AES suitable for protecting Top Secret information

Arnold G. Reinhold reinhold at world.std.com
Wed Apr 14 18:31:21 EDT 2004 

I was the one who updated the Wikipedia entry . It was shortly before 
the cryptography list came back up.  I found the June 2003 CNSS fact 
sheet while looking for other information on NIST's standards 
program. The first reference that I found that suggested AES could be 
used for classified was in a slide presentation at a Dec. 4, 2002 
NIST Wireless Security workshop http://csrc.nist.gov/wireless  by 
Timothy Havighurst of NSA on DOD Wireless Policy 
http://csrc.nist.gov/wireless/S04_DOD%20Wireless%20Requirements-th.pdf

One slide reads:

" SECRET and TOP  SECRET data must be approved with a Type I algorithm
	- BATON
	- AES (sufficient key length)
	- SKIPJACK"

(I believe the BATON algorithm itself is still classified.)

This is a major milestone in cryptography. I believe it is the first 
time in modern history that the public knowingly has access to a 
cipher that the U.S. Government currently considers strong enough for 
Top Secret information.

Note that the CNSS fact sheet goes on to say:

"The  implementation of AES in products intended to protect national 
security systems and/or  information must be reviewed and certified 
by NSA prior to their acquisition and use."

Another interesting  presentation at the same NIST workshop was by 
Bill Burr on NIST's Cryptographic Standards Program. 
http://csrc.nist.gov/wireless/S04_NIST_crypto_program_final-bb.pdf It 
has a nice chart comparing the strengths of various crypto primitives 
based on their key length (page 7).  Anther slide (page 13) contains 
the following interesting statement:

"Proposed 80-bit crypto end of use date: 2015"

Based on the page 7 chart, this presumably includes SHA1, Skipjack, 
1024-bit RSA/DSA and 160-bit ECC.


Arnold Reinhold


At 12:34 PM -0400 4/14/04, Vin McLellan wrote:
>I missed that announcement too -- but Wikipedia, the web-based Free 
>Encyclopedia, caught it!  See Wikipedia on AES at: 
>http://en.wikipedia.org/wiki/AES
>
>The Wikipedia module on AES Security has a link to the same NSA fact 
>sheet Steve mentioned.
>
>I was surprised.  I thought, as in so many other things, the NSA was 
>going to say one thing and do another.
>
>Suerte,
>         _Vin
>
>At 4/14/2004, Steve Bellovin wrote:
>
>>I haven't seen this mentioned on the list, so I thought I'd toss it
>>out.  According to http://www.nstissc.gov/Assets/pdf/fact%20sheet.pdf ,
>>AES is acceptable for protecting Top Secret data.  Here's the crucial
>>sentence:
>>
>>    The design and strength of all key lengths of the AES algorithm
>>    (i.e., 128, 192 and 256) are sufficient to protect classified
>>    information up to the SECRET level. TOP SECRET information will
>>    require use of either the 192 or 256 key lengths.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list