May 30, 2000 (Computerworld) For the past three years, the National Institute of Standards and Technology (NIST) has been working to develop a new encryption standard to keep government information secure. The Gaithersburg, Md.-based organization is in the final stages of an open process of selecting one or more algorithms, or data-scrambling formulas, for the new Advanced Encryption Standard (AES) and plans to make a decision by late summer or early fall. The standard is slated to go into effect next year.
AES is intended to be a stronger, more efficient successor to Triple Data Encryption Standard (3DES), which replaced the aging DES, which was cracked in less than three days in July 1998.
"Until we have the AES, 3DES will still offer protection for years to come. So there is no need to immediately switch over," says Edward Roback, acting chief of the computer security division at NIST and chairman of the AES selection committee. "What AES will offer is a more efficient algorithm. . . . It will be a federal standard, but it will be widely implemented in the IT community."
According to Roback, efficiency of the proposed algorithms is measured by how fast they can encrypt and decrypt information, how fast they can present an encryption key and how much information they can encrypt.
"There are actually maximum thresholds that you can get if you have high data feeds, (and) 3DES can't accommodate them," says Roback.
The AES review committee is also looking at how much space the algorithm takes up on a chip and how much memory it requires. Roback says the selection of a more efficient AES will also result in cost savings and better use of resources.
"DES was designed for hardware implementations, and we are now living in a world of much more efficient software, and we have learned an awful lot about the design of algorithms," says Roback. "When you start multiplying this with the billions of implementations done daily, the saving on overhead on the networks will be enormous."
Open Process
The process of selecting the algorithm for AES has been notable for its openness and transparency. This is a marked departure from the government's past inclination toward secrecy in discussing encryption standards, which led to the public cracking of DES after critics questioned the government's assertion that the standard was still secure.
"I think (AES) is going to be very well accepted by businesses internationally," says Yair Frankel, chief scientist at Seattle-based eCash Technologies Inc. "The business community has been needing a replacement for DES for some time."
Frankel notes that when DES was developed, the cryptographic community wasn't as large or as well equipped to help conduct a public review of AES. But as a result of the public evaluation process now being conducted, he says, people will have more confidence in the new standard when it's released.
Roback agrees that the process for selecting an encryption standard has changed dramatically since 1975, when the government issued a call for DES algorithms.
"The state of public knowledge and expertise in cryptography is now completely different," says Roback. "You have to put (algorithms) out there and let people hack at them, and if they are still standing, people gain confidence."
NIST kicked off the selection process in September 1997. Conferences were held in August 1998 and March 1999; cryptographers from around the world discussed the algorithm candidates and helped narrow the list to 15 and then to five finalists: IBM's MARS; RSA Laboratories' RC6; Joan Daemen and Vincent Rijmen's Rijndael; Ross Andersen, Eli Baham and Lars Knudsen's Serpent; and Counterpane Labs' Twofish.
"We are hoping that this will be long-lived and provide a strong security foundation for electronic commerce into the next century," says Roback. "When you look at the trillions of dollars protected by AES, this is a very important standard process, and we keep trying to encourage as widespread participation as possible."
Gaining Steam
Bruce Schneier, founder and chief technology officer of Counterpane Internet Security Inc. and a member of the team that developed the Twofish algorithm, says the NIST has done an admirable job.
"I feel confident about Twofish, but even if Twofish did not win, NIST would have done a phenomenal job, aboveboard, with no back-room deals," says Schneier. "That amazes me that that is possible, when you think about all the problems involved in encryption algorithms in this country."
Abner Germanow, an analyst at International Data Corp. in Framingham, Mass., says it's still unclear how quickly AES will be integrated into existing applications used in the private sector.
Because there's already a large installed base that uses the algorithms developed by RSA Data Security Inc. in Redwood City, Calif., new applications being built from the ground up will probably use AES on the first attempt and then switch to RSA if that isn't successful, Germanow predicts. Encryption tool kits sold by vendors typically include a large library of algorithms, he adds, and AES may become yet another choice on that list.
"People are not going to pull out existing infrastructure to adopt to this new standard, but it will be interesting to watch how quickly people see this as a requirement and how quickly developers work the standard into their applications," says Germanow.
While most evaluators of the algorithms want to avoid complexity by selecting one to serve as a standard, there's a vocal minority that wants to select more than one.
"I think there is a benefit to looking at multiple algorithms. It is not only a security issue but a performance issue," says Frankel. "Different algorithms behave differently under different environments."