Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Encryption Security

Interview With AES Author 51

Posted by Hemos from the talking-with-a-smart-guy dept.
Dave Wreski writes "I recently had a chance to ask Vincent Rijmen a few questions about Rijndael, the algorithm soon to replace DES. He talks about the development of the algorithm, his thoughts on the future of Internet security, Linux and security, and more. He's a pretty interesting guy, and had some interesting comments. You can find the interview here"
This discussion has been archived. No new comments can be posted.

Interview with AES Author More

Interview with AES Author

Comments Filter:
  • Serpent [cam.ac.uk] is actually more secure than Rijndael [kuleuven.ac.be], even if slightly slower. I personally use serpent in my loopback fs's, and it works really well!
  • Surely the most sensible approach is to use neither Serpent nor any other AES candidate for a year or two until they've been well studied. Why don't you use 3DES if you really concerned about security?
  • Here in the US we have the same thing. Anyone who can't pronounce "hot dog" is looked upon with suspicion. Dutch tourists pronounce it like "hat dack" and that's how we can tell they aren't from around here.

  • no comment.
    • Actually we do know. Eli Biham and Adi Shamir (the S in RSA) discovered differential cryptanalysis in 1990. Differential cryptanalysis made short work of many algorithms of the day *except* DES. It was found that any other s-box configuration, including totally random ones, made the whole algorithm fall quickly to this new method. Subsequently, an IBM researcher admitted that they knew about differential cryptanalysis in the early seventies but the NSA convinced them that discussing the method or the s-box criteria would harm US interests.
    So then, we still don't know. All you did is tell us why the S box values were picked (to thwart cryptanalysis. We knew this.), but not the method that determined those numbers.

    Why is this information still classified?

    Actually he did.
  • I'm getting a brain overload from all the different encryption tools/stories/specs. It was not too long ago that I remember that all that was out there was PGP and DES. Now there are so many that I only remember the ones with funny names. (twofish? blowfish?)

    At least with PGP I knew how to decode it, if someone sent me a encrypted email today, I would have no clue how to even identify it, nevermind decode it.

    Is this depth of knowlege really required for a layman to take advantage of reasonable encryption security?
  • Well... it takes umpty-ump billion years to break triple-des, so that ought to be good enough.

    Um... er... it USED to take umpty-ump billion years.

    (Unless you use NSA's backdoor...)

    (No, wait... pretend I didn't say that...)

    -- Michael Chermside

  • We could go back and forth on this for a while, but essentially it's a personal decision based on an opinion, and I respect your opinion but do not share it.

    Firstly, your statement "Rijndael was the one that was least secure" is at best an opinion. Since (to my knowledge) not even a theoretical attack has been found for any of the AES candidates, there can be no objective measure of relative security.

    Secondly, I'd take issue with the argument that once a basic threshold has been reached, more eyeballs = more vulnerable. I accept that pretty much all of the AES algorithms are going to be non-trivially broken, hence the caveat.

    Note that there may well not exist an attack on these algorithms (although history and a study of the human condition suggests that this outcome is unlikely). Schneir's statement that the best one can say about an algorithm is that it hasn't been cracked yet applies for each and every scientific theory on the planet. This is mearly the most pessimistic (and most appropriate) statement that can be made.

    To close, I'd also like to point out that any algorithm can be trivially implemented in an insecure manner. Hence, your hypothesis that Serpent is inherently more secure because it receives less attention is worthless. Remember that each and every *implementation* of the AES algorithms needs to be verified in an open manner for it to be trusted. This is a lot less likely to happen with uncommon implementations (except, of course, for the black-hats with something to gain). With the working assumption that most "new" crypto applications will adopt the AES winner and not the losers, this implies that most industry attention will be focussed on the continuing verification of Rijndael implementations. As time goes by, you can expect the experience-pool that has accumulated with verifying Rijndael implementations to improve - standard suites testing for known risky points etc. This works against you for implementations of more obscure, relatively less-well-known algorithms.

    To close, therefore, I would like to suggest that you are still relying on a variant of Security by Obscurity, and that this is not necessarily a good thing for your long term cryptographic needs.

