Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
News

AES: Learn All About It 55

Posted by timothy from the paranoia-is-always-justified dept.
Jason Bennett, frequent reviewer of books, now regales you with this great piece on the background and development of the new encryption standard to replace the pretty-good-till-now DES. It's full of linked information you'll want to digest, too. Update: 02/23 12:32 AM by T : Note: The links I borked are better now; mea culpa (and beware copying in Mozilla).

Since it was officially approved by the U.S. Government in November of 1976, most of the world's sensitive commercial traffic has been secured through the use of the Data Encryption Standard (DES). In its twenty-five year lifetime, it has become the most widely used, most widely trusted, and most widely studied encryption algorithm in existence. Alas, in the same way that your Atari 2600 [?] is currently sitting on the floor of your closet, DES' lifetime has come to an end as well. This was most dramatically demonstrated in the three DES Challenges sponsored by RSA Labs between January of 1997 and January of 1999, with a DES-encrypted message eventually being broken in less than 24 hours. This challenge also witnessed the birth of a DES-specific cracking computer, a machine widely theorized about, but never before (publicly) built. Although variants of DES (most notably Triple DES) are still widely used, it became clear that a new algorithm would be needed for the next twenty-five years.

Thus was born the Advanced Encryption Algorithm Development Effort. Beginning in January, 1997 (just before the RSA challenges finally broke DES), the National Institute of Standards and Technology announced its intent to begin the Advanced Encryption Standard (AES) process. The initial AES workshop was held in April, with the official call for algorithms going forth in September. Importantly, this call specified that the algorithms submitted have a key length of 128 bits, and be free of intellectual property constraints. Algorithms would be accepted from domestic and international submitters, and the resulting algorithm would be completely public. The con test would also consider both the hardware and the software implementation -- a divergence from DES, which was specifically designed for use in hardware. Importantly, the hardware that the AES had to operate in could vary from the largest supercomputer to a ROM-based smart card or other embedded ed environment. A candidate algorithm might well be optimized for one or the other, but had to perform at least reasonably well on all to have a real chance of being selected. Finally, this algorithm would be designed from the ground up to use the long key length, and thus would be faster and more secure than Triple-DES is at that length.

Thus came the warriors to the joust. On August 20-22, 1998, the first AES conference was held, with fifteen different algorithms being presented. Over the next seven months, these algorithms were tested in laboratories around the world to probe for weaknesses and to test the their speeds. There is a huge selection of papers on these tests at the AES1 site for your perusal, so I will not try and detail those tests here. Suffice to say, several of the algorithms had serious problems identified, while others came through with flying colors. The next March, the second AES conference was the forum for the presentation of these results, and a subsequent discussion of which algorithms should thus advance to the final round. These finalists were announced in August of 1999, thus beginning the second round of competition. NIST subsequently issued an excellent report detailing their rationale about each algorithm, including the problems and benefits associated with each.

The AES finalists were:

Obviously, each candidate comes to the conclusion that their cipher is the best. Nevertheless, there are some shared criticisms of the various ciphers that show patterns in each one. Serpent, for example, is universally named the slowest algorithm (in software), even by its creators. Nevertheless, they make their case based on being the most secure algorithm of the bunch. RC6 and MARS are both very fast on certain processors, but terrible on others. As noted above, any serious AES candidate had to perform well across all platforms, and thus this variable performance tended t o compromise these candidates. None of the algorithms were ever broken by a practical attack, however, and all should be considered secure enough for serious encryption work. Thus was held the third AES conference in April of 2000. This was the final conference before the official AES selection, and the last chance for each algorithm to make it s case. The statements above were presented at the end of this conference in an effort to make that case. Once the conference ended, it was up to NIST to make its selection. The candidates could only wait.

Finally, on October 2, 2000, NIST released their final decision, that R ijndael was to be the AES selection. Simultaneously, NIST released a paper detailing their rationale for the selection. In sum, this paper says that any of the finalists could have been selected (an opinion echoed by man y in the industry), but that Rijndael proved to have the proper balance necessary between speed in hardware, speed in software, and security. To quote from NIST's statement:

Rijndael appears to be consistently a very good performer in both hardware and software across a wide range of computing environments regardless of its use in feedback or non-feedback modes. Its key setup time is excellent, and its key agility is good. Rijndael's very l ow memory requirements make it very well suited for restricted-space environ environments, in which it also demonstrates excellent performance. Rijndael's operations ons are among the easiest to defend against power and timing attacks. Additionally, it appears that some defense can be provided against such attacks without significantly impacting Rijndael's performance. Rijndael is designed with th some flexibility in terms of block and key sizes, and the algorithm can accommodate alterations in the number of rounds, although these features would require e further study and are not being considered at this time. Finally, Rijndael's internal round structure appears to have good potential to benefit from instruction-level parallelism.

