Opinion: Security adviser: A race against the clock

Some of you have wondered along with me if the U.S. government is ever going to get around to approving an updated encryption standard. Although the Commerce Department announced on Dec. 4 that AES (Advanced Encryption Standard) would be mandatory for all federal departments using encryption starting on May 29 of this year, I have a funny feeling that deadline’s going to slip. One thing everyone’s seen lately is how good the government is at setting deadlines for itself that it can’t keep – think baggage screening, folks.

Here’s some background for those who aren’t crypto junkies: Most of us have heard of DES (Data Encryption Standard), and its successor, Triple DES. The original DES was developed using a 64-bit algorithm back in the 1970s; but it was deployed in a 56-bit version that is considered to be only somewhat better than a Lone Ranger decoder ring, having been cracked years ago. Triple DES is, as you might imagine, compatible with DES, uses a 112-bit key, and today is considered unbreakable, which simply means no one’s tried hard enough yet.

AES, on the other hand, is a 128-bit algorithm that’s based on a formula developed by a couple of Belgian researchers called “Rijndael.” The Computerworld piece I was reading referred to claims that “AES would take 149 trillion years to crack a single 128-bit AES key using today’s computers.”

Unfortunately, today’s computers are next year’s junk, as seen by the brisk market in Cray parts that can be used as paperweights and doorstops. I’m not sure what exactly the cited experts meant. Were they talking about a corporate desktop or some monster buried below the NSA grounds at Fort Meade? Did they consider 10,000 workstations crunching numbers in their spare time?

This doesn’t mean that I’m against AES. To the contrary, if AES really is a better performer than Triple DES (the piece in our sister publication claimed that it is less CPU-intensive and runs in software six times faster than Triple DES) then certainly AES is a good thing. But I wish that we could get away from the idea that ciphers can be truly “unbreakable.”

It’s a numbers game, folks. Crunch enough numbers fast enough and you’ve broken the cipher. Granted, a 128-bit cipher is pretty formidable. But I suspect that if we wait long enough for Moore’s Law to have its inexorable effect, eventually we’ll see hardware capable of cracking AES. I reckon it might take until 2010, but it will happen, and you read it here first.

Now that AES has the government seal of approval and a Memorial Day deadline for adoption, the private sector is also expected to adopt it pretty darn quick. This should help the sales of security vendors, or at least the ones dealing in crypto tools.

P.J. Connolly (pj_connolly@infoworld.com) covers collaboration, networking, operating systems, and security for the Test Center. Get this column free via e-mail each week. Sign up at www.iwsubscribe.com/newsletters

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now