NIST New Field For New Security Standard
NIST Narrows Field for New Security Standard<@VM>CRYPTOGRAPHY<@VM>NIST and DES<@VM>FINALISTS<@VM>Internet Security Timeline<@VM>Web Resources
By John Makulowich
In slow, measured movements, the National Institute of Standards and Technology is moving toward a new encryption standard. It will amount to an improved system for protecting sensitive federal data that can be used well into the next century. It should also provide both consumers and business users of the Internet a sufficient level of confidence in the security of transmitted information.
Only last month, Aug. 9, the research and development unit of the Commerce Department announced five finalists that will compete over the critical component, the algorithm, of the so-called advanced encryption standard (AES). Fifteen candidate algorithms, or mathematical formulae, were submitted one year ago by research teams from 12 countries. NIST intends to announced the winner in summer 2001.
In cryptography, a branch of math that focuses on transforming data, there are two elements: an algorithm (also called a cryptographic methodology) and a key, or strings of bits, zeros and ones. Using the key generated from the algorithm, the information to be sent or stored, called plaintext, is disguised (encrypted) or changed into what is called ciphertext.
For you to communicate with me or to view the stored information, we must change the data back to their original form (decrypt) using either the same algorithm or ones designed to work together.
There are only two basic kinds of cryptography: secret key systems, also called symmetric systems; and public key systems, also called asymmetric systems. One of the main differences between them is that secret key uses only one key to encrypt and decrypt data. In public key, there are two keys for each person. AES is a secret key system.
Included among the many roles for cryptography in secure business transactions are assuring data confidentiality and integrity, and authenticating message originator and user.
The five finalist algorithms for AES are:
?MARS by IBM Corp., Armonk, N.Y.;
?RC6 by RSA Laboratories, Bedford, Mass.;
?Rijndael by Joan Daemen and Vincent Rijmen of Brussels, Belgium;
?Serpent by Ross Anderson of the United Kingdom, Eli Biham of Israel and Lars Knudsen of Norway;
?Twofish by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall and Niels Ferguson.
No major security vulnerabilities were found among the finalists in the first analysis of the algorithms.
Each algorithm supports cryptographic key sizes of 128, 192 and 256 bits. For example, for a 128-bit key size there are approximately 340e (340 followed by 36 zeroes) possible keys.
The winner will be chosen on factors such as performance, flexibility, suitability and security.
Right now, the secret key standard used to disguise data to transmit it securely is the data encryption standard (DES), first issued in 1977.
As NIST notes, DES "provides an encryption algorithm for protecting federal unclassified information from unauthorized disclosure or undetected modification during transmission or while in storage."
In the changing environment of computing power and sophistication witnessed over just the last decade, DES, a 56-bit key, has come under attack more and more by mathematicians and others trying to crack the algorithm to test its adequacy to protect data. In July 1998, a group succeeded in breaking a DES-encoded message, according to an account in the New York Times.
As recently as October 1995, NIST in its Special Publication 800-12, "An Introduction to Computer Security: The NIST Handbook," claimed that while the "adequacy of DES has at times been questioned, these claims remain unsubstantiated and DES remains strong."
However, since then, continuing attacks on DES led the private sector to develop what is known as Triple DES, a method for using the DES algorithm in three operations.
According to Ed Roback, acting deputy chief of the NIST Computer Security Division, the success of DES over the years was one reason the agency began to develop the advanced encryption standard. DES now is the most widely implemented cryptographic algorithm for encryption.
"With the development of special machines to crack the algorithm, DES is nearing the end of its useful life. Clearly, the government will need an algorithm to protect sensitive data about citizens. And consumers and business need confidence in transactions conducted electronically," Roback said. "We saw a void looming as far as an encryption algorithm with trust and confidence. It was time to move on and come up with a successor. That is the role of AES."
For NIST, AES will serve as a general purpose algorithm that can be adapted to a wide variety of applications and still offer reasonable performance. Triple DES, while secure, is considered by many to be a dog in performance, measured by speed and memory use.
In developing AES, Roback leveraged the confidence that existed in DES based on its long life and the fact that it had no trapdoors or hidden features.
"We wanted to engage the public in analyzing the algorithm under consideration," Roback said. "We thought it made sense that we open up the competition, asking industry and academia and others, 'What would you like to propose?' And we wanted to engage a worldwide audience. After all, e-commerce will not know international boundaries."
Roback said NIST staff members were unsure how many candidates would be proposed, whether their mail boxes would be full or empty. When 21 proposals arrived, from which the initial 15 were selected, he felt that was about the right number.
For Nev Zunic, program manager in the IBM Cryptographic Center of Competence and a member of the MARS development team, DES is coming to the end of its useful life. In the next few years, he said, the 56-bit key will come under increasing attack.
Zunic noted that all of the finalists are faster, stronger and more flexible than the Triple DES used today. By flexibility, he means that all can be implemented on the full range of devices.
