Encryption standard strengthened

The federal government has a new standard for encrypting electronic documents and messages, a code so secure federal officials predict its encoded material will remain uncrackable for 20 to 30 years.

The Advanced Encryption Standard (AES) received formal approval from Commerce Secretary Donald Evans Dec. 4. It replaces the Data Encryption Standard (DES), which was adopted in 1977 and can be deciphered with modern computers.

Now that the federal government has adopted the standard, it is expected to provide a boost to e-government and become widely used by the private sector to protect sensitive computerized information and financial transactions.

In the short term, the use of the new encryption standard is likely to go unnoticed by most people, said Phil Bullman, a spokesman for the National Institute of Standards and Technology, which helped select the new standard.

Although encryption is already used extensively by the financial industry for such things as online banking and automated teller machine transactions, the encryption is invisible to banking customers, and most users are probably unaware that it is occurring, he said.

Consumers also often use encryption when they make purchases via the Internet. Credit card numbers are often encrypted automatically when orders are placed.

In the longer term, however, more sophisticated encryption is expected to make more e-government functions possible, said Alan Balutis, former chief of NIST's Advanced Technology Program.

Strong encryption is essential to ensure the security and authenticity of the online transactions envisioned in e-government, such as digitally signing contracts and completing financial, legal and other transactions, he said. Today there are "relatively small pockets" where e-government has taken hold at the federal level, but stronger encryption could push e-government to "the cusp of a substantial takeoff," said Balutis, who now serves as the executive director of the Federation of Government Information Processing Councils and the Industry Advisory Council.

In a statement announcing the adoption of AES, Evans predicted that it will "promote efforts to provide secure electronic government services to our citizens."

At the heart of encryption technology is a complex mathematical formula known as an algorithm. AES employs a 128-bit encryption algorithm compared with DES' 56-bit one.

In guidance to federal agencies, the Office of Management and Budget noted that encryption is an important tool for protecting the confidentiality of sensitive information, but urged agency personnel to use the powerful new AES carefully.

Encrypting information with AES may mean losing it if agencies lose access to the cryptographic keys needed to decipher it.

OMB instructed NIST to "issue appropriate guidance to agencies by April 2002" on ensuring that encrypted data can be decrypted when necessary.