Welcome to Volume 3, Issue 5 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community. Many of our columnists will be teaching and speak at The Internet Security Conference, June 4-8, 2001 at the Century Plaza Hotel in Los Angeles, California.
Previous issues are posted here..
TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, flame me.
Enjoy, and be safe,
In this issue, Elaine Barker from NIST explains the process by which the new Advanced Encryption Standard (AES) was selected, and provides an overview of the algorithm and its potential applications.
Last year, the National Institute of Standards and Technology (NIST) announced the selection of a new encryption algorithm that will be used to protect sensitive (unclassified) government information. This algorithm, to be proposed as the Advanced Encryption Standard (AES), is the result of work conducted by NIST and the international cryptographic community since 1997. The AES is intended to replace the Data Encryption Standard (DES) that was adopted in 1977 and is now considered to be inadequate to protect today's information. NIST anticipates wide voluntary use of AES by organizations, institutions and individuals outside the U.S. Government.
The development of the AES began with a call for algorithm submissions. The call stipulated that a candidate for the AES should specify an unclassified, publicly disclosed encryption algorithm that would be available royalty-free, worldwide. Fifteen candidate algorithms were announced at the First AES Conference in August 1998. These algorithms were submitted by cryptographers from around the world. Public comments were solicited on the candidates, prompting a period of analysis ("Round 1") by the international cryptographic community. A Second AES Conference was held in March 1999 to discuss the Round 1 analysis. In August 1999, after the close of the Round 1 public comment period and after considering all available information (approximately eighty comments and papers, totaling 600 pages), NIST narrowed the algorithm list to five finalist candidates. A second round of intense review ("Round 2") was followed by a Third AES Conference in April 2000 to discuss the merits of each of the five finalists.
After the end of the Round 2 public comment period in May 2000, NIST began an exhaustive analysis of all results and comments submitted. In addition to the Round 1 information, NIST studied and considered about 800 additional pages of material from the 160 papers and comments submitted during Round 2. This material included security analyses and hardware and software performance studies on various platforms.
In October 2000, NIST announced the selection of Rijndael (pronounced "Rain Doll" or "Rhine Dahl") as the proposed AES. Rijndael was developed by Belgian cryptographers Joan Daemen of Proton World International and Vincent Rijmen of Katholieke Universiteit Leuven. NIST considered Rijndael's combination of security, performance, efficiency, ease of implementation and flexibility appropriate for selection as the AES. Rijndael processes information in 128 bit blocks (i.e., encrypts or decrypts 128 bits of data at a time) using either 128, 192 or 256 bit keys. Each encryption or decryption operation is byte oriented (rather than bit oriented) and consists of 10, 12 or 14 rounds of multiple sub-operations, depending on the key size. AES is expected to be used for a wide range of applications and environments, including file encryption, IPsec, the Transport Layer Security (TLS) protocol, and secure mail protocols such as S/MIME. Within days of the AES announcement, commercial firms were announcing products that incorporated the AES, making it clear that the AES will soon be used extensively internationally.
Details on the AES development effort are available at the AES home page. A FAQ sheet is also available via this page to answer questions.
The proposed standard was issued for public comment on February 28, 2001 and is available on the AES home page. After a 90-day public comment period, the draft standard will be revised in response to the public comments, if appropriate, and submitted to the Secretary of Commerce for signature. NIST's goal is to have the AES adopted during the summer of 2001.
When the AES officially becomes a Federal Information Processing Standard (FIPS), a conformance-testing program will be available for AES implementations through NIST's Cryptographic Module Validation Program (CMVP). Information is available on this program at http://csrc.nist.gov/cryptval/.
An encryption algorithm such as the AES is not used alone, but as part of a cryptographic standards toolkit of algorithms and protocols to provide security for various applications and environments. For example, the AES encrypts a data block of 128 bits. Many applications require messages or files larger than 128 bits to be encrypted; some applications also require a method for detecting whether or not the encrypted information is modified during communications. An assortment of "modes of operation" is needed that use the encryption algorithm to accomplish these services. Such modes were defined for the DES. However, AES is a different "beast" from DES, and today's and tomorrow's applications and environments are different from those needed for DES. New modes are required in addition to the original modes, and NIST has requested that the public submit new modes for consideration. A workshop was held in October 2000 to begin the process, and another workshop is scheduled for August 2001 to continue discussions. Information on this effort is available at http://www.nist.gov/modes.
A second part of the cryptographic standards toolkit includes mechanisms for securely establishing keys shared by multiple parties so that communications can be secured. NIST has begun an effort to define secure methods for establishing keys for the U.S. Government using mechanisms defined in the private sector. A security analysis of the available mechanisms will assure that those selected for use will provide adequate security for sensitive government applications. In addition, guidance for the handling of these keys - from generation through distribution, storage and destruction - will be developed. Information on the key management project is available at http://www.nist.gov/kms.
NIST's cryptographic standards toolkit also contains authentication, hashing and digital signature algorithms. An authentication algorithm may be used to determine the authenticity of information (e.g., that the received information is the same as the information that was sent and that the information was sent by the identified party). NIST proposed a draft authentication standard, the Keyed-Hash Message Authentication Code (HMAC), in January 2001. The draft standard is available at http://www.nist.gov/hmac.
A hashing algorithm condenses variable length messages or files into short, fixed length values. The resulting hash value may be used to determine the integrity of the information (i.e., that the information has not changed between the time that the hash value was calculated, and the time that the hash value is verified). The HMAC and digital signature algorithms use hashing algorithms. A hashing algorithm, commonly known as SHA-1, was adopted in 1995 as FIPS 180-1. Three new hashing algorithms have recently been made available at http://www.nist.gov/sha; they are being added to the current standard and should be available in Draft FIPS 180-2 in the near future.
Digital signatures, like their handwritten counterparts, are used to prove to a recipient or a third party that the information was signed by a particular entity. Since a digital signature algorithm is used in conjunction with a hashing algorithm, the integrity of the signed data is also assured. The Digital Signature Algorithm (DSA) was first specified by NIST in 1994. In response to numerous public comments, NIST made two revisions to the FIPS that added the RSA and ECDSA digital signature algorithms. RSA is commonly used in many communication protocols and is specified in American National Standards Institute (ANSI) X9.31 and in Public Key Cryptography Standard (PKCS) #1. ECDSA (Elliptic Curve Digital Signature Algorithm) uses elliptic curve technology and is specified in ANSI X9.62. A draft revision of the Digital Signature Standard (Draft FIPS 186-3) that increases the key sizes of the DSA will soon be available. Draft FIPS 186-3 will be available on the cryptographic standards toolkit home page at http://csrc.nist.gov/encryption/.
NIST is developing a comprehensive cryptographic standards toolkit of algorithms that may be used in various applications and environments to provide security for the government's sensitive (unclassified) information. These algorithms may also be used voluntarily by the private sector internationally. NIST is actively encouraging the use of its toolkit by non-government communities in order to promote secure interoperable communications between the U.S. Government, its citizens, its industries and organizations, and the citizens, industries and organizations of other nations.