Cryptographic Turning Points

It's time to say goodbye to the Data Encryption Standard (DES). A replacement algorithm will be selected "late this summer or early this fall," says Ed Roback, acting head of computer security at the National Institute of Standards and Technology's (NIST) Computer Security Division in Gaithersburg, Md.

DES, the standard for commercial encryption since 1977, is near the end of its useful life. In 1997, NIST announced its intention to develop a new algorithm, the Advanced Encryption Standard (AES), to replace DES and protect "the electronic data flow of the 21st century," according to Philip Bulman, NIST's spokesman.

Since its introduction, DES's adequacy has been re-evaluated every five years.

A 1998 review concluded that the 56-bit-key DES was susceptible to brute-force attacks and should be replaced where possible with Triple DES, which uses 112- or 168-bit keys.

All five finalist algorithms - MARS, RC6, Rijndael, Serpent and Twofish - are officially still in the running, says Roback, and NIST has assembled a team to review all comments and prepare an analysis of the algorithms and the tests to explain how the winner is selected. "We're plodding through this process; there's an enormous amount of public comment and public analysis," Roback says.

Some experts say that the least likely of the five finalists to succeed are RC6 and MARS. One observer, speaking off the record, says that "RC6 and Mars are out of the running because they don't work in hardware." Carlisle Adams, a senior cryptographer at Entrust Technologies Inc. in Plano, Texas, says, "From the poll taken at the close of the final AES conference [in New York in April], it appears that Rijndael and Serpent are the front runners, with Twofish, RC6 and MARS, approximately in that order, following up."

Adams and others suggest that NIST may choose more than one algorithm. He says that two AES winners could be "given equal footing, or two winners with one recommended for some environments and the [second] recommended for others." Or, there could be one winner and one backup, in case the winning algorithm is broken or rendered unusable.

Adams led the team that submitted CAST 256, a candidate that didn't make the final cut. Bruce Schneier, chief technology officer and founder of Counterpane Internet Security Inc. in San Jose, leads the Twofish team. Both say they're happy with the way the selection is being conducted. Schneier says that "as a block-cipher cryptographer, this is the most fun I've had in my life." The selection process made it "much more real," he says. "I would do it again in a minute."

"The AES process has been as good as humanly possible," says Adams. Balancing conflicting objectives - such as allowing enough time for public comment without unduly delaying a DES replacement - isn't easy, he says, but "NIST has done everything in their power to make this process as open and fair as can be done" while avoiding the controversies that accompanied DES's selection two decades ago.

If DES is demonstrably weak, the encryption products that U.S. companies can export without limit is a joke. Commercial encryption items are controlled by federal export regulations. Those regulations have been significantly revised to mainly open up exports, but many non-U.S. consumers still face big hurdles in acquiring full-strength encryption tools. New regulations announced in January eased controls somewhat, allowing companies to export encryption products after a one-time review rather than requiring a new review for each sale. Last month, more restrictions were removed with an updated policy that allows U.S. companies to export any encryption product to any end user in the European Union and eight other friendly nations.

Dorothy Denning, a professor at Georgetown University in Washington, says encryption controls won't disappear. "There are likely to remain controls over exports to terrorist-designated countries," she says. But it isn't clear how far the feds will go. "I don't believe the government knows exactly where they will be on this in the long term," she adds.

How effective are the controls? Denning calls it a "hard question, for which I can't give you an easy answer." In a 1997 paper, "Encryption and Evolving Technologies as Tools of Organized Crime and Terrorism," she described how criminals were using encryption. She noted that although some criminals were using encryption programs such as Pretty Good Privacy, there was still value in maintaining controls. Although encryption is essential for legitimate users, Denning concluded that "because encryption can be exploited by criminals and terrorists, its completely unfettered proliferation may not be in our national interest."

Practical experience shows that encryption must be part of a wider security program. Denning reports that criminals using encryption are frequently thwarted by poor implementations, recovery of encryption keys and other weaknesses.