One area that does demand attention and will require deeper analysis is security.
"Security has not been analyzed too much on the first round. How safe and secure are the algorithms? Do they have an acceptable number of rounds? How many times do they perform encryption operations? And what is an acceptable limit of rounds?" said Zunic.
He raised the issues of calculating a security margin and the need for a common measurement scheme. For example, an algorithm with 10 rounds that is capable of performing 12 would have a 20 percent security margin.
"There is a need to extend the security margin and to develop a common measurement scheme. Perhaps a 50 percent security margin would do. There also is more work needed on cryptanalysis, the art of cracking algorithms, of understanding how algorithms operate and the data paths that can be manipulated or controlled to leak information," said Zunic.
He believes the AES activity and selection should instill trust and confidence in customers, vendors and service providers that information will be well protected in electronic transactions. All that information will be protected with a minimal 128-bit key length.
Beyond the AES, Zunic sees the AES competition stirring up interest in both algorithm design and cryptanalysis.
Aside from the cryptographic community, the AES competition is raising security awareness in general for Web- and non-Web-based transactions and networked environments.
Burt Kaliski, chief scientist and director at RSA Laboratories, and another finalist, believes the choice of an advanced encryption standard by NIST is very important. He, too, feels DES has reached the end of its useful life in many applications.
"Users need a stronger encryption standard, and DES provides only 56-bit security," he said. "There are many other choices today, including Triple DES and various proprietary algorithms, than there were when DES was first published more than 20 years ago.
"But there are also many more applications that need security," Kaliski said. Rather than just a proliferation of choices, it is helpful to have one or a small number of well-trusted algorithms that everyone can implement."
Kaliski noted that public-key algorithms, such as NIST's digital signature algorithm, the RSA public-key cryptosystems and elliptic curve cryptography will continue to have a role alongside AES and will not be replaced by AES.
Since AES is being developed by an international community of cryptographers, it may find support by governments worldwide, Kaliski said.
Like DES, AES supports encryption for both confidentiality (keeping messages secret) and authentication (detecting unauthorized modifications). He reasons that AES, like DES, will find applications in many different areas of computer and communications security.
"AES has been a focal point for cryptography research over the past few years and should serve as a reference point for further collaborations between government standards-setting bodies and the academic community," Kaliski said.
This is in marked contrast to DES development, which essentially was done in secret. Hopefully, the knowledge gained through AES will increase public confidence in the algorithm, and future security standards will be developed in a similar way to AES, said Kaliski.
Yet another finalist, Joan Daemen, president of Proton World in Brussels, feels the importance of AES resides in the fact that it will replace DES and Triple DES by a new algorithm that is better suited for modern platforms.
"Encryption and decryption and message authentication will become available at faster speeds," Daemen said. "It will also simplify the specifications of systems that make use of DES. Because of its small key length and block length and some peculiar undesired properties, such as weak keys and complementation property, DES is used in many 'strengthened' modes, of which Triple DES is an example, that often differ from each other in subtle ways.
"For AES, this kind of strengthening will no longer be necessary, resulting in systems that are easier to understand, document and maintain," Daemen said.
Daemen believes it is not unlikely that in the long term AES will replace DES and Triple DES in a lot of its applications, including banking, virtual private networks and PC security.
However, he added AES is not likely to attain the monopolistic position DES has had because many good block cipher designs are around.
"All five AES finalists are excellent high-speed encryption functions, and they will not disappear when one of them is chosen as winner," said Daemen.
For Bruce Schneier, president of Counterpane Systems, Minneapolis, and a member of the team that developed the Twofish algorithm, the winner will be chosen based on such factors as performance, flexibility and suitability. He feels that to the average consumer, the choice of AES is unimportant. What is important is that NIST has made a choice.
"Right now, we don't have an encryption standard that is secure," he said. "DES has too short a key. People are using Triple DES, but that has other problems, such as performance and use in some weird applications. AES is a new encryption standard that will hopefully remain secure for a few decades."
Schneier does not believe AES selection will have a big impact on electronic business or commerce.
"E-commerce works just fine without any security. Future Internet protocols will implement AES, just as they now implement DES. Hardware performance will be better, but the impact on e-commerce will be negligible," he said.
As Schneier noted in an essay published on his Web page, AES will have to work in a variety of applications, doing all sorts of encryption tasks. These include 32-bit microprocessors, 64-bit microprocessors, small 8-bit smart cards and everything else that cannot be imagined yet.
"Choosing a single algorithm for all these applications is not easy, but that's what we have to do," he said. "It might make more sense to have a family of algorithms, each tuned to a particular application, but there will be only one AES.
