US Secretary of Commerce Don Evans has approved a new IT encryption standard for the federal government at a meeting with members of the Business Software Alliance, a group made up of IT industry CEOs.
The Advanced Encryption Standard, or AES, is expected to be used widely in the private sector to protect sensitive computer information and financial transactions.
The announcement marks the culmination of a four-year effort by computer scientists at the Commerce Department’s National Institute of Standards and Technology to achieve a highly secure algorithm for the AES.
This was done through an international competition, starting in September 1997, in which researchers from 12 different countries submitted encryption algorithms. Fifteen candidate formulas chosen by NIST in August 1998 were ‘attacked’ for vulnerabilities and intensely evaluated by the world-wide cryptographic community to ensure that they met the AES criteria. After the field was narrowed down to five in April 1999, NIST asked for intensified attacks and scrutiny on the finalists. Evaluations of the encoding formulas examined factors such as security, speed and versatility.
The algorithm selected for the AES in October 2000 incorporates the Rijndael encryption formula. Belgian cryptographers Joan Daemen of Proton World International and Vincent Rijmen of Katholieke Universiteit Leuven developed Rijndael. They have agreed that their algorithm may be used without royalty fees.
Each of the algorithms submitted for the AES competition was required to support key sizes of 128, 192 and 256 bits. For a 128-bit key size, there are approximately 340 undecillion (340 followed by 36 zeros) possible keys.
NIST and leading cryptographers from around the world found that all five finalist algorithms had a very high degree of security. Rijndael was selected because it had the best combination of security, performance, efficiency and flexibility. The specifications for the Rijndael algorithm have now been formally incorporated into the US Federal Information Processing Standard 197.
The AES itself will replace the ageing Data Encryption Standard, which NIST adopted in 1977 as a Federal Information Processing Standard used by federal agencies to protect sensitive, unclassified information. DES and a variant called Triple DES are used widely in the private sector as well, especially in the financial services industry.
Products implementing the AES are expected to be available shortly in the marketplace. NIST also is completing arrangements so that vendors can have their implementations of AES validated under the Cryptographic Module Validation Program, jointly led by NIST and the Government of Canada’s Communications Security Establishment.