At this point, it's all over but the shouting. At some point later this year, the Secretary of Commerce will officially designate Rijndael the Advanced Encryption Standard, and a new era will have begun. AES was specified (and is expected) to remain a standard for at least as long as DES, and to protect data for even longer, and barring a major development (such as faster-than-forseen developments in quantum computing), this standard will likely be met. No one expects research into new algorithms to die, however. There will continue to be parallel algorithms developed and used, just as there are today. Thanks to be combined efforts of NIST and the community, however, there will always be the bedrock of AES available.

In conclusion, I'd like to point out the positive role that the U.S. Government, as represented by NIST, has played in this process. The Free Software/Open Source community has taken its share of shots at the government over patents, copyright and crypto export over the past several years, and deservedly so. The AES process, however, was lauded throughout the encryption community as a fair and open process that brought together the best minds available to select the algorithm for the next century (as NIST likes to say). Making an algorithm a FIPS standard gives it a legitimacy that cannot be obtained in any other way, especially given the way that this standard was arrived at. The algorithm is completely free of any IP hurdles, as was specified at the beginning of the process, and since the code is open, it can be downloaded by anyone in the world (and since it was designed outside of the U.S., any attempt to regulate its export from the U.S. would be silly). It is reasonable to criticize when a situation is bad, but it is only fair to praise when something is good.

Bibliography

I used a great number of sources from print and the web, so it's only fair to list them here. I also put many links in the body itself, most of which go into much more detail than I did.

This discussion has been archived. No new comments can be posted.

AES: Learn All About It More

AES: Learn All About It

Comments Filter:

  • Re:who's still using DES? (Score:1)

    by Anonymous Coward
    DES is still used in lots of places. saying DES is useless because it has been cracked doesn't neccessarily follow.

    i can pick the lock on your house, but you continue to use it, right? why don't you have a bank vault door on your house? it's a lot more secure, isn't it?

    sometimes you weigh the cost (speed) of the lock against what it is you are protecting. if you are protecting something which only needs to be protected a short time, or is of limited value, then DES is just fine.

    also consider the situation where you are encrypting lots of little bits of data with different keys. yes, you can crack each little thing in 24 hours (if you have the compute power) but that only gets you that one item. then you have to spend 24 hours to crack the next piece, and so on.

    lastly -- "if you have the compute power" -- remember that the 24 hour time was achieved using a specialized machine in conjunction with the compute power of distributed.net. your average cracker is not going to have those kind of resources available.

  • Did Anyone Catch the Pun? (Score:1)

    by Anonymous Coward
    About "digest" (last sentence)? It's a crypto API too. There's tons of subtle jokes throughout slashdot. One of the reasons I love it.

  • AES Interview (Score:1)

    by Anonymous Coward

    There's an interview with the AES winners on LinuxSecurity.com:

    LinuxSecurity.com Speaks With AES Winner [linuxsecurity.com]

  • You can learn about AES (Score:1)

    by Anonymous Coward
    at this page [stanford.edu].

  • Alphabet Soup! (Score:1)

    by Anonymous Coward
    So what's all this encryption stuff got to do with Auger Electron Spectroscopy (AES) anyway?
  • The AES finalists were:

    MARS (IBM) [ibm.com] (their case) [nist.gov]
    RC6 (RSA) [rsasecurity.com] (their case) [nist.gov]
    Rijndael (their case) [nist.gov] (how to pronounce it) [rijndael.com]
    Serpent (their case) [nist.gov]
    Twofish (Counterpane) [counterpane.com] (their case) [nist.gov]

  • Personally, I'm waiting until the SNES comes out. I hear that a 16-bit encrypted graphics console rocks!
  • this seems to me a perfect opportunity

    no one with any sense will trust the silicon from a vendor without having it peer reviewed

    there are notes on how OpenBSD would not like to trust IBM crypto accelerator (for ssl and such) because the RSA,FBI,MI5 and various three letter agencies might have tampered with it

    why not do an add in for a SOC solution based on the AMBA bus
    the Leon is a good example of a LGPL core

    my page on it
    http://www.mischevouslittle.demon.co.uk/hardware/s parc/index.html [demon.co.uk]

    why not do this for AES ?

    regards

    john jones
  • Of course I'm in the wrong country to understand, but it surprises me quite how much people mistrust the NSA.

