Draft FIPS for the Advanced Encryption Standard
Several people wrote with news that NIST has released a draft standard for the AES. They're inviting public comment, so if the NSA has added a backdoor to Rijndael, now would be a good time to find it.... :)
Pronunciation (Score:1)
Why does this specify three alternative pronunciations for "Rijndael"? It's supposed to be an Advanced Encryption Standard, why can't they use the standard pronunciation? Come on guys, Dutch isn't that hard a language, and it makes a lot more sense once you can pronounce it (i.e. "zuid" = "south" is obvious when you know "zuid" is pronounced "soud")
Re:Government sponsored encryption? (Score:1)
If you're really concerned about the government subverting the algorithm, then go visit Vincent Rijmen's page about Rijndael. [kuleuven.ac.be]
Re:Sorry. "Gov't approved" == "insecure crypto". (Score:1)
No wonder this guy posted anonymously. It's this kind of thing that makes me glad for metamoderation.
--
Patrick Doyle
Re:Cool (Score:1)
The value of this is that if someone signs a document, this is typically done by encrypting a hash of the document. A weak hash will let Oscar construct another document to have the same hash, and hence "trick" the signer into having signed that one too. So the security of digital signatures relies on this being difficult.
As a counter example, I give CRC-32, where an Oscar only needs control over 33 consecutive bits in order to modify the checksum to be anything he desires.
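The CRC-32 point above, as an added worked example that is not part of the original comment: `forge_crc32` and the sample record are my own construction, and the code shows that 4 bytes placed anywhere in the message (here between a prefix and a suffix) are enough to force any CRC-32 value, which is exactly why a signature must hash with a cryptographic hash rather than a checksum.

```python
import zlib

# CRC-32 table for the reflected polynomial 0xEDB88320, the one zlib uses.
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    TABLE.append(c)
# The top bytes of the 256 entries are distinct, so a register's top byte
# reveals which table entry was XORed in at the last step.
TOP_TO_INDEX = {t >> 24: n for n, t in enumerate(TABLE)}

def _step(reg, byte):  # feed one byte into the raw CRC register
    return TABLE[(reg ^ byte) & 0xFF] ^ (reg >> 8)

def _unstep(reg, byte):  # undo _step when the byte fed in is known
    i = TOP_TO_INDEX[reg >> 24]
    return (((reg ^ TABLE[i]) << 8) | (i ^ byte)) & 0xFFFFFFFF

def forge_crc32(prefix, suffix, target):
    """Return 4 bytes p such that zlib.crc32(prefix + p + suffix) == target."""
    reg = zlib.crc32(prefix) ^ 0xFFFFFFFF   # zlib post-inverts; recover the raw register
    want = target ^ 0xFFFFFFFF              # raw register required at the very end
    for b in reversed(suffix):              # undo the known suffix to get the register
        want = _unstep(want, b)             # required right after the 4 patch bytes
    # Four steps later the old register has shifted out entirely, so only the
    # four table indices matter; read the required ones off `want`, last first.
    indices = []
    for _ in range(4):
        i = TOP_TO_INDEX[want >> 24]
        indices.append(i)
        want = ((want ^ TABLE[i]) << 8) & 0xFFFFFFFF
    patch = bytearray()
    for i in reversed(indices):             # pick each byte so it selects that index
        patch.append((reg ^ i) & 0xFF)
        reg = _step(reg, patch[-1])
    return bytes(patch)

def forged_crc_matches(prefix, suffix, target):
    return zlib.crc32(prefix + forge_crc32(prefix, suffix, target) + suffix) == target

def demo():
    # Constructed sample: a record whose "integrity" is a CRC-32 over its bytes.
    original = b"pay=100;to=alice;pad=XXXX;memo=rent"
    checksum = zlib.crc32(original)
    prefix, suffix = b"pay=900;to=mallory;pad=", b";memo=rent"  # 4-byte slot between
    forged = prefix + forge_crc32(prefix, suffix, checksum) + suffix
    return forged, zlib.crc32(forged) == checksum
```

The same trick has no analogue for a cryptographic hash like SHA-256, where finding any second input with the same digest is infeasible; an HMAC additionally keys the check so the verifier's secret is needed.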
Re:Pronunciation (Score:1)
//rdj
Backdoors (Score:1)
Now of course, you can still be paranoid if you like, and here's a suggestion if you need one: maybe that particular algorithm was selected from the 5 finalists because the NSA could break it.
Probably not likely (in retrospect, DES turned out to be much stronger than suspected), but you can cling to that if you need some conspiracy theories!
Cool (Score:1)
Actually md5sum is pretty secure, but nothing is secure if you use plain English dictionary words. Programs like johnny cracker don't care about the encryption.
Honestly, I don't know the difference between an md5sum code and an AES code, maybe someone could elucidate me.
Re:Government sponsored encryption? (Score:1)
This concern is exactly why AES wasn't developed by the government. It was developed by two researchers in Belgium. NIST basically ratified the existing Rijndael cipher as "good enough to be the standard."
The website linked in the article has lots more info.
Re:it sure is NSA approved (a Good Thing(tm)) (Score:1)
All Your Base Are Belong To Us!!!
Re:Why Symmetric?!? (Score:1)
Re:Cool (Score:1)
On a somewhat unrelated side note: OpenBSD uses [openbsd.org] blowfish (by default) to encrypt passwords (cat
Bad Idea (Score:1)
md5 is a one way hash. That means there's no way to decrypt the password once it's encoded. This makes sense for this purpose because you don't care what a password is as long as it's the right one. There's no reason to decipher a password; if someone forgets it you just reset it.
input (Score:1)
Re:Don't do it! It's a trick. (Score:1)
The Rijndael Page (Score:1)
Why Symmetric?!? (Score:1)
Re:Why Symmetric?!? (Score:2)
You can make a hash function out of a block cipher (Score:2)
I hope NIST standardise some such mode, but at the moment they're only talking about standardising modes for encryption and MAC, not for hashing.
What "fix for DES"? (Score:2)
There is some evidence (in Skipjack) to suggest the public community is now ahead of the NSA in theoretical cryptanalysis. Certainly there are a hell of a lot of breathtakingly smart people in it.
He's right! ...well, sort of. (Score:2)
A-trollbusting we will go (Score:2)
No-one who knows how this cipher was chosen could seriously believe that Daemen and Rijmen are NSA plants, or that there's room to hide anything in an algorithm as simple and clear as Rijndael.
Re:it sure is NSA approved (a Good Thing(tm)) (Score:2)
For one reason, it's the National Security Agency. It spies on everyone except Americans, even the allies that agree to host their bases.
For another, the British Government sold a bunch of Enigma machines throughout the third world after WWII. I wouldn't put it past the NSA to pull a similar stunt.
Re:it sure is NSA approved (a Good Thing(tm)) (Score:2)
Re:Cool (Score:2)
And as you know, even that isn't sure; there are an infinite number of inputs that will produce the same checksum, and some of those aren't going to be garbage.
Re:A long time to think and respond (Score:2)
NSA approved? (Score:2)
It's like asking a burglar which locks to use.
it sure is NSA approved (a Good Thing(tm)) (Score:2)
Back in the 70's the NSA delayed the release of DES, for reasons which they could not disclose at the time.
NSA knew of a then-classified attack against DES known as differential cryptanalysis. NSA could not disclose why they delayed the release of DES; they could only say that they were still working on it. Lots of people speculated NSA was inserting a "secret backdoor", when actually they were ensuring the national standard for data encryption would be secure against even secret attacks that only NSA knew about at the time.
Of course, the complete design criteria for DES were not published at that time. Since not all of the steps in the algorithm seemed logical at the time, people got real suspicious. AES, on the other hand, is pretty straightforward.
For more background, check out this history of DES [wm.edu], or Eli Biham's papers [technion.ac.il] on differential cryptanalysis.
Re:Pronunciation (Score:2)
Good question. I've always been told it's pronounced like "RHEIN-DALL". We're just lucky there aren't any Ø's in the word ;-).
Re:The NSA is smarter than you! (Score:2)
Re:What "fix for DES"? (Score:2)
One of the clever things about Skipjack, however, is that when Skipjack is poorly implemented, it falls right apart and is quite simple to break. When done properly, however, Skipjack makes a fine 40-bit cipher.
This particular quality is actually a good thing. The only people who are supposed to be using Skipjack devices (originally, at least) would have had embedded devices that were known to be good. Now suppose a bad guy builds his own Skipjack devices but bungles the implementation... the bad guy may think he's got secure communications, but it's actually easy to break.
Re:it sure is NSA approved (a Good Thing(tm)) (Score:2)
Re:it sure is NSA approved (a Good Thing(tm)) (Score:2)
Obviously, degrading the key like that makes it easier to break. Should you be paranoid? Duh, of course. Is it an evil conspiracy? No, just a bizarre law.
Re:Cool (Score:2)
md5 and Rijndael (AES) are two different classes of cryptographic algorithms.
md5 produces a 128 bit (16 byte) "checksum" of its input data. md5 is an example of a "one way function": If you have data, you can always get the md5 checksum of that data, but with the checksum only there is no way to determine what the data that produced it was, short of trying every possible input. This is extremely useful for storing passwords, as by storing the checksum only, the computer can *check* if a password is valid, but doesn't actually know what the password is.
For md5:
checksum = md5(data)
there is no data = un_md5(checksum)
---
Rijndael is something else entirely: it's a symmetric encryption algorithm. It provides both an encrypt and a decrypt function. Given a 128, 192, or 256 bit key you can encrypt data in such a way that it can only be retrieved by using the decrypt function with the key. Anyone with the key and the encrypted data ("ciphertext") can get the decrypted data ("plaintext"). This is much less useful for passwords, as the key has to be stored somewhere, making the passwords easily crackable. In this case the computer would know what the password was, and be able to give a cracker that information.
For Rijndael (AES):
cyphertext = encrypt(plaintext, key)
plaintext = decrypt(cyphertext, key)
Here's a thought (Score:2)
You can make this statement from the laws of thermodynamics (Energy in a system is conserved). And since information is energy, (Think about data compression, is information lost in the message - Entropy? Think about an air compressor, is energy lost in the air - Temperature/UnitVolume?). Think about it for 5 minutes before you hit the reply button. After all, we live in the universe, not an equation sheet.
Now what about asymmetric algos? Do the laws of thermodynamics suggest there is conceivably a perfect public-key algorithm? Nope. The public key contains information about the private key, all the information you need in fact. So what protects us? It is our child-like understanding of these hard problems.
Now what about quantum crypto? Is this any different from asym algos? Information must be transferred. It cannot be destroyed.
Granted, if one day someone proves the fundamental laws of thermodynamics wrong, we're all in trouble. But I doubt that will happen.
The key exchange problem - I would state - is by its very nature a problem with no permanent solution. It implies the destruction and re-emergence of information on a massive scale. The only thing we can do is protect ourselves with "strong" key exchange systems and prepare for the inevitable: humanity's intellectual growth.
So that said, why gripe over a possible weakness in Rijndael when the CSE or the NSA have solved the hard problems of asym algos to get at your precious block cipher key used in all electronic transmissions? You're not safe no matter how strong the cipher is, even the proposed perfect cipher.
Jumping to an implementation (Score:2)
For those people (myself included) who are too lazy to interpret the specification and enter the code in yourself, you can find a C & C++ implementation here [plus.com]. Note a link to this and other useful information is provided from the original link.
I thought... (Score:2)
"I may not have morals, but I have standards."
Re:NSA approved? (Score:2)
Re:Pronunciation (Score:2)
Re:A-trollbusting we will go (Score:2)
Oh, well, in that case, I was obviously wrong. If you could tell I was a troll, that just proves that the average /bot is smarter than the NSA.
Re:A long time to think and respond (Score:2)
Now, if we could just prove that they're both saying the same things, instead of the PDF one saying "Here's the Open Source AES implementation" and the DOC one saying "Dear A Valued Micro$oft Customer, trust this special Micro$oft/NSA joint venture AES implementation. *ERROR DETECTED: the network traffic light on your PC is blinking indicating it is malfunctioning. [ok][continue]"
John
Don't do it! It's a trick. (Score:2)
Don't listen to this guy! It's a trick! The NSA has planted this guy and the code. Nudge nudge, wink wink. Write your own implementation from the spec and you'll see the back-door, clear as day. Tricky buggers...
Re:The NSA is smarter than you! (Score:2)
DES was sanctioned by the NSA and it was broken by somebody not in the NSA. (don't have the book here to reference but they talk about it in Applied Cryptography). Of course after that happened the NSA said yes, we know about that type of attack, here is a fix for DES. So the public cryptography community may be behind the NSA but people do figure things out. There are plenty of math PhDs that don't work for the NSA you know.
Blowfish Hash (Score:2)
I think the logic is not so much that it's a provable perfect hash (only one password will create the same hash), but that it's way too computationally expensive to do a dictionary attack.
A long time to think and respond (Score:2)
Looks like they're serious about the comments.
Government sponsored encryption? (Score:2)
Maybe a better solution would be to have a government-independent group that is politically neutral be responsible for the development of encryption standards. I don't know how exactly that could be set up, but it at least might be worth a little thought.
Re:Why Symmetric?!? (Score:2)
Symmetric encryption is much faster than asymmetric encryption methods, so they have their uses. In IPSec and PGP you will find the bulk of the encryption is actually done using a symmetric algorithm because it is about 1000 times faster than, say, RSA.
A 256-bit keyspace is huge for a symmetric cipher. To brute force this would take, say, one million supercomputers a million years. That is a highly non-scientific computation, but demonstrates the rough magnitude we are talking about. For asymmetric algorithms like RSA or Diffie-Hellman, the algorithms can be attacked more efficiently than by brute force, so we need a larger keyspace. RSA is based on the difficulty of factoring large numbers (composites of two large primes), and DH is based on the discrete logarithm problem.
The AES (Rijndael) was proposed by a European team of cryptographers; the NSA have only acted as advisors to NIST, who make the final decision. The algorithm has been in the public since 1998, and has had the best open-source (general public) cryptographers looking for any weaknesses. It appears to be very strong, and modestly fast, faster than TripleDES.
The NSA approved all five final candidates (Score:3)
A burglar you trust is an excellent person to ask about what locks to use. Of course, NIST didn't just ask the NSA, they asked all the best burglars in the world, and the conclusion is that this is as secure a lock as you could possibly need for the foreseeable future.
Re:Blocksize vs. Keysize (Score:3)
So this "change" is really just rewriting Rijndael to fit NIST's proposal. Check the original 1997 request for candidates [nist.gov].
I don't know what it is about cryptography that causes people to wildly speculate about it, but unless you have any evidence, I claim that there are no known backdoors in DES or AES. Period.
If you read Steven Levy's Crypto, chapter 2, you'll see that DES was quite strong in its day. Its structure now makes sense, once the T-attack was rediscovered by Biham and Shamir as differential cryptanalysis. The only just criticism of DES was that even then 56-bit was conceivably weak in the future, not in the 1970s when it was first made standard.
The NSA has two responsibilities [nsa.gov]: to gather national intelligence, and to preserve the US Government's own security. The AES will be used as the standard encryption for non-classified (basically non-military) security, and will likely be adopted by X9 [x9.org] as a successor to TripleDES for banking and international financial security. Using a weak algorithm for AES would not make the NSA's responsibility of protecting the US Government's security easier, so I do not see the benefit of trying to do such a thing.
Public review is finished after two years or so (Score:4)
So long as this FIPS is simply a formal description of the algorithm we were all examining (and it appears to be), there's no problem. NIST have done all the right things here.
Rijndael team's new cipher (Score:4)