Existing data encryption standards have been officially superseded at US government level, but it won't mean another multimillion-dollar software payout for businesses.
After a three-year worldwide competition, the US Commerce Department announced that the Rijndael encryption algorithm from Belgium has been selected as the USA's new Advanced Encryption Standard (AES).
Rijndael was developed by Belgian cryptographers Joan Daemen of Proton World International and Vincent Rijmen of Katholieke Universiteit Leuven. Algorithms were evaluated for the strength of their security as well as for their speed and versatility across a variety of computer platforms.
Commenting locally, PricewaterhouseCoopers partner Bruce Humphries said the cost of additional software and hardware to accommodate the new standard will be relatively low in the short term.
The main costs of a changeover for businesses will be in consulting for data management strategies.
Humphries said the adoption of the new standard did not automatically mean systems using previous encryption methods were "rendered useless". However, "the implications [of the new standard] need to be looked at immediately", he said.
Humphries is a partner at the consulting firm's technology risk management services division.
He said the new encryption standard comprises a "much more sophisticated mathematical model" than its predecessors, DES (Data Encryption Standard) and Triple DES.
Humphries said the new standard could "theoretically" be "cracked" using the same methods used to successfully crack DES and Triple DES.
He said both former standards were found to be crackable using the "brute force" decryption method. That method involves using "every possible formula" to crack a code until, ultimately, one formula works.
It could take several months to crack a code written using the new encryption standard, whereas the typical bank transaction involved the transfer of data over about 10 minutes, he said. However, he said some funds transfer systems, typically used by credit card companies, took longer to process transactions because data was passed through "hierarchies" of encryption "keys".
Humphries said the US government replaced DES and Triple DES surprisingly soon after their inception due to the unexpected speed of growth in commercially available computing power. Similarly, the longevity of the new standard would depend entirely on "how quickly computer technology and computing power advance", he said.