    Remember that during the developement of DES, the NSA suggested some changes to some of the tables, and these changes WERE incorporated, and conspiracy theorists everywhere assumed that the NSA were using the changes as a backdoor that none of us understood.

    Years later, a new type of attack was discovered ("meet-in-the-middle", I think?), and it was realised that the NSA's table-changes made DES MORE secure against this type of attack - basically it seems that the NSA knew about this attack years before the public, and deliberately PROTECTED DES against it.

  • What really sucks is that you can't change encryption algorithms within your VPN. Are you sure about that?
  • ...and those who are in their right minds will continue to use triple-DES over Rijndael/AES for a good while longer. Fancy new algorithms are wonderful things, but they're untested. Give Rijndael a couple of years to mature before you leap whole-heartedly into using it. There is nothing wrong with 3DES right now. The keyspace is sufficient, and there are no known practical attacks after manymany years of use.
  • You messed up the NIST url.. you apparently forgot a quote mark....

    Try again boys...

    --
    Gonzo Granzeau

  • Never replaced? What about MP systems? What about... well, Beowulf Clusters?

  • I'd use blowfish or idea right now as an encryption algorithim. They've been tested for greater than five and ten years respectively, and they are both significantly faster than 3des.

    A couple of years from now, if don't hear of any insecurities, I'd use Serpent, Rijndael, or Blowfish.

    Five years really should be long enough to seen any inherent insecurities in an incremental algorithim alteration like DES->Blowfish.

  • There is nothing wrong with 3DES right now.

    Except being three times as slow as DES, which is already slow. I think you don't understand that security isn't the only reason to choose an algorithm. Rijndael was not considered the most secure of the finalists for AES (the third most secure by some reckonings). It was, however, fast and easy to implement.

    If you are a government or otherwise have secrets you don't want revealed 50 years from now, you might want to use 3DES.

    If you are not the target of a government or something with similar resources, you can probably use even regular DES fairly confidently. But DES still has its problems aside from security. AES is small, extremely fast in software and hardware, works well in smart cards, and it's extremely unlikely that anyone's going to find a practical attack on it for many years, if ever.

  • -IJ is 2 letters, pronounced as one. It has no equivalent in english. Sound is closer to 'i' (as in 'like')

    -ui does not have an equivalent sound in english. the 'ou' and 'au' are both pronounced as 'ou' in english

    -G can be pronounced in 3 different ways: zj, the guttural G and the soft G. the 2 latter ones are exclusive, since they are regional variants.

    //rdj
  • I kind of got the feeling the links were munged on purpose. Perhaps they were trying to prevent against slashdot-effect.
  • I'm sure someone is going to fix the bad HTML, but meanwhile, here is the rest of the article...

    Finally, on October 2, 2000, NIST released their final decision [nist.gov], that R
    ijndael was to be the AES selection. Simultaneously, NIST released a paper [nist.gov]
    detailing their rationale for the selection. In sum, this paper says that any of the finalists could have been selected (an opinion echoed by man y in
    the industry), but that Rijndael proved to have the proper balance necessary between speed in hardware, speed in software, and security. To quote from
    NIST's statement:



    Rijndael appears to be consistently a very good

    performer in both hardware and software across a wide range of computing
    environments regardless of its use in feedback or non-feedback modes. Its key
    setup time is excellent, and its key agility is good. Rijndael's very l ow
    memory requirements make it very well suited for restricted-space environ environments,
    in which it also demonstrates excellent performance. Rijndael's operations ons are
    among the easiest to defend against power and timing attacks. Additionally y, it
    appears that some defense can be provided against such attacks without
    significantly impacting Rijndael's performance. Rijndael is designed with th some
    flexibility in terms of block and key sizes, and the algorithm can accommodate
    alterations in the number of rounds, although these features would require e
    further study and are not being considered at this time. Finally, Rijndael's
    internal round structure appears to have good potential to benefit from
    instruction-level parallelism.


    At this point, it's all over but the shouting. At some point later this year, the Secretary of Commerce will officially designate Rijndael the
    Advanced Encryption Standard, and a new era will have begun. AES was specified (and is expected) to remain a standard for at least as long as DES, and
    to protect data for even longer, and barring a major development (such as faster-than-forseen developments in quantum computing), this standard will
    likely be met. No one expects research
    into new algorithms to die, however. There will continue to be parallel algorithms developed and used, just as there are today. Thanks to be combined
    efforts of NIST and the community, however, there will always be the bedrock of AES available.



