AES Announced as Federal Standard
chekhov writes: "Today NIST has finally announced AES (Advanced Encryption Standard) as a Federal Standard after 4 years of development. See the press release. AES is the replacement of DES and is expected to be used in financial systems and secure networks for up to 20 years. More information on the AES homepage."
There is a big ambiguity that I couldn't really sort out while reading these web pages: is this an Open standard or a Commercial standard?
Will I have to pay royalties if I intend to write AES-compliant programs and then sell related services?
I actually read in the facts page that the "public" helped build the algorithm and specs, but in which way is that AES thing public?
Trolling using another account since 2005.
Interesting that the US government was busy asking people to try to crack an encryption standard, while at the same time upholding a law to make breaking encryption illegal.
So, now that this encryption method is officially accepted, will it be illegal to try to crack it?
One of the perks of cryptography seems to be the chance to make up words for big numbers! 1 undecillion = 10^36
10^3 = Thousand
10^6 = Million
10^9 = Billion
10^12 = Trillion
10^15 = Zillion(?)
...
I seem to remember Douglas Adams invented a 'grillion' but don't know how big that was supposed to be.
Personally I am a fan of Ross Anderson's Serpent work because I understand it, and after some conversations with people who know both I think it's better than AES.
the sooner AES is used widely the better though
regards
john 'keys ? no sir I forget things' jones
Your better bet is to work out how to solve NP-hard problems (or any one) and map it back to the crypto algorithm. But of course you'll be able to do that easily once IBM releases its first quantum computer....
Points for whoever can produce the explanation why the apparent weakness doesn't matter, and why we shouldn't be jimmying our Rijndaels to do a few more rounds, and calling the variant "RWS" (for Rijndael With Suspenders) or something.
Remember that it was the suspenders added to MD4 to make MD5 that made the cracking of MD4 something other than a disaster.
The security of AES is currently being hailed as the fact that it has a key field 10 to the 21 times larger than 56-bit DES. Great. Only an idiot would try to brute force it though, so the number of keys is somewhat arbitrary.
Key length is, of course, vitally important. Understand the Rijndael spec. before you continue your speculation. Also, many "idiots" try to brute force it. Effort required to force a key is proportional to the cipher's weakness.
Less generally, by employing lack of symmetry and a non-linear layer in the cipher, AES pretty much guarantees that you'll simply be searching the key-space at random. If you can come up with a way to do better than a brute force, you should quit your current job.
The 2^255 Rijndael iterations required to force a 32 byte key is certainly sufficiently secure by today's standards, but historically consistent increases in computing power coupled with increased distributed processing ability due to networked computer proliferation means that keys will have to keep growing to stay reasonably secure.
This is very true, but as someone else pointed out - you will gradually increase the key length as well. Also, the processor time and memory is roughly proportional to key length. They're all connected in an interesting way. So if you double the capabilities of your computer then you can double the key length without taking a performance hit. In doing so you square the time needed to brute-force crack the key.
For example, when public key cryptography was first invented (there's enough contentious history there to make the founding of Cisco look like a tea party) the cost of actually using "safe" length keys was pretty prohibitive. The founding fathers of PGP were just waiting for computers to get fast enough that this situation would be reversed and encryption would become as common as digital information. Well, computers probably got fast enough in the late 80s, but encryption-for-everybody still hasn't really taken off. I guess social factors are harder to model than CPU speeds!
Karma police, I've given all I can, it's not enough, I've given all I can, but we're still on the payroll.
Now, if I happen to successfully develop an AES "decryptor", may I publish its source code without infringing the DMCA [tompox.com]?
The inventors of Rijndael, who seem to be exceptionally intelligent and sane people, would probably be more than happy to be challenged with a real attack on the algorithm. Unless you have a PhD in Mathematics specializing in cryptanalysis you probably needn't waste your breath though.
Of course, if the media industry has had time to implement AES in one of their ridiculous UHT (User Hostile Tech) schemes, you may well end up under legal attack, as could, very possibly, the authors of the algorithm themselves should they find a flaw. It has been noted that the media industries will probably not go after "academics" in the short term considering how the Felten affair blew up on them (Russians apparently don't count).
Just because the enemy has usurped the term "secure" for their UHT does not mean that you should confuse all encryption with DMCA etc. These algorithms really are secure, based on real math that most people agree not even the NSA can break, and do not rely on stupid "gun in mouth" schemes to keep people from breaking them as UHT invariably does.
-- null
You still use crypto software you have to pay for? [Yes, this was a joke, maybe you only use crypto "for personal use".]
GnuPG, on the other hand, developed AES capability less than 2 days after NIST originally approved Rijndael last year. The next public release wasn't for a week or two, but still.... (Well, NIST officially "approved" it just now, but they "recommended it for approval" just over a year ago.) I remember seeing a message from the GnuPG development list about an hour after the NIST announcement saying "I'm working on it."
GnuPG is similar to the command-line version of PGP and supports the same file formats / protocols, but is free for all uses and isn't affiliated with Phil Zimmermann or Computer Associates. I don't know if it has the same depth of plugin support for third-party apps, but hey, it's supported by all the Linux apps I need it for.
"How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
As I understand it, the majority of the Enigma encryptions weren't broken mathematically. GCHQ noted that Enigma was being used for repetitive messages (example: every morning at 6AM a particular transmitter broadcasts an encrypted message, and the plaintext of that message always begins "Aviation weather report 0600 . . . "). Frequently, Turing's bombes were used to rapidly confirm a key derived by working backwards from an assumed plaintext. Additional assistance came from harried Enigma operators who re-used keys, substituted girlfriends' initials for keys, etc.
The German Navy, on the other hand, was notably more disciplined in the use of Enigma. That, more than any other single factor, made it harder to read naval intercepts.
Useful lesson, in my humble opinion; the encryption method (DES, AES, PGP, Enigma, whatever) is less of a vulnerability than the habits of the person using the method. If my messages always begin with "Dear Mom," and always end with my name, I've introduced an exploitable flaw.
Turing didn't invent the concept of the bombes, he just took Rejewski's design and made it work on another level. Even so, Turing does deserve most of the credit for cracking the Enigma. Everyone else was just exploiting implementation flaws in the Enigma code, while Turing kept looking for a more permanent solution. The Poles passed the torch to Britain because they could no longer crack the messages with their budget. This was because the Germans gave every Enigma operator two new scramblers (total of 5), and thus it would have required more bombes than they could afford to build.
The German naval Enigma machines were the most secure, yes, but they had eight scramblers, not four. Also, the navy machines' reflectors could change position, unlike other Enigma boxen. The German navy basically had their shit together where the Enigma machine was concerned. They probably took it more seriously than the other branches, since it was their one and only secure link to the Reich while they were out to sea.
However, when it came to the German naval Enigma, the 4 wheel version, we ground to a halt. We didn't have the resources to build enough hardware to break the crypts within any time that the info would have helped. So we called in the US to help build more gear. It was a big team effort.
This is plain not true. The German naval ciphers were cracked by continually stealing the code books. Right up to the end of the war, the cryptanalysts at Bletchley Park were completely dependent on codebooks to make sense of the Kriegsmarine messages. That was the only Enigma implementation that wasn't "cracked."
Yes, Enigma had backdoors. But it was only after Enigma had already been cracked due to poor message construction and not enough scrambler wheels that this was discovered. So that wasn't why Enigma was initially cracked. It was initially cracked thanks to the cryptanalytic genius of Marian Rejewski, a name that is unknown even in many crypto circles.
Only an idiot would try to brute force it though,
It WAS Martin Hellman who said "God rewards fools."
OK, so you mean that if I happen to break it as an algorithm, this is okay, but if I happen to break its implementation as the new killerdvd format, then I may end up in a similar cell as Dmitri Sklyarov's?
Yes, pretty much.
So this once again makes me wonder whether there is or not a bug in the DMCA:
If some technologies are based upon some free algorithm which gets broken, (*breathe here*) why should the happy-genius-hacker be sued as he just pointed out some flaw in a "public" technology?
Don't try to apply logic to law, it will lead you nowhere. The reason the happy-genius-hacker gets sued is because he is a convenient target, who can easily be painted as a villain in the eyes of courts, politicians, and the public.
Actually, as he'll make the technology improve and thus get rid of the given flaw, it'd rather be the fault of the suing organization as they accepted to use a flawed [1] algorithm...
You are missing a vital point that a lot of technologists seem to miss, but that has not been lost on the international media cartels. It is this: there is no non-flawed implementation of UHT.
Because UHT relies on your computer controlling you (what "user hostile" means) and in at least some sense your computer is always actually under your control, regardless of implementation it will always be possible to crack it. Hackers like Sklyarov and Beale Screamer are not helping improve the UHT technology because whatever is done it will always stay vulnerable, and the vulnerabilities they exposed were undoubtedly known by the implementors. If you support the existence of UHT (or copyright law, which doubtlessly requires UHT to be enforced) then the DMCA is not only a justified, but a necessary law. In fact, the DMCA does not go nearly far enough, which is why laws like the 'SS'SCA are very necessary as well.
I guess the DMCA seriously sucks because of its lack of consistency:
They should rather not use any protection at all than inventing some stupid placebo and whining it's been broken into by some clever hacker.
The DMCA provides the international media cartels with a weapon to harass technologists who want to use computers freely as they see fit rather than under the control of the cartels' authority. It may not be too helpful against software hackers, though it has certainly slowed down many projects, but it certainly works for other purposes (consider why you will never see a CD-ROM drive that by default ignores the broken error-correction codes on those new "copy-proof" CDs).
[1]: though this argumentation is purely 100% hypothetical, I assume there are flaws until one mathematically demonstrates there aren't...
Unfortunately that puts you in quite a bad place, as to my knowledge there are no(*) current ciphers that are mathematically proven to be uncrackable. There are a couple of, at least hypothetical, asymmetric ciphers that have been shown to be "NP-complete" meaning, roughly, that if they can be cracked then a whole class of problems nobody has found any answers to yet can be solved as well (you may have heard of the P != NP conjecture), but the common ones (RSA, DSA, ElGamal) are not even that. Newly designed ciphers like Rijndael/AES (which is a symmetric cipher, so should not be confused with those mentioned before) are not proved to be mathematically secure, but simply engineered to be secure against all currently known attack vectors.
(*) In order to avoid the obligatory lamer responding with ("There is a provably secure cipher, it's called One Time Tap"), I digress that there is a provably secure cipher called a one time pad, which uses keys as large as the messages that can only be used once. OTP can only be used as a type of secrecy delay - if you have a secure channel between two parties at one point in time, they can exchange random key data that will allow them to securely communicate the exact same amount of data securely over an insecure channel later. There is also the algorithm that I believe came from a student of Adi Shamir last year which hid the data in a stream of random data so large there would be no way to cache it long enough to crack the crypto (in theory anyways).
In 1976 Donald Knuth published a paper titled Coping with Finiteness in which he names a number Super K. It is defined as 10^^^^3 where 10^^10 = 10^10^10^10^10^10^10^10^10^10^10 or 10^10 10 times.
I couldn't find the paper (damnit) but Knuth says in Things a Computer Scientist Rarely Talks About
"If you don't agree that Super K is so large as to be beyond human comprehension, I can at least prove conclusively that if you consider all the numbers less than or equal to Super K, almost all of them are impossible to describe in any way in the universe"
I dunno, is that bigger than a googolplex? I wouldn't be surprised if the Guinness people spent less than 30 seconds researching this - in fact I suspect this was just some piece of useless trivia someone who happened to be in the office that day happened to know.
Cryptonomicon is a good book, as is Enigma by Robert Harris; however, they are works of fiction.
The Germans changed the wheel order, start positions, and reflector positions on the Enigma machines nightly, but that wasn't enough. The operators often used the same start codes over and over again, they sent predictable messages, and, like I said, there were issues with the Enigma itself. The UK RAF set up 'traps' by mining specific locations of the English Channel, and then Bletchley Park knew that the messages from specific lookout posts would contain the coordinates of the mines: a very useful crib.
Try books such as Station X, Enigma, Seizing The Enigma, and The Code Book for a readable history.
(The Code Book even has a nice challenge at the end (although the prize has been claimed))
http://twitter.com/onion2k
But that is a huge "if".
I recently did a study of future trends with regard to processors. Let me sum up ....
Processing speeds are currently limited by charge dissipation (no pun intended). Charge dissipation is related to feature (transistor) size. It is a hard fact that feature size can only shrink at the Moore's Law rate for about another 12 years before we get transistors that are only a few molecules thick.
I'm not saying that it will be impossible to continue with efficiency gains beyond that point. But who's going to pay for the research to continue at such a break-neck pace?
Perhaps, I am being short-sighted, but I think we are starting to see a slowing of the demand for ever-faster technology.
Graphics-intensive games are staying on store shelves for years, instead of months. Even Microsoft is having a hard time making software that is bloated enough to demand the latest hardware.
Developing new processor technologies is horrendously expensive. Unless there is sufficient demand for faster processing speed, it will simply not be viable for companies to research the technology.
Okay, I spoke my mind. Flame on!
You can never equivocate too much.
US Government classified information? What the heck are they using for classified info crypto? From the article:
Q: What is the chance that someone could use the "DES Cracker"-like hardware to crack an AES key?
In the late 1990s, specialized "DES Cracker" machines were built that could recover a DES key after a few hours. In other words, by trying possible key values, the hardware could determine which key was used to encrypt a message.
A: Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old.
snip...
The Advanced Encryption Standard (AES) will be a new Federal Information Processing Standard (FIPS) Publication that will specify a cryptographic algorithm for use by U.S. Government organizations to protect sensitive (unclassified) information.
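The arithmetic behind the quoted FAQ figure, and behind the earlier comment about growing key lengths to keep pace with faster hardware, is simple enough to check. The following is an added example, not code from the thread or from NIST: it models exhaustive search as trying half the keyspace on average, takes the FAQ's attacker rate of 2^55 keys per second as given, and assumes a mean Gregorian year of 31,556,952 seconds for the unit conversion. Everything else (function names, the key sizes in the table) is the example's own choice.

```python
from fractions import Fraction

# Seconds in a mean Gregorian year (365.2425 days); assumed for unit conversion.
SECONDS_PER_YEAR = 31_556_952

# Attacker rate from the NIST FAQ quoted above: a machine that recovers a DES key
# in one second tries about 2**55 keys per second (half of the 2**56 keyspace).
DES_CRACKER_RATE = 2 ** 55


def expected_brute_force_seconds(key_bits: int, keys_per_second: int) -> Fraction:
    """Expected seconds to find a uniformly random key by exhaustive search.

    On average half the keyspace is tried, i.e. 2**(key_bits - 1) trials.
    Exact rational arithmetic keeps 256-bit figures from overflowing floats.
    """
    return Fraction(2 ** (key_bits - 1), keys_per_second)


def expected_brute_force_years(key_bits: int, keys_per_second: int) -> Fraction:
    """Same quantity converted to years."""
    return expected_brute_force_seconds(key_bits, keys_per_second) / SECONDS_PER_YEAR


def extra_bits_to_offset(speedup: int) -> int:
    """Key bits to add so an attacker `speedup` times faster gains nothing.

    Each extra bit doubles the expected work, so ceil(log2(speedup)) bits
    restore the original margin; (speedup - 1).bit_length() computes that
    ceiling exactly for integer speedup >= 1.
    """
    if speedup < 1:
        raise ValueError("speedup must be >= 1")
    return (speedup - 1).bit_length()


def crack_time_table(keys_per_second: int = DES_CRACKER_RATE) -> dict:
    """Expected years for the key sizes discussed in the thread, at one rate."""
    return {
        bits: expected_brute_force_years(bits, keys_per_second)
        for bits in (56, 128, 192, 256)
    }


if __name__ == "__main__":
    for bits, years in crack_time_table().items():
        print(f"{bits:3d}-bit key at 2^55 keys/s: ~{float(years):.3e} years")
    # A thousandfold faster attacker is cancelled by ten more key bits.
    print("extra bits to offset a 1000x faster machine:", extra_bits_to_offset(1000))
```

Running it reproduces the FAQ: a 56-bit key falls in one second at that rate, while a 128-bit key takes 2^72 seconds, about 1.5 x 10^14 years. The table also shows why the "keys must keep growing" point is cheap to satisfy: each doubling of attacker throughput is absorbed by a single additional key bit, so the step from 128 to 256 bits covers far more than any foreseeable hardware trend.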
Very true; it's commonly believed that the way that DES withstood differential encryption shows that the NSA knew about that technique in the '70s.
Also interesting, though, is the evidence that the NSA didn't know about linear cryptanalysis; DES was weakened quite a bit more under that method of attack.
That's not to insult IBM or the NSA; you can't predict what sort of an attack people are going to throw at you two decades in the future. That it stood up as well as it did is a monstrously huge accomplishment.
I'm just fascinated how we can deduce what the NSA knew and didn't know so many years ago, by judging how well things withstand attacks today.