA has planted this guy and the code. Nudge nudge, wink wink. Write your own implementation from the spec and you'll see the back-door, clear as day. Tricky buggers...

Re:The NSA is smarter than you!

[bmongar]

DES was sanctioned by the the NSA and it was broken by somebody not in the NSA. (don't have the book here to reference but they talk about it in applied cryptography). Of course after that happened the NSA said yes we know about that type of attack here is a fix for DES. So the public cryptography community may be behind the NSA but people do figure things out. There are pleanty of math PhD's that don't work for the NSA you know.

Blowfish Hash

[MeowMeow+Jones]

Basically what they do is encrypt the password with blowfish. Then they take the resulting cypher and encrypt it in blowfish. Then they take that result and encrypt it in blowfish. And repeat the cycle something like 36 times. This effectively creates a one-way hash.

I think the logic is not so much that it's a provable perfect hash (only one password will create the same hash), but that it's way to computationally expensive to do a dictionary attack.

A long time to think and respond

[ishrat]

Due date for submitting public comments: May 29, 2001

Looks like they're serious about the comments.

Government sponsored encryption?

[ybmug]

I am just wondering if this is really a good idea or not. Considering the governments track record of privacy (especially the NSA's), how realistic is it to believe that they will create an encryption standard that they don't know how to break. Granted, they are allowing time for public review, but that time is limited (May 29, 2001 I believe) for the amount of work and testing that should be used. You might also say that they the standard is going to be used for a lot of the government so they have incentive to not put any back doors in it, but it isn't like we've never seen competition or espionage taking place between government organizations.

Maybe a better solution would to have an government-indepedent group that is politically neutral be responsible for the development of encryption standards. I don't know how exactly that could be setup, but it at least might be worth a little thought.

The NSA approved all five final candidates

[Paul+Crowley]

All five final candidates for the AES got the NSA stamp of approval. If they can break them all, even Serpent, they probably have orbital mind control rays too.

A burglar you trust is an excellent person to ask about what locks to use. Of course, NIST didn't just ask the NSA, they asked all the best burglars in the world, and the conclusion is that this is as secure a lock as you could possibly need for the foreseeable future.
--

Re:Blocksize vs. Keysize

[plcurechax]

While the blocksize of Rijndael was able to operate in variable lengths of 128, 192, or 256, the AES specification designated 128-block size as standard.

So this "change", is really just rewriting Rijndael to fit the NIST's proposal. Check the original 1997 request for candiates.

I don't know what it is about cryptography that causes people to widly speculate about it, but unless you have any evidence, I claim that there is no known backdoors in DES, or AES. Period.

If you read Steven Levy's Crypto, chapter 2, you'll see that DES was quite strong in its day. Its structure now makes sense, once the T-attack was rediscovered by Biham and Shamir as differential cryptanalysis. The only just criticism of DES was that even then 56-bit was conceiviable weak in the future, not in the 1970s when it was first made standard.

The NSA has two responsibilities , to gather national intelligences, and to preserve the US Government's own security. The AES will be used as the standard encryption for non-classified (basicilly non-military) security, and willing likely be adopted by X9 as a sucessor to TripleDES for banking and international financial security. Using a weak algorithm for AES is would not make the NSA's responsibility of protecting the US Government's security easier, so I do not see the benefit of trying to do such a thing.

Public review is finished after two years or so

[Paul+Crowley]

NIST started the process of designing a successor to AES many years ago, and fifteen algorithms were submitted from all over the world as candidate successors. The eventual winner comes from a team from Belgium; it's been thoroughly examined by the worlds best cryptanalysts and I don't think anyone thinks there's going to be a useful break.

So long as this FIPS is simply a formal description of the algorithm we were all examining (and it appears to be), there's no problem. NIST have done all the right things here.
--

Rijndael team's new cipher

[Paul+Crowley]

Far from resting on their laurels, the Rijndael team have been busy with new cipher design work. Check out their latest creation, Noekon, designed for simple implementation and resistance to differential power attacks and other side channel attacks.
--