Government debates new encryption standard

The federal government will likely ignite a firestorm of technical and political debate as it begins a search to replace the Data Encryption Standard a staple among government users and industry alike.

The National Institute of Standards and Technology announced in early January that it was seeking public comment for the development of an Advanced Encryption Standard (AES) to succeed DES the required federal standard for the protection of all encrypted government data characterized as sensitive but unclassified.

Most industry observers and government users agree that the time has come to overhaul DES its ability to secure data is perceived to be sorely lagging behind the technology curve as numerous camps have developed technologies that appear to exceed the capabilities of DES. Information security administrators and industry however do not agree on the best candidate to replace the aging algorithm.

It is clear that the move to replace DES will have an enormous impact on agencies and industry because of its widespread use. DES is prominent in all but the most secret agencies and it is offered in the products of most federal contractors.

Although NIST does not maintain documentation of the various uses of DES within the government the agency had validated about 60 hardware and software implementations of DES by the end of 1996.

Given the importance of encryption technology any likely AES candidates will get a lot of scrutiny and draw no small amount of fire.

The National Security Agency was intimately involved in the selection of the DES algorithm and that has left the standard open to criticism and skepticism from some cryptographers who claim that the intelligence agency may have installed a "backdoor" to allow secret access. But Miles Smid manager of the security technology group at NIST said the government is open to suggestions from the commercial sector during the process of choosing an AES.

"This isn't something that the government's trying to do on its own " he said. "The approach here is to get the best ideas from everyone and try to determine what the best candidate is. We want to see this algorithm be used beyond the government. We're open to candidate algorithms from other organizations. [DES] was designed with a fixed key space...that was 20 years ago. Now it would be desirable to have an algorithm that offers greater security."

Cracking the Code

While often discussed in years past the need for a new encryption standard has become a more pressing issue in recent months as security experts have recognized that technology for breaking the code was catching up with the decades-old technology.

Adopted in 1977 DES is based on a conventional or secret key system in which the sender and the receiver use a single key - in either hardware or software - to encrypt and decrypt messages. The sender uses the key to convert a message to binary format and scramble it according to a complex mathematical algorithm and only users sharing the key for cracking the code can decrypt the message.

The key has a length of 64 bits. Of these 64 bits 56 are used as a key while the remaining eight are used to check for errors. The algorithm provides the user with a set of functions to transform a 64-bit input to a 64-bit output. The user selects which one of more than 72 quadrillion transformation functions are to be used by selecting a 56-bit key. The theory behind the security of DES has been that short of trying all 72 quadrillion combinations there is no way to "break" the algorithm.

That theory has been supported until recently. But the phenomenal growth of computing power has rendered DES much more vulnerable. In February a Swiss cryptographer during a promotional contest sponsored by RSA Data Security Inc. cracked a 48-bit encryption algorithm in 13 days by running it through a network of more than 3 500 computers working in parallel. Although the 56-bit DES is much more secure than 48-bit algorithms it is likely to be the next target of the "crypto-analysts."

To increase the security of DES some agencies - and a large block of organizations in the financial sector - use "triple DES" - or three operations of DES with two keys - to protect data. This is one possible replacement the government could choose. This method however hurts processing performance especially in software implementations of DES.

Many Options

The field of candidates from which the government will likely choose a DES successor is quite large.

NIST has issued minimum standards for an AES requiring that the algorithm be publicly defined be designed so that key length can be increased as needed and be functional in hardware and software. It must also be a block cipher algorithm which divides plain text into blocks and applies the same encryption algorithm with the same key to each block.

Two commercial algorithms that have been well-received in the commercial marketplace and are being used by some federal agencies are Blowfish and the International Data Encryption Algorithm (IDEA).

Blowfish was designed in 1993 as a fast free alternative to DES. Unlike DES however the Blowfish algorithm has a variable key length which can be extended from 32 bits to 448 bits. It has slowly gained acceptance in the marketplace. At least 30 companies have incorporated the algorithm into product offerings.

San Jose Calif.-based Data Fellows uses Blowfish in its F-Secure product line which encrypts files on PC and laptop hard drives. The company's federal customers include the Air Force and the Navy said Data Fellows president Petri Laakonen.

Blowfish is popular because it's more secure than DES and faster than triple DES Laakonen said. "If people are transferring a lot of data and they are going over a wide-area network they tend to use Blowfish " he said. "We would definitely welcome a move to Blowfish because we consider it secure enough. DES is something we don't consider to be secure enough."