Schneier also points out the futility of expecting encryption to solve all security problems. "All the major security vulnerabilities have nothing to do with cryptography," he says. According to Schneier, cryptography can't protect against attacks such as the "I Love You" virus, distributed denial-of-service attacks, public-key infrastructure vulnerabilities or the Outlook bug. "When I look at a product, no matter how bad the crypto is, there's always something else that's worse," he says.

Loshin (pete@Internet-Standard.com), a consultant, has written more than 20 books about the Internet.

Signing on the Electronic Line

It's finally as legal to sign a document electronically with the click of a mouse as it is with the ballpoint-pen click that's part of the process of writing your signature. President Clinton signed S.761, the Electronic Signatures in Global and National Commerce Act (also known as E-Sign), into law in June.

Public Law 106-229, as it's now known, puts electronic signatures on the same footing as ink signatures for affirming contracts. Many individuals and companies involved in Internet commerce say this legislation is a giant step forward. "The law rocks," says David Mirchin, vice president and general counsel at SilverPlatter Information Inc. in Norwood, Mass., and an adjunct professor of Internet law at Boston College Law School.

According to Mirchin, "an electronic signature under E-Sign is defined as information or data attached or logically associated with an electronic record and adopted by the person with the intent to sign the agreement." In other words, anything from clicking an "I agree" button on a Web page to sending a digitized thumbprint to using traditional digital signatures with a public-key infrastructure (PKI) can qualify.

Companies selling PKI products and services welcome E-Sign with open arms for its potential to boost e-commerce. Certicom Corp.'s Executive Vice President Richard Depew says the law is "certainly a step in the right direction," and that it also gives the go-ahead for the wireless transaction of business on the Internet.

The law doesn't identify a specific technology; it just puts electronic signatures on equal footing with ink on paper. This neutrality is widely viewed as a good thing. Bob Pratt, director of product marketing at VeriSign Inc. in Mountain View, Calif., says he's "pretty excited" about it because "it adds a framework for doing business online."

Although VeriSign's business is built on digital signatures, Pratt says he's happy with the technology-neutral law: "E-Sign legislation is not the last word - it's more of a beginning." According to Mirchin, "The key is not the technology but that the person must have the intent to be bound by the agreement."

A company proposing an electronic agreement should make it clear that clicking OK means that the parties involved have agreed to the terms. Entrust Technologies Inc. Chief Technology Officer Brian O'Higgins says digital signatures will become the prevailing form of electronic signatures, despite the law's technology neutrality and that other electronic laws will eventually be passed to "fill the gaps and get more specific about digital signatures."

Scott Schnell, senior vice president of marketing at RSA Security Inc., says he's also satisfied with the law's neutrality: "It establishes a universal baseline that is national" but also "creates a level playing field for the best technology to rise to the top."

Not everyone is a cheerleader, despite the new law's widespread support. Martin Reynolds, an analyst at Stamford, Conn.-based Gartner Group Inc., says there's a downside: "Our society does not understand security very well; a digital signature can be forged from anywhere on the Internet."

Bruce Schneier, founder of Counterpane Internet Security Inc., is more blunt.

"I think they will be used in applications where they make no sense. And I think there will be a lot of fraud related to their misuse," he says. Schneier adds there will be "some high-profile disasters" and that the law will have to be fixed. "If you have Back Orifice on your computer, it could sign things on your behalf," he says. "There's a big difference between the signer computing the algorithm and the signer's computer doing the calculation." Schneier points out that we can know only that the signer's computer generated a signature, because "we have no idea whether the signer wanted the computer to do that."

At the same time, Schneier says that despite the availability of protective technologies, social constraints are far more effective at keeping people from killing each other. And despite the potential for fraud, he says, most signatures, both electronic and ink, will continue to be honored.

Join the newsletter!

Error: Please check your email address.

More about Advanced Encryption StandardAES EnvironmentalCerticomCounterpaneCounterpane Internet SecurityEntrustEntrust TechnologiesGartnerGartnerNorwoodRSA, The Security Division of EMCVeriSign Australia

Show Comments