Search /
Advanced search  |  Help  |  Site map
Click for Layer 8! No, really, click NOW!
Networking for Small Business
Kill switches coming to iPhone, Android, Windows devices in 2015
Still deploying 11n Wi-Fi?  You might want to think again
9 Things You Need to Know Before You Store Data in the Cloud
Can Heartbleed be used in DDoS attacks?
Linksys WRT1900AC Wi-Fi router: Faster than anything we've tested
Heartbleed bug is irritating McAfee, Symantec, Kaspersky Lab
10 Hot Hadoop Startups to Watch
Server makers rushing out Heartbleed patches
Fortinet, McAfee, Trend Micro, Bitdefender battle in socially-engineered malware prevention test
Net neutrality ruling complicates US transition to IP networks
6 Social Media Mistakes That Will Kill Your Career
Canonical's new Ubuntu focuses on the long haul
4 Qualities to Look for in a Data Scientist
Big bucks going to universities to solve pressing cybersecurity issues
Mozilla appoints former marketing head to interim CEO
Box patches Heartbleed flaw in its cloud storage systems
Obama administration backs disclosing software vulnerabilities in most cases
6 Amazing Advances in Cloud Technology
Collaboration 2.0: Old meets new
Data breaches nail more US Internet users, regulation support rises
With a Wi-Fi cloud service, Ruckus aims to help hotspot owners make money
How to get Windows Phone 8.1 today
Secure browsers offer alternatives to Chrome, IE and Firefox
10 Big Data startups to watch

Crypto proposal faces long journey

Rijndael algorithm needs conformance, interoperability tests before implementation.

Today's breaking news
Send to a friendFeedback

WASHINGTON, D.C. - The National Institute of Standards and Technology earlier this month selected the encryption algorithm called Rijndael as the preferred 128-bit encryption for the government, but NIST has to tackle conformance testing and other issues before Rijndael shows up in any products.

Sign up for the Security or Security and Bug Alert newsletters.

Conformance tests would ensure that vendors implemented the Rijndael technology properly, and would help drive interoperability. NIST is promising to conduct conformance tests of products after Rijndael, designed by Belgian cryptographers Vincent Rijmen and Joan Daemen, is officially designated the Advanced Encryption Standard (AES). That action isn't expected to occur until July, making it unlikely the new and largely unknown Rijndael will be used any time soon.

"It's a very good symmetric algorithm, but we won't see widespread use of this for a number of years," predicts Scott Schnell, senior vice president of security at RSA Security, which makes a range of encryption tool kits and security products.

RSA will include Rijndael in its BSAFE cryptography tool kit as an optional algorithm to use when developing applications that make use of encryption, Schnell says.

Schnell believes the banking community, which favors government-sanctioned encryption, would probably be the first industry to use Rijndael. It is seen as a replacement for the two-decade-old 56-bit Data Encryption Standard, which can be cracked with sufficient processing power.

However, a stronger version of DES, called Triple-DES, is also a government standard, and "will remain so for the foreseeable future," NIST stated in its recent guidelines, offering a well-known alternative to the largely unknown Rijndael.

Vendors of VPN products so far have not committed to using Rijndael, but they are certain to at least offer it as an option in their VPN products next year once it's an official government standard. But large enterprise customers and government agencies may not bet on Rijndael-based VPNs until they see conformance tests completed by independent labs.

Banks, in particular, are closely following Rijndael's progress. "Because our customer base is in North America we care about all the standards in this arena," says Randy Ford, the Bank of Montreal's director of e-purchasing solutions. He adds it's unclear at this point what impact AES will have.

The large installed base of Web browsers and servers that encrypt data using Secure Sockets Layer (SSL) encryption have become the norm in e-commerce. Within that application, it will be years before AES finds a role, if it ever does. Today, SSL can only use DES or RSA's 40-bit RC4. It doesn't support any strong encryption. The Internet Engineering Task Force would have to take a look at AES before altering SSL to work with it, and that will take time, Schnell says.

NIST selected Rijndael over four other cryptography entries because during testing, it showed the best consistent speed across platforms ranging from small-memory devices to mainframes. Though NIST evaluation process has won general praise, some security experts are not in favor of using Rijndael.

"It's the weakest of all the algorithms," claims John Viega, senior research assistant and consultant at Cigital (formerly Reliable Software Technologies) in Dulles, Va., which evaluates information-technology systems.

Though tests showed Rijndael won't easily be broken, even NIST suggested the algorithm could benefit by having more operations added to its structure to reduce potential vulnerabilities, he says.

Unlike the four algorithms it was competing against, Rijndael is a "square structure" algorithm, and the relative novelty of the design approach means there is less knowledge about where weaknesses may reside, Viega says.

Another issue is that Hitachi last spring exerted patent claims over the four other algorithms (MARS, RC6, Serpent and Twofish). The government wants AES to be public-domain technology, and given that it was stuck in a situation of fighting Hitachi over the four algorithms, NIST decided to choose Rijndael, Viega says.

NIST vehemently denies the Hitachi patent claims had anything to do with selecting Rijndael. Cryptographer Bruce Schneier, inventor of Twofish, brushes aside the patent claims as invalid, and says they had no affect on NIST's decision-making process, which he praises as a job well done.

Rijmen notes the competition is fierce, and he is surprised that the U.S. would adopt as a standard technology that was invented in Europe.


Contact Senior Editor Ellen Messmer

Other recent articles by Messmer

Download the paper that explains
Rijndael in detail.

Improved cryptoanalysis
of Rijndael.

The Rinjdael Page
Includes links to more information about the standard.

The Rinjdael Fan Page

Cryptography research center
Links to more information about cryptography.

Apply for your free subscription to Network World. Click here. Or get Network World delivered in PDF each week.

Get Copyright Clearance
Request a reprint or permission to use this article.

NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.