Still Laakonen conceded that Blowfish is young compared with IDEA. Although IDEA was developed in 1991 - only two years earlier than Blowfish - it has been scrutinized and subject to the attack of many crypto-analysts since then and it has withstood all attacks to date industry sources said.

However IDEA was designed by two Swiss researchers not American inventors which has raised some concern within NSA sources have said. Still NSA has been testing at least one product that uses the IDEA algorithm: Digital Secured Networks (DSN) Technology Inc.'s NetFortress encryption product.

Because NetFortress uses a unique key to encrypt at the network layer outside readers only see the source and destination Internet Protocol address not the encrypted information itself according to DSN. Data inside the packet is scrambled into gibberish until it arrives at its destination. DSN's founder chairman and chief technology officer Aharon Friedman said the company incorporated IDEA into its products because it has proven to be secure against attackers.

IDEA "has not been broken " Friedman said. "It is known to be immune against any backdoors. The more serious security guys like the Department of Defense guys and the security agencies don't particularly like to use DES because it's weak. They will go with IDEA " he said.

A field division of the Drug Enforcement Administration in Houston is using NetFortress to send and receive sensitive data using a virtual private network. Brian McCarron a DEA research specialist in Houston said the office chose the product because it offered a hardware solution which he considers more secure than software security products. Still he said NSA's examination of the product increased his confidence in IDEA and NetFortress.

"I would rather have the NSA handling our security needs as far as wide-area networking " McCarron said. "As far as [IDEA] being developed by foreign persons it's definitely a serious concern. Once it goes through NSA procedures I'll feel pretty comfortable with it."

A high-level Energy Department security official who asked not to be named said agency officials prefer to use IDEA-based technology from Pretty Good Privacy Inc. as opposed to DES to encrypt highly valuable files.

Yet another algorithm candidate is CAST the algorithm of Entrust Technologies which was proprietary until January when the company announced it would make the product available for free. Brian O'Higgins executive vice president and chief technology officer at Entrust said the company plans to submit the CAST algorithm - named for the initials of its creators - to be considered as a replacement for DES.

The algorithm is also a 64-bit block cipher algorithm that supports variable key lengths from 40 to 128 bits. According to Entrust CAST is two to three times faster than DES and six to nine times faster than triple DES. CAST is implemented in products from Pretty Good Privacy IBM Corp. Tandem Computers Inc. and Microsoft Corp.

Finally the Skipjack algorithm designed by NSA might also be considered an AES candidate. DOD recently announced that it would strip Skipjack of its Clipper chip function which was intended to give law enforcement access to encrypted data but which only made the algorithm politically unviable.

Industry Involvement

Regardless of the algorithm that is eventually tapped as the new federal standard the government is likely to seriously consider input from the commercial encryption sector.

Ideally the government would like to be able to drive the encryption market with its choice of a new standard as it did in the 1970s to ensure widespread adoption of the standard. This would give agencies more choices and extend interoperability with the private sector.

"The decision the government is going to make...will have a significant impact on the industry " Laakonen said. "But they are not going to rule the industry as they did in the '70s. If the government makes a decision that doesn't satisfy the private sector...industry is not going to standardize."

Elizabeth Kaufman product line manager for enterprise security at Cisco Systems Inc. said the government must choose an algorithm that has been published and undergone intense public scrutiny and multiple analyses from cryptographers. It also must offer high performance and be tested to ensure interoperability among multiple vendors she said.

Although the process to replace DES could take many months even years NIST officials are wasting no time in beginning their search for a successor. On April 15 NIST will host an open public workshop to discuss the draft minimum requirements published in January criteria for evaluating a new algorithm and requirements for the submission of an algorithm candidate.

Whatever form the successor of DES may take it will most likely be warmly embraced by agencies which have been forced to use the aging algorithm to protect vital information despite recent public displays of its potential weaknesses.

"Everyone who is a professional realizes that DES is not only expiring but is at the end of its useful life " said Joe Sharkey a communications specialist with the Federal Security Infrastructure Program. "The future of the whole question is going to be a strong algorithm that is safe and being able to build programs to recognize that you're going to have to change them. You're going to have to build your systems so that you can change the algorithm. That's one of the challenges that we face systemwide and I'm talking about the whole Web."

* * * * *

At A Glance

Status: Government and industry this year begin the long process of selecting a new more robust data encryption standard.Issues: The government faces the arduous task of balancing political and technical security concerns and its need to work with industry to select and eventually support the new DES standard.Outlook: Good. Unlike years past industry has pushed ahead of government in developing advanced encryption capabilities. The difficulty comes with actually making the choice.