On this subject, I recall your dgcchat post of 20-Oct-2002:
> Crypto is very simple, in the large.
>
> 1. If you can share something, share a key and
> use Rijndael (AES).
>
> 2. If you can't, use RSA and a web of trust.
> Go to step 1.
>
> There ain't much more to it, in the business of protecting data.
(FTR, copied from the cryptography list by iang:)
-------- Original Message --------
Subject: Re: AES suitable for protecting Top Secret information
Date: Wed, 14 Apr 2004 18:31:21 -0400
From: Arnold G. Reinhold
To: ... cryptography@metzdowd.com
I was the one who updated the Wikipedia entry . It was shortly before
the cryptography list came back up. I found the June 2003 CNSS fact
sheet while looking for other information on NIST's standards
program. The first reference that I found that suggested AES could be
used for classified was in a slide presentation at a Dec. 4, 2002
NIST Wireless Security workshop http://csrc.nist.gov/wireless by
Timothy Havighurst of NSA on DOD Wireless Policy
http://csrc.nist.gov/wireless/S04_DOD%20Wireless%20Requirements-th.pdf
One slide reads:
" SECRET and TOP SECRET data must be approved with a Type I algorithm
- BATON
- AES (sufficient key length)
- SKIPJACK"
(I believe the BATON algorithm itself is still classified.)
This is a major milestone in cryptography. I believe it is the first
time in modern history that the public knowingly has access to a
cipher that the U.S. Government currently considers strong enough for
Top Secret information.
Note that the CNSS fact sheet goes on to say:
"The implementation of AES in products intended to protect national
security systems and/or information must be reviewed and certified
by NSA prior to their acquisition and use."
Another interesting presentation at the same NIST workshop was by
Bill Burr on NIST's Cryptographic Standards Program.
http://csrc.nist.gov/wireless/S04_NIST_crypto_program_final-bb.pdf It
has a nice chart comparing the strengths of various crypto primitives
based on their key length (page 7). Anther slide (page 13) contains
the following interesting statement:
"Proposed 80-bit crypto end of use date: 2015"
Based on the page 7 chart, this presumably includes SHA1, Skipjack,
1024-bit RSA/DSA and 160-bit ECC.
Arnold Reinhold
[snip...]
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com