April 14, 2004

AES now rated to "Top Secret"

Of interest only to hard core cryptogaphers, it seems that the CNSS (a US intelligence/Defense security advisory body) has designated AES as suitable for "top secret." This is highly significant, as DES was only ever rated as suitable for "unclassified" material only, and the AES competition was specifically designed to create a replacement. I.e., the requirement was "good enough for the rest, not the big boys."

There is now no reason to ever prefer anything but AES as a secret key algorithm. Steve Bellovin reports:

-------- Original Message --------
Subject: AES suitable for protecting Top Secret information
Date: Wed, 14 Apr 2004 08:43:03 -0400
From: Steve Bellovin
To: cryptography@metzdowd.com

I haven't seen this mentioned on the list, so I thought I'd toss it
out. According to http://www.nstissc.gov/Assets/pdf/fact%20sheet.pdf ,
AES is acceptable for protecting Top Secret data. Here's the crucial
sentence:

The design and strength of all key lengths of the AES algorithm
(i.e., 128, 192 and 256) are sufficient to protect classified
information up to the SECRET level. TOP SECRET information will
require use of either the 192 or 256 key lengths.


--Steve Bellovin, http://www.research.att.com/~smb


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

Posted by iang at April 14, 2004 11:00 AM | TrackBack
Comments

On this subject, I recall your dgcchat post of 20-Oct-2002:

> Crypto is very simple, in the large.
>
> 1. If you can share something, share a key and
> use Rijndael (AES).
>
> 2. If you can't, use RSA and a web of trust.
> Go to step 1.
>
> There ain't much more to it, in the business of protecting data.

Posted by: Patrick Chkoreff at April 14, 2004 11:22 AM

(FTR, copied from the cryptography list by iang:)

-------- Original Message --------
Subject: Re: AES suitable for protecting Top Secret information
Date: Wed, 14 Apr 2004 18:31:21 -0400
From: Arnold G. Reinhold
To: ... cryptography@metzdowd.com

I was the one who updated the Wikipedia entry . It was shortly before
the cryptography list came back up. I found the June 2003 CNSS fact
sheet while looking for other information on NIST's standards
program. The first reference that I found that suggested AES could be
used for classified was in a slide presentation at a Dec. 4, 2002
NIST Wireless Security workshop http://csrc.nist.gov/wireless by
Timothy Havighurst of NSA on DOD Wireless Policy
http://csrc.nist.gov/wireless/S04_DOD%20Wireless%20Requirements-th.pdf

One slide reads:

" SECRET and TOP SECRET data must be approved with a Type I algorithm
- BATON
- AES (sufficient key length)
- SKIPJACK"

(I believe the BATON algorithm itself is still classified.)

This is a major milestone in cryptography. I believe it is the first
time in modern history that the public knowingly has access to a
cipher that the U.S. Government currently considers strong enough for
Top Secret information.

Note that the CNSS fact sheet goes on to say:

"The implementation of AES in products intended to protect national
security systems and/or information must be reviewed and certified
by NSA prior to their acquisition and use."

Another interesting presentation at the same NIST workshop was by
Bill Burr on NIST's Cryptographic Standards Program.
http://csrc.nist.gov/wireless/S04_NIST_crypto_program_final-bb.pdf It
has a nice chart comparing the strengths of various crypto primitives
based on their key length (page 7). Anther slide (page 13) contains
the following interesting statement:

"Proposed 80-bit crypto end of use date: 2015"

Based on the page 7 chart, this presumably includes SHA1, Skipjack,
1024-bit RSA/DSA and 160-bit ECC.


Arnold Reinhold

[snip...]
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

Posted by: Arnold G. Reinhold at April 15, 2004 04:25 PM