Commerce Secretary Announces New Standard for Global Information Security
For Immediate Release: December 4, 2001
Contact: Jim Dyke/Trevor Francis/Philip Bulman
"The AES will help the nation protect its critical information infrastructures and ensure privacy for personal information about individual Americans," said Evans. "It also will promote the President's efforts to provide secure electronic government services to our citizens."
Phillip J. Bond, under secretary of commerce for technology, noted that finalization of the standard will benefit many individuals and companies besides federal agencies. "The Secretary's approval means that the AES will now be available to provide the next generation of encryption protection for both government and industry, maintaining America's leadership in the Information Age. We are very pleased that AES development has been successfully completed," said Bond.
The new standard contains a sophisticated mathematical formula known as an algorithm. Algorithms are at the heart of computerized encryption systems, which can be used to encode all kinds of digital information, from electronic mail to the secret personal identification numbers, or PINs, that people use with bank teller machines.
Today's announcement marks the culmination of a four-year effort by computer scientists at the Commerce Department's National Institute of Standards and Technology to achieve a highly secure algorithm for the AES. This was done through an international competition, starting in September 1997, in which researchers from 12 different countries submitted encryption algorithms. Fifteen candidate formulas chosen by NIST in August 1998 were "attacked" for vulnerabilities and intensely evaluated by the worldwide cryptographic community to ensure that they met the AES criteria. After the field was narrowed down to five in April 1999, NIST asked for intensified attacks and scrutiny on the finalists. Evaluations of the encoding formulas examined factors such as security, speed and versatility.
The algorithm selected for the AES in October 2000 incorporates the Rijndael (pronounced Rhine-doll) encryption formula. Belgian cryptographers Joan Daemen (pronounced Yo-ahn Dah-mun) of Proton World International and Vincent Rijmen (pronounced Rye-mun) of Katholieke Universiteit Leuven developed Rijndael. Both men are highly regarded experts within the international cryptographic community. They have agreed that their algorithm may be used without royalty fees.
Each of the algorithms submitted for the AES competition was required to support key sizes of 128, 192 and 256 bits. For a 128-bit key size, there are approximately 340 undecillion (340 followed by 36 zeros) possible keys.
NIST and leading cryptographers from around the world found that all five finalist algorithms had a very high degree of security. Rijndael was selected because it had the best combination of security, performance, efficiency and flexibility. The specifications for the Rijndael algorithm have now been formally incorporated into Federal Information Processing Standard 197.
The AES has been designed to protect sensitive government information well into the 21st century. It will replace the aging Data Encryption Standard, which NIST adopted in 1977 as a Federal Information Processing Standard used by federal agencies to protect sensitive, unclassified information. DES and a variant called Triple DES are used widely in the private sector as well, especially in the financial services industry.
The effort to establish the AES reflects the dramatic transformation that cryptography has undergone in recent years. Just a few decades ago, the science of cryptography was an esoteric endeavor employed primarily by governments to protect state and military secrets. Today, millions of Americans use cryptography, often without knowing it. Most people who use automated teller machines have used cryptography because the secret PINs required by the machines are encrypted. Others use information encryption when they make a purchase over the Internet; their credit card numbers are encrypted when they place an order.
Hundreds of encryption products currently employ DES or Triple DES, and such systems have become almost ubiquitous in the financial services industry.
The Secretary's formal approval action announced today follows a 2001 request for public comments on the draft AES.
Products implementing the AES are expected to be available shortly in the marketplace. NIST also is completing arrangements so that vendors can have their implementations of AES validated under the Cryptographic Module Validation Program, jointly led by NIST and the Government of Canada's Communications Security Establishment. The CMVP provides security testing against the specifications of FIPS 140-2, Security Requirements for Cryptographic Modules and individual federally recognized algorithms. Validation helps ensure that the complex AES algorithm has been implemented correctly. Private-sector accredited laboratories conduct this testing, which then is validated by NIST and CSE. For more details see http://csrc.nist.gov/cryptval/.
The Advanced Encryption Standard, or AES, is the new Federal Information Processing Standard, or FIPS, publication that specifies a cryptographic algorithm (mathematical formula) for use by U.S. government organizations to protect sensitive, unclassified information. NIST also anticipates that the AES will be used widely on a voluntary basis by organizations, institutions and individuals outside of the U.S. government-and in some cases-outside of the United States.
2. Why is this announcement of the AES significant?
This announcement of the Secretary's approval of AES marks the culmination of a four-year effort involving the joint cooperation of the U.S. government, private industry and academia from around the world to develop an encryption technique that has the potential to be used by millions of people-both domestically and internationally-in the years to come.
3. Is the AES now an official U.S. government standard?
Yes. It is specified in FIPS 197.