"And when AES becomes a standard, customers will want their encryption products to be 'buzzword-compliant,' " Schneier said. "They'll demand it in hardware, in desktop computer software, on smart cards, in electronic-commerce terminals and other places we never thought it would be used. Anything we pick for AES has to work in all those applications." 1977
Data Encryption Standard first approved (reaffirmed by the secretary of commerce in 1993 until December 1998)1987
Through the Computer Security Act of 1987 (and later Section 513 of the Information Technology Management Reform Act of 1996, P.L. 104-106, Executive Order 13011 and Office of Management and Budget Circular A-13), the National Institute of Standards and Technology develops standards and guidelines for federal computer systems. These are approved by the secretary of commerce. Standards and guidelines are issued by NIST as Federal Information Processing Standards (FIPS) for use throughout the federal government. According to its mandate, NIST develops these standards when there are compelling federal government requirements, such as security and interoperability, and there are no acceptable industry standards or solutions.1993
Data encryption standard (DES) adopted as one of the FIPS (46-2). DES is for use in special-purpose electronic devices or computer systems or networks for cryptographic protection to binary coded data. However, included in the standard was this statement by the commerce secretary: "At the next review (1998), the algorithm specified in this standard will be over 20 years old. NIST will consider alternatives that offer a higher level of security. One of these alternatives may be proposed as a replacement standard at the 1998 review."1995
NIST issues Special Publication 800-12, "An Introduction to Computer Security: The NIST Handbook." (www.nist.gov)Jan. 2, 1997
NIST announces in the Federal Register the initiation of a process to develop a FIPS for advanced encryption standard (AES) using an advanced encryption algorithm. As the first step, NIST publishes for comment draft minimum-acceptability requirements and draft criteria to evaluate candidate algorithms. Also announced for comment are draft submission requirements. According to NIST documents, AES is intended to specify an unclassified, publicly disclosed encryption algorithm available royalty free, worldwide and able to protect sensitive government information well into the next century. Comments were due by April 2, 1997.Aug. 20, 1998
NIST announces 15 AES candidate algorithms at the First AES Candidate Conference. They were submitted by members of the cryptographic community throughout the world.1998
NIST issues "Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems." (www.nist.gov)March 1999
NIST holds Second AES Candidate Conference to discuss the results of the analysis conducted by the global cryptographic community on the candidate algorithms.April 15
The public comment period on the initial review of the algorithms closes.Aug. 9
NIST announces five contenders as finalists to develop the advanced encryption algorithm for the advanced encryption standard. April 13-14, 2000
NIST will sponsor the Third AES Candidate Conference in New York to discuss the analyses of the AES finalists. Proposed papers for the conference are due to NIST by Jan. 15, 2000.May 15, 2000
Closing date for comments on the remaining algorithms. Comments and analysis to be actively sought by NIST.Summer 2001
AES FIPS completed.By John MakulowichCommercial Encryption Export Controls
A division of the Commerce Department, Bureau of Export Administration, Office of Strategic Trade and Foreign Policy Controls. This Web page carries information on regulations, criteria, special guidance, White House documents, testimony, press releases, speeches and correspondence as well as links to other government sites. The most recent news on the site is the June 21 announcement about the Justice Department's petition to rehear a case about the constitutionality of the federal government's export controls on encryption products. President's Export Council
A key national advisory committee on international trade. PEC is a forum for resolving trade problems among the business, industrial, agricultural, labor and government sectors. The council, set up by executive order in 1973, maintains separately chartered subcommittees. One formed in 1997 is the subcommittee on encryption, which reviews commercial encryption issues. Subcommittee members are appointed by the secretary of commerce. On the site are recommendations about encryption policy. National Institute of Standards and Technology Computer Security Resources Clearinghouse
Through the Computer Security Act of 1987, NIST issues guidance to federal agencies on security controls for unclassified systems. This site houses the complete collection of that guidance.Federal Computer Incident Response Capability
FedCIRC issues security advisories and offers free and for-fee services, such as incident response and onsite recovery and audit-trail analysis. The FedCIRC partnership is made up of federal incident response teams, law enforcement, private sector, academia and U.S. government agencies responsible for securing the National Information Infrastructure.Digital Signature Legislation
Summary for the 105th and 106th Congress
This page includes references to the Government Paperwork Elimination Act, Title XVII of Public Law 105-277; H.R. 439, Paperwork Elimination Act of 1999; S.761, Millennium Digital Commerce Act; H.R. 1714, Electronic Signatures in Global and National Commerce Act; H.R. 1572, Digital Signature Act of 1999; and H.R. 1685, Internet Growth and Development Act of 1999.National Security Agency
Information Systems Security Organization
ISSO provides security for the communications and information systems of the Defense Department and other government agencies. Its services include information systems security engineering and threat and vulnerability assessments for information systems and operations. Numerous solutions are described at this site, which carries a revision date of Aug. 27, 1997.National Information Assurance Partnership
NIAP is designed to meet the security testing needs of both IT producers and users and to foster the development of commercial testing laboratories. The partnership is a collaboration of NIST and NSA.World Wide Web Security FAQ
The Web Security frequently asked questions list, housed on the World Wide Web Consortium server, tries to answer some of the most commonly asked questions about the security implications of running a Web server and using Web browsers.