    In conclusion, I'd like to point out the positive role that the U.S. Government, as represented by NIST, has played in this process. The Free
    Software/Open Source community has taken its share of shots at the government over patents, copyright and crypto export over the past several years,
    and deservedly so. The AES process, however, was lauded throughout the encryption community as a fair and open process that brought together the best
    minds available to select the algorithm for the next century (as NIST likes to say). Making an algorithm a FIPS standard gives it a legitimacy that
    cannot be obtained in any other way, especially given the way that this standard was arrived at. The algorithm is completely free of any IP hurdles,
    as was specified at the beginning of the process, and since the code is open, it can be downloaded by anyone in the world (and since it was designed
    outside of the U.S., any attempt to regulate its export from the U.S. would be silly). It is reasonable to criticize when a situation is bad, but
    it is only fair to praise when something is good.



    Bibliography

    I used a great number of sources from print and the web, so
    it's only fair to list them here. I also put many links in the body itself,
    most of which go into much more detail than I did.

  • Now that I've been reading up on crypto I see what the real problem with DES was -- it is really slow in software, because it relies on bit (rather than byte) operations.

    I think currently, specialized hardware is something like 1000 times as fast as software, which means if you want something to encrypt your T1 connection in software, you have to use single DES, which can be cracked by dedicated hardware.
  • There are lots of ways to hide a backdoor or key leak in an SSL implementation because it's complex and uses public-key cryptography. The most popular idea is to tamper with the random number generator. However it would be quite hard to backdoor a symmetric block cipher like AES and still have it interoperate with reference implementations.
    Although you could design the chip to leak some key data via RF. This would only benefit adversaries capable of getting an antenna near the chip.

  • The article said this...

    AES was specified (and is expected) to remain a standard for at least as long as DES, and to protect data for even longer, and barring a major development (such as faster-than-forseen developments in quantum computing), this standard will likely be met.

    Is there any reason quantum computing would be better at cracking AES than some other algorithm? It seems to me that if someone builds a quantum computer and gets it to crack stuff really fast, it wouldn't be hard to crack any algorithm really fast.

    Luckily, there are other ways of keeping data secure. One I remember seeing was another quantum effect, dealing with the orientation of photons. Basically, it was a complicated but theoretically perfectly secure way to transmit data with light. The only real downside was that it's probably expensive to do, and no one's yet done it over a very long distance (say, to a satellite) so far. Plus, of course, that it only helps for transmission. You can't encode a hard drive like that.

  • Something a friend pointed out to me on the official [kuleuven.ac.be] Rijndael site - if you go to the "Vincent Rijmen" link [kuleuven.ac.be] on the main page with Internet Explorer, it redirects you here [kuleuven.ac.be], for no reason I can figure out from browsing the source. Also note the banner at the top [kuleuven.ac.be] of the page. Is this really the sentiment we want from the cocreator of an international standard? I realize yes, in some ways it doesn't matter because it's not part of the main page, it's part of his personal page (in theory), but still - it's linked *straight* from the official page, and is unviewable with IE.

    (And I suppose I must mention this for the sake of the people who'll reply with "well, of course, IE sucks so it shouldn't be used" - how would you like it if that page redirected you to "This page is ONLY viewable with Internet Explorer" instead?)

    Discussions? Flames? :P

  • Hello, Koeieuier is no longer valid (unfortunately). The new spelling introduced at the start of the '90s makes it "koeienuier"...
  • ...or you just decided that this was the best security you could get (provided you were in the US at the time), that could make fair speeds. You'd like it to be perfectly secure for an "almost" unlimited time, but there wasn't any reasonable way to do so (or you thought the DES would last "forever"). 128bit (or for that matter, use 256 bit if you're paranoid and you'll have that security, if it's needed.

    I'd say that in general information would have interest far longer than a few hours or a day, to make a few examples: Military, banking, confidential information (medical, employee details etc.), inside information of your company (including marked plans, strategic alliances, product plans), security systems and also on the personal level, though I hardly suppose anyone would dedicate a DES cracking machine to you unless you were in serious organized crime.

    But hey, whatever works for you.. last time I heard during a drive around my capital you got access to 11 unsecured wireless networks.. oh well ;)

    Kjella
  • Dear Cryptography User:

    It has come to our attention that your use of the AES system infringes on our intellectual property rights as set forth in US patent 293869113.

    All your AES are belong to us.
  • Of course, there are many factors that alter this, chief of which is that we'll probably hit theoretical limits on Moore's Law by then. Ross Anderson speculates that the AES may *never* be replaced.