4. How long will the AES last?
No one can be sure how long the AES-or any other cryptographic algorithm-will remain secure. However, NIST's Data Encryption Standard (known as DES) was a U.S. government standard for approximately 20 years before it became practical to mount a key exhaustion attack (a method in which attackers continually try possible key values) with specialized hardware. The AES supports significantly larger key sizes than what DES supports. Barring any attacks against AES that are faster than key exhaustion, and even with future advances in technology, AES has the potential to remain secure well beyond 20 years.
5. Will NIST continue to monitor the algorithm's security, and how will it handle security issues that may arise in the future?
Yes. Now that AES is the official government standard, it will be formally reevaluated every five years. Maintenance activities for the standard will be developed at the appropriate time, in full consideration of the situation's particular circumstances. Should an issue arise that requires more immediate attention, NIST will act expeditiously and consider all available alternatives at that time.
6. Who will be required to implement and use the AES?
The AES is now an approved encryption algorithm that can be used by U.S. government organizations to protect sensitive, unclassified information. As is currently the case, those government organizations will be able to use other FIPS-approved algorithms in addition to, or in lieu of, the AES.
Commercial and other non-federal organizations are invited-but not required-to adopt and implement the AES and NIST's other cryptographic standards.
7. When will products implementing the AES be available?
Some commercial products implementing Rijndael are already on the market. NIST will soon have conformance testing available for products that implement Rijndael through its Cryptographic Module Validation Program.
8. What will the AES replace?
The AES was developed to replace the old federal standard, the DES, which has been in place since 1977. In recent years, a variation of DES called Triple DES has served as the recommended encryption system while AES was being finalized. NIST anticipates that Triple DES will remain an approved algorithm (for U.S. government use) for the foreseeable future. Single DES is being phased out of use. Triple DES is specified in a FIPS 46-3 and the AES is specified in FIPS 197.
9. What algorithm was selected by NIST for the AES?
NIST selected Rijndael as the proposed AES algorithm following an international competition. The algorithm's developers have suggested the following pronunciation alternatives: "Reign Dahl," "Rain Doll" and "Rhine Dahl."
10. Who developed and submitted the algorithm?
The two researchers who developed and submitted Rijndael for the AES are both cryptographers from Belgium: Joan Daemen (Yo-ahn Dah-mun) of Proton World International and Vincent Rijmen (Rye-mun), a postdoctoral researcher in the Electrical Engineering Department (known as ESAT) of Katholieke Universiteit Leuven.
11. Why did NIST select Rijndael to propose for the AES?
When considered together, Rijndael's combination of security, performance, efficiency, ease of implementation and flexibility makes it an appropriate selection for the AES.
In terms of security, NIST states in its report that "all five algorithms appear to have adequate security for the AES." NIST did not say that there is anything "wrong" with any of the other four algorithms. However, when all of the analysis and comments were taken into consideration, the NIST team felt that Rijndael was the best selection.
13. How has the encryption community been involved in the development of the AES?
From the beginning of the AES development effort, NIST has relied on the involvement of public and private encryption experts outside the agency, including:
The AES will specify three key sizes: 128, 192 and 256 bits. In decimal terms, this means that there are approximately: 3.4 x 1038 possible 128-bit keys; 6.2 x 1057 possible 192-bit keys; and 1.1 x 1077 possible 256-bit keys.
In comparison, DES keys are 56 bits long, which means there are approximately 7.2 x 1016 possible DES keys. Thus, there are on the order of 1021times more AES 128-bit keys than DES 56-bit keys.
15. What is the chance that someone could use the "DES Cracker"-like hardware to crack an AES key?
In the late 1990s, specialized "DES Cracker" machines were built that could recover a DES key after a few hours. In other words, by using a very sophisticated key exhaustion attack, the hardware could quickly determine which key was used to encrypt a message.
Assuming that one could build a machine that could recover a DES key in a second, then it would take that machine approximately 149 trillion (thousand-billion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old.
16. Is NIST concerned that the Rijndael algorithm is of foreign origin?
No. The complete algorithm specification and design rationale have been available for review by NIST, the National Security Agency, and the general public for more than three years. From the beginning of the AES development effort, NIST has indicated that the involvement of the international cryptography community has been necessary for the development of a high-quality standard.
17. Is there a document that provides details on NIST's selection for the AES?
NIST's Report on the Development of the Advanced Encryption Standard (AES) was issued in October 2001. It is a comprehensive report that discusses various issues related to the AES, presents analysis and comments received during the public comment period, summarizes characteristics of the five finalist AES algorithms, compares and contrasts the finalists, and presents the reasoning behind NIST's selection of Rijndael.
Complete AES-related information is available on the AES home page, www.nist.gov/aes. The site includes the AES FIPS itself; the NIST report; test values and code; all public comments, including analysis papers from the various AES conferences; and other "historical" AES information.