  • This is true for your own personal comfort level of "well studied". I think the benefit of the AES review period was that a large number of people + organisations interested in the results of this competition could pass a mutually agreed level of that parameter during the competition.

    Personally speaking I don't know enough one way or the other to form an objective opinion. Like most people on the planet, outside my own limited horizon of speciality, I have to rely on other trusted experts' opinions and judgements. For me, therefore, having seen the manner in which the AES competition was conducted, and without knowing diddly-squat about the analyses of the algorithms in that competition, I'd have to conclude that if it's good enough for them it's good enough for me.

    But if it don't float your boat, fine. If it's for a commercial crypto app then the market will decide, otherwise it's whatever your conscience will let you get away with.

    Ain't crypto wonderfull? All those human interests (theoretical, mathematical, technical, ethical, commercial, practical, political) in one little field...

  • I guess my feeling from the opinions expressed in the interview would be that yer man there just doesn't care. I get the impression he's far more interested in doing theoretical algorithm research than in any real-world applications.

    Hence his comments - "Rijndael is the engine, it's up to someone else to build the car". In the context of your question, the Draft ThoughtCrime Treaty really addresses legislation of the "car" - applications, processes and protocols making use of encryption - rather than the "engine" (the encryption algorithm) itself.

  • Shame the questions are either really obvious or just downright strange. I get the impression the interviewer doesn't know much about encryption.

    And where did the question about rfc2692 come from? I'm not surprised the reply was "No comment" (although "What are you talking about?" would be just as reasonable).
  • However, your faith in Serpent is perhaps misguided. It may have received a similar level of analysis as Rijndael up to now, but you can guarantee that as an also-ran, it's not going to continue to receive this level of investigation. All of which leaves you more, not less, vulnerable in the longer term....
    You're forgetting the obverse to that. Since Serpent will be getting less scrutiny, it's less likely that it will be broken. Unless there's some simple way to break it (which seems unlikely at this point) far fewer people will be trying to crack it, therefore it's more likely to stay uncracked.

    If any of the 5 AES candidates are going to be broken, the one most likely to be is the one that's studied the hardest. And, of all the algorithms, I'm pretty sure that Rijndael was the one that was least secure.

    So going with Serpent doesn't seem like such an unwise move after all. It's all in the way you look at it. 'Security through not-that-many-eyeballs-looking-at-it-even-though-t he-algorithm-is-published.' Works for me.
    --
  • too bad Grootegast doesn't have a lot of beaches...
  • Nah... unfortunately (?) it's spelled zee-eend nowadays
  • The best encryption won't help you if a hacker can read every key stroke you type.

    He said "hacker!" Burn him!!!

  • Well... it takes umpty-ump billion years to break triple-des, so that ought to be good enough.

    Um... er... it USED to take umpty-ump billion years.

    In terms of security, triple-DES is also in the same class as serpent or rijndael.

    (Unless you use NSA's backdoor...)

    DES and triple-DES are probably the most publicly scrutinized crypto algorithms in history, no backdoor has been found. In fact, in retrospect, it's been found that the NSA's changes to the original DES algorithm actually made it stronger.

    I assume you're trying for +1 funny.

  • Serpent is actually more secure than Rijndael, even if slightly slower.

    I'm not disputing that Serpent is more secure than Rijndael. Nor I'm I disputing your right to use whatever algorithm you wish. But if it takes umpty-ump trillion years to break Rijndael, what does the extra security buy me besides slowness?

  • Actually we do know.

    Eli Biham and Adi Shamir (the S in RSA) discovered differential cryptanalysis in 1990. Differential cryptanalysis made short work of many algorithms of the day *except* DES. It was found that any other s-box configuration, including totally random ones, made the whole algorithm fall quickly to this new method. Subsequently, an IBM researcher admitted that they knew about differential cryptanalysis in the early seventies but the NSA convinced them that discussing the method or the s-box criteria would harm US interests.

  • "Scheveningen"

    The most unpronouncable name of a beach-resort in the world!

    All Germans come to this place in the Netherlands because they don't have their own resorts. Little joke: They're only worthy to stay if they can actually pronounce the name, if they can't, we'll kick them out!

