Search /
Advanced search  |  Help  |  Site map
Click for Layer 8! No, really, click NOW!
Networking for Small Business
While Heartbleed distracts, hackers hit US universities
How Apple's billion dollar sapphire bet will pay off
US to vote on sharp increase in broadband subsidies
iPhone 6 rumor rollup for the week ending April 18
NSA spying revelations have tired out China's Huawei
Arista co-founder may have switch maker by its jewels
Apple kicks off public OS X beta testing
Open source pitfalls – and how to avoid them
AT&T's expanded 1 Gbps fiber rollout could go head to head with Google
BlackBerry Releases BES 10 Security Update to Address 'Heartbleed' Flaw
Verizon: Web apps are the security punching bag of the Internet
Cisco announces security service linked with new operations centers
Dell launches virtual storage accelerator, aims to boost SAN performance
Free OS X Mavericks now powers half of all Macs
Even the most secure cloud storage may not be so secure, study finds  
3D printing will transform these five industries
Most but not all sites have fixed Heartbleed flaw
NEC launches face-recognition protection for PCs
Hundreds of medical professionals targeted in multi-state tax scam
Super-high frequencies could one day deliver your mobile video
Americans cool with lab-grown organs, but not designer babies
IT Departments Not Losing Ground to Managed Service Providers (Yet)
Where's my gigabit Internet, anyway?
IE6: Retired but not dead yet
Enterprise who? Google says little about Apps, business cloud services in Q1 report

Crypto proposal faces long journey

Rijndael algorithm needs conformance, interoperability tests before implementation.

Today's breaking news
Send to a friendFeedback

WASHINGTON, D.C. - The National Institute of Standards and Technology earlier this month selected the encryption algorithm called Rijndael as the preferred 128-bit encryption for the government, but NIST has to tackle conformance testing and other issues before Rijndael shows up in any products.

Sign up for the Security or Security and Bug Alert newsletters.

Conformance tests would ensure that vendors implemented the Rijndael technology properly, and would help drive interoperability. NIST is promising to conduct conformance tests of products after Rijndael, designed by Belgian cryptographers Vincent Rijmen and Joan Daemen, is officially designated the Advanced Encryption Standard (AES). That action isn't expected to occur until July, making it unlikely the new and largely unknown Rijndael will be used any time soon.

"It's a very good symmetric algorithm, but we won't see widespread use of this for a number of years," predicts Scott Schnell, senior vice president of security at RSA Security, which makes a range of encryption tool kits and security products.

RSA will include Rijndael in its BSAFE cryptography tool kit as an optional algorithm to use when developing applications that make use of encryption, Schnell says.

Schnell believes the banking community, which favors government-sanctioned encryption, would probably be the first industry to use Rijndael. It is seen as a replacement for the two-decade-old 56-bit Data Encryption Standard, which can be cracked with sufficient processing power.

However, a stronger version of DES, called Triple-DES, is also a government standard, and "will remain so for the foreseeable future," NIST stated in its recent guidelines, offering a well-known alternative to the largely unknown Rijndael.

Vendors of VPN products so far have not committed to using Rijndael, but they are certain to at least offer it as an option in their VPN products next year once it's an official government standard. But large enterprise customers and government agencies may not bet on Rijndael-based VPNs until they see conformance tests completed by independent labs.

Banks, in particular, are closely following Rijndael's progress. "Because our customer base is in North America we care about all the standards in this arena," says Randy Ford, the Bank of Montreal's director of e-purchasing solutions. He adds it's unclear at this point what impact AES will have.

The large installed base of Web browsers and servers that encrypt data using Secure Sockets Layer (SSL) encryption have become the norm in e-commerce. Within that application, it will be years before AES finds a role, if it ever does. Today, SSL can only use DES or RSA's 40-bit RC4. It doesn't support any strong encryption. The Internet Engineering Task Force would have to take a look at AES before altering SSL to work with it, and that will take time, Schnell says.

NIST selected Rijndael over four other cryptography entries because during testing, it showed the best consistent speed across platforms ranging from small-memory devices to mainframes. Though NIST evaluation process has won general praise, some security experts are not in favor of using Rijndael.

"It's the weakest of all the algorithms," claims John Viega, senior research assistant and consultant at Cigital (formerly Reliable Software Technologies) in Dulles, Va., which evaluates information-technology systems.

Though tests showed Rijndael won't easily be broken, even NIST suggested the algorithm could benefit by having more operations added to its structure to reduce potential vulnerabilities, he says.

Unlike the four algorithms it was competing against, Rijndael is a "square structure" algorithm, and the relative novelty of the design approach means there is less knowledge about where weaknesses may reside, Viega says.

Another issue is that Hitachi last spring exerted patent claims over the four other algorithms (MARS, RC6, Serpent and Twofish). The government wants AES to be public-domain technology, and given that it was stuck in a situation of fighting Hitachi over the four algorithms, NIST decided to choose Rijndael, Viega says.

NIST vehemently denies the Hitachi patent claims had anything to do with selecting Rijndael. Cryptographer Bruce Schneier, inventor of Twofish, brushes aside the patent claims as invalid, and says they had no affect on NIST's decision-making process, which he praises as a job well done.

Rijmen notes the competition is fierce, and he is surprised that the U.S. would adopt as a standard technology that was invented in Europe.


Contact Senior Editor Ellen Messmer

Other recent articles by Messmer

Download the paper that explains
Rijndael in detail.

Improved cryptoanalysis
of Rijndael.

The Rinjdael Page
Includes links to more information about the standard.

The Rinjdael Fan Page

Cryptography research center
Links to more information about cryptography.

Apply for your free subscription to Network World. Click here. Or get Network World delivered in PDF each week.

Get Copyright Clearance
Request a reprint or permission to use this article.

NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.