    "Heavier than air flying machines are impossible."
    [Lord Kelvin, 1895]

    "Everything that can be invented has been invented."
    [Commissioner, US Patent Office, 1899]

    "Stocks have reached what looks like a permanently high plateau."
    [Yale Economics professor, 1929]

    "I think there is a world market for maybe five computers."
    [IBM Chairman, 1943]

    "640K ought to be enough for anybody."
    [Bill Gates, 1981]

    128 bits is a very very large key space (to put it mildly), but the phrase "AES may *never* be replaced" seems destined to end up on someone's "stupid predictions made by historical figures" list sooner or later. (I'm not trying to insult Ross Anderson here, in fact I have a great deal of respect for the work he's done in the field of cryptography, it's just that whenever I hear the word "never" an alarm is triggered in the back of my head).


    --

  • Saddam Hussein: Quickly, let us get to our modified playstation 2 devices to use this Rijindael encryption!
  • I don't know if timothy or Jason Bennett made the mistake, but the above does not display a good chunk of what's in the html source. This bit:

    Finally, on October 2, 2000, NIST's main AES site [nist.gov] is the place to start.

    is supposed to read thusly:

    Finally, on October 2, 2000, NIST released their final decision [nist.gov], that Rijndael was to be the AES selection. Simultaneously, NIST released a paper [nist.gov] detailing their rationale for the selection. In sum, this paper says that any of the finalists could have been selected (an opinion echoed by many in the industry), but that Rijndael proved to have the proper balance necessary between speed in hardware, speed in software, and security. To quote from NIST's statement:

    Rijndael appears to be consistently a very good performer in both hardware and software across a wide range of computing environments regardless of its use in feedback or non-feedback modes. Its key setup time is excellent, and its key agility is good. Rijndael's very l ow memory requirements make it very well suited for restricted-space environ environments, in which it also demonstrates excellent performance. Rijndael's operations ons are among the easiest to defend against power and timing attacks. Additionally y, it appears that some defense can be provided against such attacks without significantly impacting Rijndael's performance. Rijndael is designed with th some flexibility in terms of block and key sizes, and the algorithm can accommodate alterations in the number of rounds, although these features would require e further study and are not being considered at this time. Finally, Rijndael's internal round structure appears to have good potential to benefit from instruction-level parallelism.

    At this point, it's all over but the shouting. At some point later this year, the Secretary of Commerce will officially designate Rijndael the Advanced Encryption Standard, and a new era will have begun. AES was specified (and is expected) to remain a standard for at least as long as DES, and to protect data for even longer, and barring a major development (such as faster-than-forseen developments in quantum computing), this standard will likely be met. No one expects research into new algorithms to die, however. There will continue to be parallel algorithms developed and used, just as there are today. Thanks to be combined efforts of NIST and the community, however, there will always be the bedrock of AES available.

    In conclusion, I'd like to point out the positive role that the U.S. Government, as represented by NIST, has played in this process. The Free Software/Open Source community has taken its share of shots at the government over patents, copyright and crypto export over the past several years, and deservedly so. The AES process, however, was lauded throughout the encryption community as a fair and open process that brought together the best minds available to select the algorithm for the next century (as NIST likes to say). Making an algorithm a FIPS standard gives it a legitimacy that cannot be obtained in any other way, especially given the way that this standard was arrived at. The algorithm is completely free of any IP hurdles, as was specified at the beginning of the process, and since the code is open, it can be downloaded by anyone in the world (and since it was designed outside of the U.S., any attempt to regulate its export from the U.S. would be silly). It is reasonable to criticize when a situation is bad, but it is only fair to praise when something is good.

    Bibliography

    I used a great number of sources from print and the web, so it's only fair to list them here. I also put many links in the body itself, most of which go into much more detail than I did.

    • NIST's main AES site [nist.gov] is the place to start. It links to most of the technical information I linked to above.

    All that missed due to one stinking quotation mark! Geeze, guys, learn to Preview!

  • Oh, great. Several of us post that /. made an error, and all our posts are modded to zero. Then I complain that those posts were modded down, and that post is called flamebait and modded down as well -- but the original posts are modded back up!

    So which is it, /.: Were the original posts crap deserving of modding down, in which case the above complaint may indeed qualify as "flamebait", Or was the original modding down wrong (as indicated by their being modded back up), in which case my complaint is not flamebait and should not have been modded down? Which is it -- you can't have it both ways (at least, not without getting called on it :-)

    By the way, this is not flamebait. When I bait a flame, you'll know it!

  • I'm as paranoid as anybody who does encryption. I was chatting with an OS implementation guy at one of the major Unix vendors regarding the PRNG that he is charged with implementing, and I clued him in on several paranoid assumptions he was overlooking.