  • It's pronounced Aye-Eee-Ess.
    How hard is that?

  • An algorithm had to be free of patent and other intellectual property claims in order to apply as an AES candidate. Rijndael is not a "standout" in this respect as this was required as part of the process. Credit goes to NIST, which knew a standard would never be a standard if it was encumbered by IP.

  • as it was pointed out in the interview, this encryption method has no intellectual property claims, or patents on it. This is really good news for the open source and free software communities.
    On a side note, was it just me, or did the interviewee seem to be in a bit of a mood?
    ---
  • In light of the absurd "Draft Cybercrime Treaty" [msnbc.com] brought to our attention by this article [slashdot.org] I'd love to hear Rijmem's take on the whole issue. How does the world expect to pull off other events like the AES challenge if researchers can't "hack/crack" without fear of legal repercussions?
  • Well... agree with you on the surface, but how do you test an "engine" without building the "car"? Do you think there would have been such a push for the AES if folks like the EFF and Distributed.net hadn't begun to raise public doubt with their demonstations? Bruce Schneier sez in his excellent new book "Secrets and Lies: Digital Security in a Networked World" that no crypto can be said to be unbreakable, only that those who have tried have failed. When you reduce it to that level, the validity of the strength claims are only as good as the skills of the testers. I'd rather have the whole world testing than a handful of closed, and often profit oriented organizations. The "just trust us" approach to crypto has given us such gems as the CSS and A5 algorithms. (Which, for those of you in a networked cave, both failed under minor attack after being blessed as "secure")
  • udder - Thing hanging under cow :)


    Enigma
  • Has enyone else noticed how any stupid comment can get up to "+5, Interesting" if they include the word interesting in the subject line? Just like this redundant comment that has no new information to people who actually read the story.

    --

  • Thats not true. I always read Signal11s posts, its nice to know what the well balanced mainstream Slashdot reader thinks.


  • Yeah "pretty interesting guy, and had some interesting comments" struck me as being a bit generous to him. Course I have nothing whatsoever to say so I shouldn't criticise.

  • LinuxSecurity.com: Do you believe the open source nature of Linux provides a superior vehicle to making security vulnerabilities easier to spot and fix?

    Journalism just took a punch in the gut, staggered through a parking lot, where some thugs decided to steal his wallet, piss on his clothes, and poop in his briefcase.

  • Is this depth of knowlege really required for a layman to take advantage of reasonable encryption security?

    No, it isn't required by the layman, but yes it is required by someone in order to make sure the layman's encryption is secure. If there weren't people learning more about encryption and coming up with new algorithms and attacks the field would be stagnant.

  • LinuxSecurity.com: How long did it take to develop the algorithm that will provide security for the digital economy well into the 21st century?

    Vincent Rijmen: It depends on how you count. Our research is a continuous process, and it's not easy to say when we started on Rijndael. About a year or two, I would estimate.

    Calculation using Moores CPU law would suggest that this encryption algorithm should be cracked within 6 months.
  • 56-bit DES is easily crackable now. Rijndael takes up to a 256-bit key. (256 - 56) = 300. Where are you getting your numbers from?

    This calculation is of course pretty meaningless, but it gives you a rough idea.
    --
  • Depends what you mean by "more secure", doesn't it? Rijndael's security goal is to be "K-secure and hermetic". In layman's terms, this basically means to be as secure as any block cipher with that block and key size can possibly be. If it meets these goals, then Serpent can't possibly be better - it can only be exactly as good.

    If I could work out a way of demonstrating that it didn't meet these goals, I'd be the world's most famous cryptanalysist in moments. But I'd still be a million miles away from a break that was actually any good for any real attack that any real adversary, even 3-letter agencies equipped with alien tech, could ever use against you.

    There are some good attacks on very much weakened variants of Rijndael. Some people in the crypto world believe that full Rijndael will eventually be demonstrated not to be K-secure. However, no-one who knows what they're talking about thinks that any practical, useful break will ever be found. Really, Rijndael is more than good enough - the weaknesses in your system lie elsewhere.
    --
  • There's another interview over on ZDNet [zdnet.com].

