Draft FIPS for the Advanced Encryption Standard
Several people wrote with news that NIST has released a draft standard for the AES. They're inviting public comment, so if the NSA has added a backdoor to Rijndael, now would be a good time to find it.... :)
As other people have already pointed out, asymmetric key cryptography is *way* slow. To speed things up, you can use the public key crypto (pick your favorite well-known algo) to encrypt a symmetric key and send it to your destination. You can then use that private key for the remainder of your communication and save CPU cycles.
You can use a chaining mode to make a hash function out of a block cipher; AES in (say) Miyaguchi-Preneel mode gives you a 128-bit hash, while Tandem Davies-Meyer gives you a 256-bit hash (rather faster than SHA-256, I might add!). See Applied Cryptography for a description of these modes.
I hope NIST standardise some such mode, but at the moment they're only talking about standardising modes for encryption and MAC, not for hashing.
--
Xenu loves you!
The NSA have not proposed a "fix for DES". There is evidence in the design of DES that the designers (IBM) knew about differential cryptanalysis, but not about linear cryptanalysis; however, for practical purposes brute force search is still the best attack on it; thus, the usual fix is to apply it thrice with two or three different keys (Triple-DES).
There is some evidence (in Skipjack) to suggest the public community is now ahead of the NSA in theoretical cryptanalysis. Certainly there are a hell of a lot of breathtakingly smart people in it.
--
Xenu loves you!
You should validate this implementation against the spec to check for back doors before you use it. Not because you'll find a backdoor - I've read this code, you won't - but because it'll be a useful education in crypto implementation techniques. There's quite a bit of cunning in the way the implementation is put together, particularly the way the tables are built. And you can appreciate the simplicity and beauty of Rijndael when you do it.
--
Xenu loves you!
Electric Angst is a troll, as a check on the user info will reveal (see "YHBT. YHL. HAND.").
No-one who knows how this cipher was chosen could seriously believe that Daemen and Rijmen are NSA plants, or that there's room to hide anything in an algorithm as simple and clear as Rijndael.
--
Xenu loves you!
For one reason, it's the National Security Agency. It spies on everyone except Americans, even the allies that agree to host their bases.
For another, the British Government sold a bunch of Enigma machines throughout the third world after WWII. I wouldn't put it past the NSA to pull a similar stunt.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
I also should point out that many /.ers, including myself, aren't American.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
If you have data, you can always get the md5 checksum of that data, but with the checksum only there is no way to determine what the data that produced it was, short of trying every possible input.
And as you know, even that isn't sure; there are an infinite number of inputs that will produce the same checksum, and some of those aren't going to be garbage.
-
There are ways to view MS Word docs without using MS Word, or for that matter any Microsoft products. I do agree though, that this sort of document should be published in a more universal format such as HTML or at least PDF.
If the NSA puts their stamp of approval on an encryption algorithm for public use, you can damn well expect that they can compromise it.
It's like asking a burglar which locks to use.
Back in the 70's the NSA delayed the release of DES, for reasons which they could not disclose at the time.
NSA knew of a then-classified attack against DES known as differential cryptanalysis. NSA could not disclose why they delayed the release of DES; they could only say that they were still working on it. Lots of people speculated NSA was inserting a "secret backdoor", when actually they were ensuring the national standard for data encryption would be secure against even secret attacks that only NSA knew about at the time.
Of course, the complete design criteria for DES were not published at that time. Since not all of the steps in the algorithm seemed logical at the time, people got real suspicious. AES, on the other hand, is pretty straightforward.
For more background, check out this history of DES, or Eli Biham's papers on differential cryptanalysis.
--
Good question. I've always been told it's pronounced like "RHEIN-DALL". We're just lucky there aren't any Ø's in the word ;-).
--
NSA broke DES before anyone else did, and they fixed DES to make it more resistant against that kind of attack. Only much later did anyone outside NSA break DES through differential cryptanalysis, and by that point (late 80s/early 90s, iirc), it was becoming practical to simply brute-force DES.
--
md5 and Rijndael (AES) are two different classes of cryptographic algorithms.
md5 produces a 128 bit (16 byte) "checksum" of its input data. md5 is an example of a "one-way function": If you have data, you can always get the md5 checksum of that data, but with the checksum only there is no way to determine what the data that produced it was, short of trying every possible input. This is extremely useful for storing passwords, as by storing the checksum only, the computer can *check* if a password is valid, but doesn't actually know what the password is.
For md5:
checksum = md5(data)
there is no data = un_md5(checksum)
---
Rijndael is something else entirely: it's a symmetric encryption algorithm. It provides both an encrypt and a decrypt function. Given a 128, 192, or 256 bit key you can encrypt data in such a way that it can only be retrieved by using the decrypt function with the key. Anyone with the key and the encrypted data ("cyphertext") can get the decrypted data ("plaintext"). This is much less useful for passwords, as the key has to be stored somewhere, making the passwords easily crackable. In this case the computer would know what the password was, and be able to give a cracker that information.
For Rijndael (AES):
cyphertext = encrypt(plaintext, key)
plaintext = decrypt(cyphertext, key)
-- The act of censorship is always worse than whatever is being censored. Always.
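An added example (not code from either post) that ties together the block-cipher hashing mode mentioned earlier in the thread and the one-way property this post contrasts with encryption: a Miyaguchi-Preneel hash built on AES-128. Because the chaining value is used as the key, an attacker holding only the output cannot run AES "backwards" to recover the input, unlike decrypt(cyphertext, key). Assumed details not in the posts: an all-zero starting value H_0 and Merkle-Damgard padding with the message bit length.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// pad applies Merkle-Damgard strengthening: append 0x80, zero-fill, then the
// 64-bit big-endian bit length, so the result is a whole number of 16-byte blocks.
func pad(msg []byte) []byte {
	out := append([]byte{}, msg...)
	out = append(out, 0x80)
	for len(out)%16 != 8 {
		out = append(out, 0)
	}
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(msg))*8)
	return append(out, n[:]...)
}

// MiyaguchiPreneel hashes msg with AES-128 as the block cipher:
// H_i = E_{H_{i-1}}(m_i) XOR m_i XOR H_{i-1}, starting from H_0 = 0.
// The chaining value is the key, so the step cannot be inverted from H_i alone.
func MiyaguchiPreneel(msg []byte) [16]byte {
	var h [16]byte
	padded := pad(msg)
	for off := 0; off < len(padded); off += 16 {
		m := padded[off : off+16]
		c, err := aes.NewCipher(h[:]) // fresh key schedule from the chaining value
		if err != nil {
			panic(err) // a 16-byte key is always valid for AES
		}
		var enc [16]byte
		c.Encrypt(enc[:], m)
		for j := range h {
			h[j] ^= enc[j] ^ m[j]
		}
	}
	return h
}

func main() {
	// Constructed inputs differing in one bit: about half the output bits change.
	for _, s := range []string{"Rijndael", "Rijndaem"} {
		h := MiyaguchiPreneel([]byte(s))
		fmt.Printf("%s  %s\n", s, hex.EncodeToString(h[:]))
	}
}
```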
You can make this statement from the laws of thermodynamics (Energy in a system is conserved). And since information is energy, (Think about data compression, is information lost in the message - Entropy? Think about an air compressor, is energy lost in the air - Temperature/UnitVolume?). Think about it for 5 minutes before you hit the reply button. After all, we live in the universe, not an equation sheet.
Now what about asymmetric algos? Do the laws of thermodynamics suggest there is conceivably a perfect public-key algorithm? Nope. The public key contains information about the private key, all the information you need in fact. So what protects us? It is our child-like understanding of these hard problems.
Now what about quantum crypto? Is this any different from asym algos? Information must be transferred. It cannot be destroyed.
Granted, if one day someone proves the fundamental laws of thermodynamics wrong, we're all in trouble. But I doubt that will happen.
The key exchange problem - I would state - is by its very nature a problem with no permanent solution. It implies the destruction and re-emergence of information on a massive scale. The only thing we can do is protect ourselves with "strong" key exchange systems and prepare for the inevitable: humanity's intellectual growth.
So that said, why gripe over a possible weakness in Rijndael when the CSE or the NSA have solved the hard problems of asym algos to get at your precious block cipher key used in all electronic transmissions? You're not safe no matter how strong the cipher is, even the proposed perfect cipher.
For those people (myself included) who are too lazy to interpret the specification and enter the code in yourself, you can find a C & C++ implementation here. Note a link to this and other useful information is provided from the original link.
Given one hour to live, the student replied: "I'd spend it with professor FP who can make an hour seem like a lifetime."
I thought they meant this FIPS! I figured it was taking it a bit far making a disk partitioning program into an Advanced Encryption Standard, but you never know... ;-)
"I may not have morals, but I have standards."
I don't know anything about Dutch, but if you look at the names of the algorithm's creators, Joan Daemen and Vincent Rijmen, it appears that the name Rijndael is a loose combination of their surnames, not an actual Dutch word. If I'm not mistaken, the proposed pronunciations on the NIST web site are in fact proposed by the authors themselves for a word they invented. In fact, I'm pretty sure that I read exactly this in documentation on the NIST web site a month or more ago.
Now, if we could just prove that they're both saying the same things, instead of the PDF one saying "Here's the Open Source AES implementation" and the DOC one saying "Dear A Valued Micro$oft Customer, trust this special Micro$oft/NSA joint venture AES implementation. *ERROR DETECTED: the network traffic light on your PC is blinking indicating it is malfunctioning. [ok][continue]"
John
For those people (myself included) who are too lazy to interpret the specification and enter the code in yourself, you can find a C & C++ implementation here.
Don't listen to this guy! It's a trick! The NSA has planted this guy and the code. Nudge nudge, wink wink. Write your own implementation from the spec and you'll see the back-door, clear as day. Tricky buggers...
DES was sanctioned by the NSA and it was broken by somebody not in the NSA. (don't have the book here to reference but they talk about it in Applied Cryptography). Of course after that happened the NSA said yes we know about that type of attack here is a fix for DES. So the public cryptography community may be behind the NSA but people do figure things out. There are plenty of math PhDs that don't work for the NSA you know.
As x approaches total apathy I couldn't care less.
Basically what they do is encrypt the password with blowfish. Then they take the resulting cypher and encrypt it in blowfish. Then they take that result and encrypt it in blowfish. And repeat the cycle something like 36 times. This effectively creates a one-way hash.
I think the logic is not so much that it's a provable perfect hash (only one password will create the same hash), but that it's way too computationally expensive to do a dictionary attack.
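The iterated-encryption idea from the two posts above, written out as an added example (not the posters' code, and a simplification rather than bcrypt's real eksblowfish key schedule). Assumptions: AES stands in for Blowfish because Go's standard library ships AES but not Blowfish, a 2^cost round count replaces the fixed 36, and a per-password salt is mixed in so equal passwords do not produce equal hashes.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Hash derives a 16-byte password verifier: the password and salt are folded
// into an AES key, and AES then encrypts the salt block 2^cost times in a row.
// Only the final block is kept. Going back from it to the password would mean
// recovering an AES key from a known plaintext/ciphertext pair, and every
// guess an attacker tries costs the same 2^cost encryptions.
func Hash(password, salt []byte, cost uint) [16]byte {
	key := sha256.Sum256(append(append([]byte{}, salt...), password...))
	c, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err) // a 32-byte key is always valid for AES
	}
	var state [16]byte
	copy(state[:], salt)
	for i, rounds := uint64(0), uint64(1)<<cost; i < rounds; i++ {
		c.Encrypt(state[:], state[:]) // feed each ciphertext back in as the next input
	}
	return state
}

// Verify recomputes the hash under the stored salt and cost and compares it
// in constant time, so a mismatch leaks nothing about which bytes differed.
func Verify(password, salt []byte, cost uint, stored [16]byte) bool {
	h := Hash(password, salt, cost)
	return subtle.ConstantTimeCompare(h[:], stored[:]) == 1
}

func main() {
	salt := make([]byte, 16) // a fresh random salt per stored password
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	const cost = 12 // 4096 rounds; raise it as hardware gets faster
	stored := Hash([]byte("correct horse"), salt, cost)
	fmt.Println("stored:", hex.EncodeToString(stored[:]))
	fmt.Println("right password:", Verify([]byte("correct horse"), salt, cost, stored))
	fmt.Println("wrong password:", Verify([]byte("correct horsf"), salt, cost, stored))
}
```

The salt and cost must be stored beside the verifier, since Verify needs both to recompute it.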
Trolls throughout history:
Jonathan Swift
Looks like they're serious about the comments.
There's always sufficient, but not always at the right place nor for the right folks.
Maybe a better solution would be to have a government-independent group that is politically neutral be responsible for the development of encryption standards. I don't know how exactly that could be set up, but it at least might be worth a little thought.
Symmetric encryption is much faster than asymmetric encryption methods, so they have their uses. In IPSec and PGP you will find the bulk of the encryption is actually done using a symmetric algorithm because it is about 1000 times faster than say RSA.
256-bit keyspace is huge for a symmetric cipher. To brute force this would take say one million supercomputers a million years. That is a highly non-scientific computation, but demonstrates the rough magnitude we are talking about. For asymmetric algorithms like RSA or Diffie-Hellman, the algorithms can be attacked more efficiently than by brute force, so we need a larger keyspace. RSA is based on the difficulty of factoring large numbers (composites of two large primes), and DH is based on the discrete logarithm problem.
The AES (Rijndael) was proposed by a European team of cryptographers; the NSA have only acted as advisors to the NIST, who make the final decision. The algorithm has been in the public since 1998, and has had the best open-source (general public) cryptographers looking for any weaknesses. It appears to be very strong, and modestly fast, faster than TripleDES.
All five final candidates for the AES got the NSA stamp of approval. If they can break them all, even Serpent, they probably have orbital mind control rays too.
A burglar you trust is an excellent person to ask about what locks to use. Of course, NIST didn't just ask the NSA, they asked all the best burglars in the world, and the conclusion is that this is as secure a lock as you could possibly need for the foreseeable future.
--
Xenu loves you!
So this "change" is really just rewriting Rijndael to fit the NIST's proposal. Check the original 1997 request for candidates.
I don't know what it is about cryptography that causes people to wildly speculate about it, but unless you have any evidence, I claim that there are no known backdoors in DES or AES. Period.
If you read Steven Levy's Crypto, chapter 2, you'll see that DES was quite strong in its day. Its structure now makes sense, once the T-attack was rediscovered by Biham and Shamir as differential cryptanalysis. The only just criticism of DES was that even then 56-bit was conceivably weak in the future, not in the 1970s when it was first made standard.
The NSA has two responsibilities: to gather national intelligence, and to preserve the US Government's own security. The AES will be used as the standard encryption for non-classified (basically non-military) security, and will likely be adopted by X9 as a successor to TripleDES for banking and international financial security. Using a weak algorithm for AES would not make the NSA's responsibility of protecting the US Government's security easier, so I do not see the benefit of trying to do such a thing.
NIST started the process of designing a successor to AES many years ago, and fifteen algorithms were submitted from all over the world as candidate successors. The eventual winner comes from a team from Belgium; it's been thoroughly examined by the world's best cryptanalysts and I don't think anyone thinks there's going to be a useful break.
So long as this FIPS is simply a formal description of the algorithm we were all examining (and it appears to be), there's no problem. NIST have done all the right things here.
--
Xenu loves you!
Far from resting on their laurels, the Rijndael team have been busy with new cipher design work. Check out their latest creation, Noekeon, designed for simple implementation and resistance to differential power attacks and other side channel attacks.
--
Xenu loves you!