    Still, past a certain point, you must consider practicality. While I'd love to chain Twofish and Rijndael together (Twofish is a Feistel cipher somewhat similar to DES, Rijndael is some other kind of beasty altogether, so it is unlikely that BOTH would be broke), the result would be less than half the speed of Rijndael. While this would be fine for a file encryption program, I wouldn't want to try it for encrypting a gigabit Ethernet network connection -- it'd suck my CPU to the toilet.

    Past a certain point, you have to look past paranoia and decide: a) Just how secure the data needs to be (and against whom does it need to be secure), and b) what's practical to do, given current technology. I made the decision, when Rijndael was chosen as the Advanced Encryption Standard, that Rijndael alone provided adequate security for my purposes. Depending upon how sensitive your data is (and what happens if it is compromised), you may make a different decision. I'm sure that Bin Laden triple-encrypts everything, since failure of his encryption means that he dies. If the consequences of failure are death and imprisonment, of COURSE you should double or triple encrypt everything, regardless of the performance penalty. Otherwise, it's a more difficult analysis, and usually double or triple encryption doesn't buy you enough to outweigh the costs.

    -E

  • Me and Randy Kaelber whipped up a program called 'aescrypt' that is at aescrypt.sourceforge.net [sourceforge.net]. Nothing fancy, but useful for shell scripts. (Reminder: If you post any shell scripts that use aescrypt, you must also submit the URL to the BXA, see Matt Blaze's crypto page at crypto.com [crypto.com] for more info). Anywho, this uses Rijndael to implement a stream cipher via CFB-128 cipher feedback mode.

    You'll need to devise your own shell scripts to serve as a key manager etc.,this is a raw Unix component similar to 'dd', rather than a swiss-army-knife application like PGP.

    -E

  • While not as fast as Serpent in hardware, Rijndael is pretty efficient, and doesn't demand too many gates. There should be no problem with encrypting a T1 using Rijndael even in software; in hardware it should be able to encrypt much fatter links, especially used in CTR mode (or OCB, IAPM etc) where you can do several block encrypts in parallel.
    --
  • I'm pretty sure RC6 had the smallest security margin of the five finalists.

    Note that Bruce Schneier has also gone on record as saying that he does not believe any practically useful weakness against Rijndael will ever be discovered. Also, Rijndael gains a lot of strength from each round, so the security margin may be misleading; the Square based attacks stretch across quite a few rounds but they're very hard to extend.
    --
  • This piece didn't really seem all that complete since there were a couple of things that should have been mentioned. The first one was that the standard did not mandate just an 128-bit key length but also required key lenghts of 192- and 256-bits. An 128-bit block size was also required.

    Secondly it should have been mentioned that Rijndael had the smallest "security margin" of the AES finalists. (At least I'm pretty sure it was the smallest, I don't have the papers here to confirm.) What this means is that out of the number of rounds (essentially iterations) of the cipher, it has proportionally the most broken of any of the finalists. While none of these represent real-life attacks they do give some indication of a confidence level for the future. Remember, as Bruce likes to say, "attacks always get better."

    Finally it should be noted that this is only a standard for a block cipher so calling it a "encryption standard" is a little misleading. It would be nice also to have an official stream cipher standard and public key encryption standard.
  • I'm not entirely certain no cipher negotiation is a good idea. If Rjindael is ever cracked, it would be nice to be able to plug in another algorithm. Plus, Rjindael is fairly new, so older programs may not support it.

    But, it does at least make an obvious default.
  • hmm.. not according to Van Dale's dictionary.

    [snip]
    Schrijf een tussen-n als het eerste deel van de samenstelling:
    niet op een e eindigt en een meervoud heeft op -en: bloemenmand, leeuwendeel
    een persoon aanduidt en een meervoud heeft op -en: blindeninstituut, ziekenhuis
    [snip]

    (translation)
    Use the extra 'n' when the first part of the compound word:

    -doesn't end in 'e' and has a plural ending in 'en'
    -denotes a person and has a plural ending in 'en'

    koe ends in 'e', so no 'n'. koeieuier stands. Now I would like to hear Bush pronounce this.

    //rdj
  • Now that I've been reading up on crypto I see what the real problem with DES was -- it is really slow in software, because it relies on bit (rather than byte) operations.

    According to the Serpent WWW site, DES can encrypt 15 Mbit/sec on a Pentium 200; Serpent manages 45 Mbit/sec - three times faster, despite being much more secure! A great deal of effort went into optimising both Serpent and Rijndael for performance; I can't see the corresponding figure for Rijndael on their page, but I was told a few weeks ago that Serpent basically lost because it was slower than Rijndael... (Since this came from one of the guys who worked on the performance optimisations, I think he'd know!)

