One slide reads:
"SECRET and TOP SECRET data must be approved with a Type I algorithm
- BATON
- AES (sufficient key length)
- SKIPJACK"
(I believe the BATON algorithm itself is still classified.)
This is a major milestone in cryptography. I believe it is the first time in modern history that the public knowingly has access to a cipher that the U.S. Government currently considers strong enough for Top Secret information.
Note that the CNSS fact sheet goes on to say:
"The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use."
Another interesting presentation at the same NIST workshop was by Bill Burr on NIST's Cryptographic Standards Program. http://csrc.nist.gov/wireless/S04_NIST_crypto_program_final-bb.pdf It has a nice chart comparing the strengths of various crypto primitives based on their key length (page 7). Another slide (page 13) contains the following interesting statement:
"Proposed 80-bit crypto end of use date: 2015"
Based on the page 7 chart, this presumably includes SHA1, Skipjack, 1024-bit RSA/DSA and 160-bit ECC.
Arnold Reinhold
At 12:34 PM -0400 4/14/04, Vin McLellan wrote:
I missed that announcement too -- but Wikipedia, the web-based Free Encyclopedia, caught it! See Wikipedia on AES at: http://en.wikipedia.org/wiki/AES
The Wikipedia module on AES Security has a link to the same NSA fact sheet Steve mentioned.
I was surprised. I thought, as in so many other things, the NSA was going to say one thing and do another.
Suerte, _Vin
At 4/14/2004, Steve Bellovin wrote:
I haven't seen this mentioned on the list, so I thought I'd toss it out. According to http://www.nstissc.gov/Assets/pdf/fact%20sheet.pdf , AES is acceptable for protecting Top Secret data. Here's the crucial sentence:
The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths.
--------------------------------------------------------------------- The Cryptography Mailing List
