AES Announced as Federal Standard
chekhov writes: "Today NIST has finally announced AES (Advanced Encryption Standard) as a Federal Standard after 4 years of development. See the press release. AES is the replacement of DES and is expected to be used in financial systems and secure networks for up to 20 years. More information on the AES homepage."
AES is Rijndael (i.e. the name of the cipher selected as AES is "Rijndael").
Find out all about it (including how to say it ;-) here and here
Tales from behind the Lagom Curtain
I don't think Moore's law will have any effect on cracking AES. Conventional computers will run out of steam long before they get fast enough to crack AES. Quantum computers on the other hand might be a different story.
However, hopefully NIST will simply issue a new standard if the AES becomes breakable, like it did for DES.
Not Dutch. Belgian. He works at the same university as I do: KULeuven. Here's his homepage: http://www.esat.kuleuven.ac.be/~rijmen/rijndael/
When will I end this grieving ? When will my future begin ?
Poland got there first, but when the Germans invaded, they completely ran out of resources and handed all their research over to England. A lot of work further down the line, and we (I'm English) were breaking the 3-wheel standard Enigma within hours of getting the first encrypted transmissions, thanks to Turing's 'bombes' (electro-mechanical decrypting devices).
However, when it came to the German naval Enigma, the 4-wheel version, we ground to a halt. We didn't have the resources to build enough hardware to break the crypts within any time that the info would have helped. So we called in the US to help build more gear. It was a big team effort.
Note, however, that the 3rd Reich trusted Enigma utterly. They fell into the trap of thinking they were completely secure, and that was the downfall of Enigma, as it would be of any trusted encryption. Encryption by definition is breakable in a certain length of time. The problem with Enigma was that there were backdoors, such as the fact it never encrypted any letter as itself. The security of AES is currently being hailed as the fact it has a key field 10 to the 21 times larger than 56-bit DES. Great. Only an idiot would try to brute force it though, so the number of keys is somewhat arbitrary.
http://twitter.com/onion2k
> There's a big ambiguity that I couldn't really sort out while reading these web pages: Is this an Open standard or a Commercial standard?
It's a US government standard, meaning that all government-related (whatever that means) should use it (or something like that). It's just another algorithm instead of DES/3DES to be used as The Official US Government Encryption Standard.
Some pieces-o'-software, both free and commercial, use Rijndael, but it's not a standard (ISO or ANSI or whatever).
> Will I have to pay royalties if I intend to write AES-compliant programs then sell related services?
Probably not. There are plenty of free implementations of the Rijndael algorithm, and from what I can figure out, there doesn't seem to be any restrictions on it. From the author's page:
Rijndael is available for free. You can use it for whatever purposes you want, irrespective of whether it is accepted as AES or not.
Even if the US government puts some kind of export restriction on software using it, it's still very available (in several free (of some kind) implementations) outside US.
NIST, too, provides their own reference implementation.
> I actually read in the facts page that the "public" helped build the algorithm and specs, but in which way is that AES thing public?
The algorithm was invented by "the public" (two guys in Belgium), not by NIST or the US government. NIST just selected the one algorithm they considered the most appropriate from the whole lot of available encryption algorithms out there.
There are 010 kinds of people. Those who understand octal, those who don't, and 06 other kinds of morons.
I found several notes on the openssl users list which seem to indicate that AES/Rijndael support will be available in OpenSSL 0.9.7. This has not been released yet, but is reportedly available in the CVS area.
The AES has selected the variable key lengths of 128, 192, 256 to be used with a 128-bit block.
BouncyCastle has had a full implementation of Rijndael since 1.0 beta 4 (now at 1.10)
Disclaimer: I'm a BouncyCastle author.
The problem with Serpent is that the security arguments were heuristic. Rijndael's security is based on the fact that after eight of the ten rounds there are 50 active S-boxes. That makes the best differential or linear trail have an amazingly low probability. Rijndael is also a complete cipher after two rounds.
In the case of Serpent the design relies on having a ton of rounds for security since the branch number of the linear transform is not known.
Someday, I'll have a real sig.
Yeah well all of the attacks that apply to DES do not apply to AES [read the paper dude]. You have to realize that AES is based on the research gained in the decades after DES.
That doesn't mean that AES is invulnerable, just less likely to fall to an attack faster than brute force than DES is.
Someday, I'll have a real sig.
You're kidding right?
Unless a shortcut attack is found a 256-bit key will ALWAYS be secure from brute force searching via a computer. There is not enough energy in the universe to make a conventional computer process that much work.
That doesn't preclude QC-related attacks, but keep in mind that QC is far from reality [in a usable sense] and that even then it will be a long time before you're playing your QC-powered Gameboy...
Currently the best ways to defeat a cipher like Rijndael [or AES if you will] are non-mathy. You install virii, trojans, backdoors, bribe people, beat it out of them, etc...
Actually breaking AES from ciphertext/plaintext pairs only is not likely for a long time to come.
Someday, I'll have a real sig.
Definitely not. This was an important consideration for defining the standard. NIST only accepted unencumbered submissions - meaning:
So - not only can you use the algorithm, you can even use their implementation, no questions asked. They actually released two implementations, a "basic" and an "optimised" one. I don't remember whether having two versions was a NIST requirement.
"How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
Interesting that the US government was busy asking people to try to crack an encryption standard, while at the same time upholding a law to make breaking encryption illegal.
As far as I've read, the DMCA doesn't make breaking encryption illegal, it makes defeating copy/copyright protection mechanisms illegal.
RFC2440, which defines the OpenPGP standard, already reserves 3 AES key sizes (128, 192, 256-bit).
Gnupg already supports AES in all 3 block sizes and so does 'official' PGP v7.0x.
PGP since v7.x hasn't been open source, so you won't find any details at www.pgpi.org. The best way to add AES support to previous 'open source' versions is to use the CKT builds by Imad. These are still based upon the v6.58 code base but contain dozens of fixes and improvements.
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
For names of large numbers, see http://www.unc.edu/~rowlett/units/large.html.
> The S-tables were thought to have been chosen to make the algorithm easy to break for someone who knew the secret.
Yes, this is what was _thought_.
When differential cryptanalysis was discovered in 1991, many DES 'replacements' were completely broken, but DES itself was only weakened, not broken.
It turned out to be those NSA-picked S-boxes that made it much more secure than the alternatives. So, they actually made the algorithm stronger, not weaker.
(and they had apparently known about differential cryptanalysis some 20 years before the academic world did. scary, isn't it?)
--
GCP
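An added example, not from anyone in this thread: it builds the AES S-box from its definition and computes the difference distribution table, the quantity behind both the "50 active S-boxes" argument earlier and GCP's point that S-box choice decides how well a cipher resists differential cryptanalysis. The 50-active-S-box figure is the one quoted above; everything else is computed.

```python
from math import log2

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1 (0x11b)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11b
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse by exhaustive search; 0 maps to 0 as in AES."""
    if a == 0:
        return 0
    return next(x for x in range(1, 256) if gf_mul(a, x) == 1)

def aes_sbox():
    """AES S-box: field inversion followed by the fixed affine map (FIPS-197)."""
    box = []
    for x in range(256):
        v = gf_inv(x)
        s = v
        for k in range(1, 5):                        # v ^ rotl(v,1) ^ ... ^ rotl(v,4)
            s ^= ((v << k) | (v >> (8 - k))) & 0xff
        box.append(s ^ 0x63)
    return box

def ddt_max(sbox):
    """Largest difference-distribution-table entry over non-zero input differences.
    Lower is better: the best one-round differential holds with probability max/256."""
    best = 0
    for dx in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x] ^ sbox[x ^ dx]] += 1
        best = max(best, max(counts))
    return best

def trail_log2_bound(active_sboxes, max_count):
    """log2 of the best differential-trail probability with that many active S-boxes."""
    return active_sboxes * log2(max_count / 256)

if __name__ == "__main__":
    s = aes_sbox()
    print(hex(s[0x53]), ddt_max(s), trail_log2_bound(50, ddt_max(s)))
```

The AES S-box comes out 4-uniform (best differential 4/256 = 2^-6), so 50 active S-boxes bound any differential trail at 2^-300; running `ddt_max` on a weak S-box such as the identity returns 256, i.e. differences pass through with certainty.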
Security wasn't the only consideration in choosing an algorithm for AES. Another major factor was how efficient the candidate was. The winner had to be not only secure, but also fast on very low-end devices and able to scale up to very powerful machines. You can expect to see AES used on embedded microcontrollers, smart cards, and appliances (music players, phones, etc.) and also on hulking encryption "mainframes" dedicated to doing huge amounts of cryptographic operations very, very fast.
I'd guess that Rijndael was more efficient on more types of devices than serpent and that led to its being accepted as the standard.
IMO, that doesn't take anything away from the other top five candidates in terms of their usefulness at hiding information.
obviously no deficiencies vs. no obvious deficiencies
I think you're confused. RSA claimed, in their Scientific American article at least, that their 100-bit key would take millions of years to break. In fact, advances in factoring algorithms (and to a far lesser extent, raw computing power) led to it being broken in less than 20 years. Now the minimal recommended key size is 400 bits longer, and most of us use keys 900 bits longer.
DES was never expected to have a lifetime longer than 25 years or so. The cryptanalysts who designed DES never heard of Moore's law, and wouldn't have cared about it if they had. They knew that the most important factor was algorithm efficiency, not the raw computing power.
In fact, a study in Programming Pearls a while back compared the effects of improved algorithms vs. improved hardware speed for several historically hard problems. The results were clear - hardware is getting faster, but you could still run circles around the latest supercomputer running 1960s era algorithms with your PDA running current algorithms. (Okay, the original article compared Crays to TRS-80s, but kids today may not know what a trash-80 is.)
The only reason computers seem slower is that they're used to solve far bigger problems. People tend to be willing to spend the same amount of time solving problems, and for a given time O(nlg(n)) has a far larger value of 'n' than O(n^3).
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Well, you are talking apples and oranges. Rijndael is a symmetric block cipher where the encrypt and decrypt key are private [and typically the same, or a derivative of the other]. You can typically attack a block cipher through iterative statistical attacks [differential, linear, truncated differentials, boomerangs, square, etc...] or through a brute force of the key space.
Typically for symmetric ciphers those iterative attacks fail [require too many ciphertext/plaintext pairs to work] so brute force is the only remaining known attack.
In the case of DH/ElGamal/RSA over the field of integers [i.e. what PGP basically uses for its private/public key stuff] there are ways to attack those systems faster than randomly guessing the secret information. For example, in RSA you can factor the public modulus [typically the 'n' part of your key] to find the private decrypt exponent. Factoring an N-bit number is typically faster than guessing the N/2-bit factors. [A similar idea holds for DH/DSA and ElGamal]. So factoring a 1024-bit RSA key modulus may take the same amount of time as brute forcing an 80-bit symmetric block cipher's key.
That's why in symmetric block ciphers you can get away with smaller keys than in public key ciphers.
Hope that helps!
Tom
Someday, I'll have a real sig.
A bit more info. PGP is not a cipher either. It's a cryptosystem. It uses a collection of public key ciphers and symmetric key ciphers to do its work.
A public key cipher is a cipher where you make up a key where you can give out a public copy and keep a private copy. People can send you messages using your public key and only your private key can decrypt them. For example, in RSA you make up two primes p and q, and get N=pq, you make up an encryption exponent typically e=65537 [fixed] and find your own decryption exponent de = 1 mod (p-1)(q-1). Since only you know the factors, only you know 'd' [your private key].
Think of it this way.
Let e=5 and then d=1/5.... If you are going to encrypt a message M=4 you do
C = M^e = 4^5 = 1024
Then to decrypt
M = 1024^d = 5^e^d = 5^(ed) = 5^(5/5) = 5
etc...
What PGP really does is use the PK cipher to encode a random key used in the symmetric cipher. The symmetric ciphers actually encrypt your message, and the PK cipher encrypts the key used. When you go to decrypt a message you use your PK private key to decrypt the symmetric key and then you decrypt the message.
Arrg...
Buy Schneier's "Applied Cryptography" if you want to learn this.
Tom
Someday, I'll have a real sig.
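An added example, not Tom's code, covering both of his posts above: RSA key setup with the e=65537, d = e^-1 mod (p-1)(q-1) recipe, and the hybrid pattern where the public key only wraps a random symmetric key that encrypts the actual message. The primes 61 and 53 are toy values chosen so the numbers are readable, and the symmetric cipher is a SHA-256 keystream stand-in for AES, assumed here for illustration.

```python
# Added example (not from the thread): textbook RSA with toy primes, then the
# hybrid scheme described above (public key wraps a random symmetric key).
import hashlib
import math
import secrets

def rsa_keygen(p, q, e=65537):
    """Return (n, e, d): d is the modular inverse of e mod (p-1)(q-1), not 1/e."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                  # modular inverse (Python 3.8+)
    return n, e, d

def rsa_encrypt(m, n, e):
    return pow(m, e, n)                  # C = M^e mod n

def rsa_decrypt(c, n, d):
    return pow(c, d, n)                  # M = C^d mod n, because e*d = 1 mod phi

def stream_xor(key, data):
    """Stand-in symmetric cipher for the demo (SHA-256 counter keystream), NOT AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def _key_bytes(k, n):
    return k.to_bytes((n.bit_length() + 7) // 8, "big")

def hybrid_encrypt(msg, n, e):
    """Pick a random symmetric key k, wrap it with the public key, encrypt msg with k."""
    k = secrets.randbelow(n - 3) + 2     # 2 <= k <= n-2, so k < n survives RSA
    return rsa_encrypt(k, n, e), stream_xor(_key_bytes(k, n), msg)

def hybrid_decrypt(wrapped_key, ct, n, d):
    """Unwrap k with the private exponent, then decrypt the message with k."""
    k = rsa_decrypt(wrapped_key, n, d)
    return stream_xor(_key_bytes(k, n), ct)

if __name__ == "__main__":
    n, e, d = rsa_keygen(61, 53)         # toy primes: n = 3233, phi = 3120
    print(n, e, d, rsa_decrypt(rsa_encrypt(4, n, e), n, d))
    w, ct = hybrid_encrypt(b"meet at noon", n, e)
    print(w, hybrid_decrypt(w, ct, n, d))
```

With these primes d comes out as 2753 (17 * 2753 = 1 mod 3120, and 65537 = 17 mod 3120), which is the point the toy "d=1/5" sketch above glosses over: the private exponent is an inverse modulo phi, not a fraction.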