    I'm currently doing an encryption project with Ross Anderson (one of the Serpent guys) as my supervisor. It's a public key system (RSA with 2048 bit keys). Unfortunately, I'm using DES for part of the project, which probably won't make him happy :-/

  • It's gonna take about 2 more years for them to crack RC5-64, but hey, let's get started on AES now! According to my rough calculations, it should take a mere 1,000,000,000,000,000,000,000 (that's 1^20) years to break at today's computing speed!

    Unless we can get some time on the NSA's über-secret quantum computer and do it in a few minutes, that is.

    :)

  • Ross Anderson speculates that the AES may *never* be replaced.

    I guess he never heard of Quantum Computation [qubit.org].

    I'd like to play Quake 21 (or Doom 15) in one of those babies

  • Dear sirs As a foreigner living in Holland and using Dutch v1.x i'm taking this opportunity to complaint about a couple of issues with your system:
    • IJ actualy represents an Y with two dots on top. It reads strange otherwise
    • UI actualy reads as OU. For example UIT is read as the english word OUT (and means the same)
    • The letter G can be read in two totally distinct ways: As the G of Going or as a gutural groan (nothing quite like it in any of the other languages i know). It all depends on the origins of the word: "garage" is G because it comes from the French, "gaan" is the gutural thing.
    I expect this to be corrected in Dutch v2.0

    Best Regards,
    A Dissatisfied User

  • What really sucks, is I just set up a VPN between offices using DES and now their is something new out. Oh well, back to the old drawing board.

  • Calling the DES replacement AES is like naming a specific product "new" or "ultimate".

    I always thought the same thing about the "Very Large" qualifier in VLSI, or the V and U in VHF and UHF.

    Five years later it isn't new, and what are you going to call its replacement?

    I take your point about the name getting obsolete, but as an aside: AES will probably last longer than just 5 years. (DES lasted as a standard for a LONG time, much after most people thought it should have. Hopefully AES won't be thought of as weak for a long time.)

  • I've been playing with the perl API to the Rijndael encrytion scheme and have found it easy to use and speedy. The module is very new, and does cause a segfault it you feed it data of an improper length (instead of throwing an error), but it is interesting to experiment with this emerging technology. Read about the module here: http://search.cpan.org/search?mode=module&query=Ri jndael [cpan.org]

  • Can't you give it another name ? (Propose it as a tweak !)

    Dutch is a wonderful language. Currently we are debating about the names "Herfstvrucht", "Angstschreeuw" and "Koeieuier". Other suggestions are welcome of course. Derek Brown, Toronto, Ontario, Canada, proposes "bob".

  • Who in their right mind is still using DES for anything important? I think the fact that it's been cracked a number of times puts me off from using it.
  • Most VPN solutions use triple DES, though I expect they'll have firmware updates soon to take advantage of AES.

    --

  • Importantly, this call specified that the algorithms submitted have a key length of 128 bits, and be free of intellectual property constraints.

    Better make sure RamBus doesn't join!

    --

  • Trust Bruce Schneir, Paul Crowly, etc. (Score:3)

    by Eric Green ( 627 ) on Thursday February 22, 2001 @09:26PM (#409849) Homepage
    The AES candidates have been examined by the best and brightest cryptographers world-wide (every cryptographer outside of the NSA, anyhow). The creators of Rijndael are two of the most reputable cipher designers in Europe, who, amongst other things, have designed ciphers currently implemented in most of the "smart cards" in Europe. While I would not trust the NSA further than I could throw a Buick, I trust Bruce Schneir, Paul Crowly, Brian Gladman, and all of the other very, very good and reputable people who have closely examined Rijndael and found no breaks.

    Right now I believe that the NSA has given up on cracking ciphers, and is more interested in securing America's commercial transactions to protect them from info warfare. Besides, as one spook divulged somewhere that I don't recall, the NSA doesn't need to crack the encryption to monitor your communications. Most networks and operating systems are so insecure that, if they decide to monitor you, they can intercept your data long before it hits the wire.

    -E

  • When the time comes... (Score:3)

    by Christopher B. Brown ( 1267 ) <cbbrowne@gmail.com> on Thursday February 22, 2001 @01:59PM (#409850) Homepage
    They'll work on the:
    • UAES - Ultra-Advanced Encryption Standard
    • MAES - More Advanced Encryption Standard
    • NES - Next Encryption Standard

      At which point AES would get renamed PES, the Previous Encryption Standard

    • FES

      Where if you don't "FES" up to what your key is, they'll have at you with rubber pipes...

    • GES - Guess!