    And hey, they mention Linux there too! ;-)

    Jacco
    ---
    # cd /var/log

  • I still think they should have called it herfstvrucht, angstschreeuw or koeieuier, like they propose here [kuleuven.ac.be]
    --
  • Calculation using Moores CPU law would suggest that this encryption algorithm should be cracked within 6 months.

    Explanation please.

    What does Moore's Law have to do with the *identification* of an attack on an algorithm, or with the time to implement such an attack?

    If you're implying that a +6-month CPU will be capable of brute-force attacking Rijndael, please explain why current processors cannot do this, and please give an estimate of the time taken to break an arbitary message (i.e. time to search 50% of keyspace).

    For bonus points, please provide an estimate of the hardware resources required (now, in 6months, or sometime after the Pentium 6 is released, which ever takes your fancy) in order to provide a realistic interception capability for oh-let's-say AES-encrypted email in near-real-time.

  • Even six-round Rijndael, while theoretically "broken", is completely uncrackable with any known algorithm on today's hardware. IIRC it takes over 10^28 (ie 2^90) operations to crack. That's a savings of only 10^11 (2^38) over brute force. Say you're the NSA, and can afford today 10^6 computers each running at 10^12 operations per second. With your boxes all improving at moore's law, it'll be 15 years before you crack your first key; then 2 keys the in the following year.
  • Embedded systems: a point to bear in mind is that embedded systems
    must not just be able to perform the algorithm, they must also be
    protected from out-of-the-box attacks. It is much harder to guess
    what a card device is doing from an EM emission analysis if it uses
    simple operations such as in Rijndael, that if it uses more complex
    operations such as in Sepent and Twofish. This isn't only a matter of
    prevalent technology, it involves sensitive design issues as
    well, ones that Rijndael went to more pains about that the other
    finalists.

    I think that Rijndael will prove to be the better technology for
    quite a long time, and its selection will do a lot to promote the use
    of good cryptography in the next few years.

  • LinuxSecurity.com: What applications do you forsee it being used?

    Vincent Rijmen: Many many applications. Protection of sensitive files
    of the US government (mandatory). Email encryption. Mobile phones.
    Smartcards.

    Interesting to note that the NSA didn't say they would use AES. Schneier's last cryptogram [counterpane.com] speculated that they won't be using Rijndael for classified documents in the next few years.

  • And they also speculated on the reason: It requires few years of internal analysis before they can trust it. And besides, they probably have something much better (or something that has already survived decades worth of analysis) in use..
  • Well, you proably know what those words mean, but for the Dutch-illeterate here:
    herfstvrucht: autumn-fruit
    angstschreeuw: scream of terror
    koeieuier: Well, the thing hanging below a cow, where you get the milk from (dunno the trans ;-)



    --

  • 3DES has always been entirely free of IP claims, so I don't see what's changed really?

    Yeah, the interviewee was a little cold!

  • They're already hard to pronounce, don't make it worse. I fear that soon a Czech name will be given to the next big thing, and we'll have to use the reverse caret over the C!

  • Re:Serpent (Score:3)

    by henley ( 29988 ) on Thursday October 26, 2000 @04:31AM (#674753) Homepage
    Serpent is actually more secure than Rijndael, even if slightly slower. I personally use serpent in my loopback fs's, and it works really well!

    Which nicely summarises why Rijndael won.

    The competition was a nice, real-world example of a trade-off between absolute theoretical security and implementation. AES is intended to scale from smartcards to NSA supercomputers.

    If AES had been about producing the most secure algorithm, period, then I guess the winner would have been one which included an infinite number of permutations... After all, if it takes an eternity to encrypt you can guarantee that it can't be broken after encryptions :-)

    Note that you, too have found that what the US Gov' says doesn't necessarily apply to the real world either. However, your faith in Serpent is perhaps misguided. It may have received a similar level of analysis as Rijndael up to now, but you can guarantee that as an also-ran, it's not going to continue to receive this level of investigation. All of which leaves you more, not less, vulnerable in the longer term....

