Secretary of Commerce Donald Evans Tuesday officially finalized the federal government’s approval of the Advanced Encryption Standard (AES), a data encryption technique that will be used to protect sensitive
information and which is widely expected to be adopted by the private sector as well. Evans made the announcement at a meeting of
the Business Software Alliance, a group made up of IT industry CEOs.
AES is a 128-bit block cipher algorithm based on Rijndael, a mathematical formula developed by Belgian cryptographers Joan Daemen, of
Proton World International, and Vincent Rijmen, of Katholieke Universiteit Leuven. Rijndael (pronounced Rhine-doll), named after its
creators, was selected by the U.S. government in October 2000 as a new encryption technique for protecting computerized information.
The National Institute of Standards and Technology (NIST), an agency of the Commerce Department’s Technology Administration,
selected the formula after a four-year competition.
Rijndael was one of five finalists in the competition, which required all algorithms selected to support key sizes of 128, 192 and
256 bits. NIST said it selected Rijndael because it had the best combination of security, performance, efficiency and flexibility.
After Rijndael won the competition, the proposed standard was passed to the Office of Management and Budget, and was then passed back to
the Commerce Department for approval. Evans’ approval of AES follows a request for public comments on the draft of the standard.
“The AES will help the nation protect its critical information infrastructures and ensure privacy for personal information about
individual Americans,” Evans said. “It also will promote the President’s efforts to provide secure electronic government services to
our citizens.”
AES will now replace the venerable Data Encryption Standard (DES), which was adopted by the Defense Department in 1977. DES is a
56-bit encryption technique that stood firm for nearly 20 years before scientists were able to crack it using massively parallel
networked computer attacks and special-purpose “DES-cracking” hardware. By 1993, other formulas, such as Blowfish, had come along,
sporting 64-bit algorithms. Cryptographers then went a step further and developed a method of encrypting data three times over — a
variant known as “Triple-DES.”
But Triple-DES was an imperfect solution, putting a considerable drain on CPU resources because data was encrypted and decrypted
three times over. Because AES works with a 128-bit key size (allowing for 340 undecillion — or 340 followed by 36 zeros —
possible keys), it allows programmers to hide critical data while putting less of a strain on CPUs.
By all accounts, private sector firms are eager to use AES, and NIST said Tuesday that products implementing the standard are
expected to be available shortly. NIST said it is also completing arrangements that would allow vendors to validate their implementations of AES under the Cryptographic Module Validation Program
(CMVP), a joint effort by NIST and the Canadian government’s Communications Security Establishment.