  • As long as they don't actually call it AES (Score:3)

    by devphil ( 51341 ) on Thursday February 22, 2001 @01:17PM (#409851) Homepage


    Calling the DES replacement AES is like naming a specific product "new" or "ultimate". Five years later it isn't new, and what are you going to call its replacement? "really ultimate, we mean it this time"?

    Calling DES by its name now feels silly because the S is more or less false. Three decades from now we'll feel silly calling these algorithms AES, because our hardware will be able to crack 128-bit keys in eight seconds (while ripping mp3's, of course), and that hardly counts as "Advanced".

    Still, I'm looking forward to Razjdxndawl. (I can pronounce it no problem, but heck if I can remember how to spell it.)

  • Re:This really hurts (Score:3)

    by yamla ( 136560 ) <chris@@@hypocrite...org> on Thursday February 22, 2001 @01:14PM (#409852)
    You shouldn't use a new encryption algorithm just because it is new. In fact, if you did your requirements analysis correctly for your VPN, the introduction of AES changes absolutely nothing.

    Sure, AES is (almost certainly) more secure. But in your requirements phase, you presumably determined that DES provided sufficient security for your needs. You presumably determined that your VPN needed to keep data secure for approximately 24 hours and anything more secure was simply overkill.

    The introduction of AES does not change this. Your data is still secure for about 24 hours against a custom-built DES cracking machine, longer against a general purpose attack.

    I suggest you read Secrets and Lies so you can understand the tradeoffs in the computer security field.

    --

  • AES info (Score:3)

    by pgpckt ( 312866 ) on Thursday February 22, 2001 @12:58PM (#409853) Homepage Journal
    Not much to say here.

    I noticed some links were bad. So, for your pleasure, look at http://www.nist.gov/aes [nist.gov]
    instead. It has all the links to everything.

    In case anyone is wondering if there are any applications that use AES, the newest version of PGP do. I am not using any version past 6.5.8 due to the NAI/PRZ split that was noted here on Monday, but I thought I would make sure you all knew.
    ----------------------
    Kurt A. Mueller
    kurtm3@bigfoot.com
    PGP key id:0x4FB5FB1D

  • Just so there are no misunderstandings (Score:4)

    by powerlord ( 28156 ) on Thursday February 22, 2001 @01:12PM (#409854) Journal
    " SPECIAL NOTE - Intellectual Property

    NIST reminds all interested parties that the adoption of AES is being conducted as an open standards-setting activity. Specifically, NIST has requested that all interested parties identify to NIST any patents or inventions that may be required for the use of AES. NIST hereby gives public notice that it may seek redress under the antitrust laws of the United States against any party in the future who might seek to exercise patent rights against any user of AES that have not been disclosed to NIST in response to this request for information.    "

    -- Quoted from the NIST homepage

    Its nice to know that someone thought this through and/or has been paying attention to recent events in the Patent arena.
  • I was at the third AES candidate conference, and everyone I spoke to was basically entirely happy with the way the competition was run. I've heard no complaints from anyone involved; in the Cryptogram, I think Schneier's phrase was that NIST had "covered themselves with glory" in the cipher selection process. This is a cipher the academic crypto community can happily stand behind.

    Some may worry that NIST chose one of the ciphers it rated as "Adequate security" rather than those rated "Highest security" like Serpent. However, to be secure the AES must achieve one thing: *it must get used*. If Serpent were named as the winner, it would perhaps be one option in a cipher negotiation stack, but people would tend to avoid using it, preferring faster alternatives. And when they're designing protocols, Serpent would tempt them to include cipher negotiation levels, a notorious source of possible insecurities; attackers try and force you onto your weakest cipher with fake packets before you have the cipher in place. Because Rijndael is so efficient on every platform, it's likely to get used everywhere without negotiation, and overall I think that'll make our protocols more efficient and more secure.
    --

  • Rijndael will last much more than 30 years (Score:5)

    by Paul Crowley ( 837 ) on Thursday February 22, 2001 @02:02PM (#409856) Homepage Journal
    The simple sum says if 56-bit DES was relatively easy in 1998, and if Moore's Law adds two keybits every three years, 128-bit Rijndael falls 108 years later, in 2106, and 256-bit Rijndael falls in 2298. Thus the apt slogan "A cipher for the next century".

    Of course, there are many factors that alter this, chief of which is that we'll probably hit theoretical limits on Moore's Law by then. Ross Anderson speculates that the AES may *never* be replaced.

    (Unrelated footnote: Slashdotter Nic C Weaver presented a paper at the AES3 conference on hardware implementations of AES candidates on FPGAs, and handed out neat little summaries on yellow business cards!)
    --

Slashdot Top Deals

It is easier to write an incorrect program than understand a correct one.

Close