  • Re:Interesting approach (Score:3)

    by divec ( 48748 ) on Thursday October 26, 2000 @07:35AM (#674754) Homepage
    Also, Rivest, Shamir, and Adleman *did* invent RSA. I'm not sure what you're implying.

    Well, it was apparently thought of earlier, in the late 1960s, by James Ellis and Clifford Cocks (who were British secret agents). However they did not publish (being secret agents). R,S+A thought it up independently 10 years later, and they were the first to publish. See this techweb story [techweb.com] for some more details.

  • Re:Interesting approach (Score:3)

    by konstant ( 63560 ) on Thursday October 26, 2000 @05:00AM (#674755)
    That is true of all the candidates. Even MARS and RSA patents would have to be more-or-less unenforced if selected - go to the AES page and check out the huge red text that says exactly this.

    AES homepage [nist.gov]

    Also, Rivest, Shamir, and Adleman *did* invent RSA. I'm not sure what you're implying.

    -konstant
    Yes! We are all individuals! I'm not!

  • Still a TwoFish Fan (Score:3)

    by tmu ( 107089 ) <todd-slashdot@re n e s y s .com> on Thursday October 26, 2000 @04:33AM (#674756) Homepage
    I'll admit it: I'm still a twofish fan. I look at the number of rounds required to make rijndael reasonably secure and compare that to twofish and i don't feel happy. This is not to say that I don't think that Rijndael is secure now--it clearly is. This is also not to say that I think there's some good way to reliably determine the likely future security of uncracked algorithms--I think there is not. Nevertheless, we can guess about future security based on things like complexity (where twofish scores poorly) and number of rounds required for security (where twofish scores extremely well and rijndael does not).

    There were two lurking decision factors in the AES that concern me:

    1) patents. it has not been made clear how much the hitachi claimed patent affected the outcome.

    2) embedded devices. i believe that the decision was weighted in favor of current embedded memory and computational power, which doesn't make any sense. Embedded applications will be more powerful by the time anyone actually implements this stuff and I'd much rather have something that is excellent on real computers and fine on smart cards, but that doesn't seem to be what we've ended up with.

    Anyway, I'm glad to see the process was open and all kvetching aside, Rijndael is a *huge* improvement over DES or even DESX or tripleDES. The authors of all algorithms deserve congratulations.

  • Re:Encryption Overload (Score:3)

    by ssimpson ( 133662 ) <<slashdot> <at> <samsimpson.com>> on Thursday October 26, 2000 @04:32AM (#674757) Homepage

    Over time AES will be incorporated into all security products and will become a defacto standard. We can already see that GnuPG [gnupg.org] includes full support and NAI/PGP is expected to follow shortly.

    It's nothing that end users will have learn / know - it'll just be included as the standard. If someone wanted to send you an encrypted mail today then they'd still use PGP (or similar), you can't just take Rijndael and encrypt an e-mail (or web session, or SSH session or whatever).

  • secure standard (Score:3)

    by gnudutch ( 235983 ) on Thursday October 26, 2000 @03:06AM (#674758)
    The only reason they won't crack it is probably because it's impossible to pronounce.

  • Interesting approach (Score:4)

    by Wizard of OS ( 111213 ) on Thursday October 26, 2000 @03:03AM (#674759)
    I read an article about RijnDael in a Dutch magazine a few weeks ago. They interviewed the authors (they're from Belgium and speak Dutch too) about the algorithm. The things I remember from the interview:
    • They didn't patent it. This means that they ofcourse get the credit (everlasting fame) but don't earn any money with it (compare that to the people that 'invented' RSA ...)
    • They were searching for the most simple algorithm. Not something that would require massive processors or mathematical libraries, but an algorithm based on simple instructions, something that could fit on (for example) a small chip (smart-) card.



    --

  • Security of selected proposals (Score:4)

    by Phoz ( 241367 ) on Thursday October 26, 2000 @03:01AM (#674760)
    You may wish to check out this website [ii.uib.no] for a quick and clean comparison of the security of the different proposals.

Slashdot Top Deals

All life evolves by the differential survival of replicating entities. -- Dawkins

Close