A Survey of Encryption Standards

Numerous encryption standards dot the microcomputer landscape, seemingly covering every application. One nevertheless finds much common ground underlying the many standards. This survey discusses the standards and their algorithms, how they compare, how they differ, and where they’re headed.

Burt Kaliski
RSA Laboratories

Cryptography is the science, or some would say the art, of secret codes. In its broadest sense cryptography addresses a number of practical problems:

• confidentiality, keeping messages secret;
• origin authentication, verifying a message’s source;
• integrity, assuring that a message has not been modified; and
• key management, distributing the secret “keys” for cryptographic algorithms.

This survey focuses on encryption algorithms, the low-level, step-by-step transformations on messages that address these problems, as well as applications that involve encryption. It covers both approved standards and work in progress; the modifiers draft and proposed should help with the distinction.

Since descriptions here are at a summary level, readers seeking greater depth may refer to the standards documents or to encryption surveys such as those by Diffie,[1] Simmons,[2] which includes a reprint of Diffie’s article, and Fahn,[3] which is available from RSA Laboratories or via anonymous ftp to rsa.com. Patel gives an earlier survey on security standards for the Open Systems Interconnection (OSI) reference model.[4]

Much of the encryption standards work fits into one or more security “models.” The models do not specify algorithms; rather, they define services and give structures for encryption protocols. The OSI Security Architecture standard[5] is one helpful reference. Also on the road to international standardization is the Generic Upper Layers Security (GULS) standard.[6] GULS forms the basis for IEEE P802.10, a local-area network security project, and the draft ANSI X9.41,[7] a standards effort for electronic data interchange.

Many ways other than encryption exist to protect data, from access control to tamper-resistant coatings, but they are outside the scope of this article. Even in systems based on cryptography, other issues than just the codes come into play, such as random number sources and password selection guidelines. The US Department of Defense’s “Orange Book” is one of many helpful references for these topics.

Remember, draft standards and other works in progress are subject to change. Furthermore, with the large number of standards efforts, I may not have covered some relevant efforts. An effort’s absence from this article in no way minimizes its importance.

Algorithms
An encryption algorithm is a method of transforming a message to add some cryptographic protection, such as confidentiality or integrity. Most encryption algorithms involve one or more keys, which are cryptographic variables, often unique to one user, that control the algorithm and provide security against attackers.

74 IEEE Micro
0272-1732/93/1200-0074$03.00 © 1993 IEEE
EMCVMW 1014

Cryptographers often classify encryption algorithms according to the type of transformation and keys. Each class solves a different set of cryptographic problems. Some classes require that parties first agree on a secret key by secure means that are separate from the normal communication protocol; others do not have this limitation. I describe the algorithms standards according to one such classification: secret-key cryptosystems, public-key cryptosystems, digital signature schemes, key-agreement algorithms, cryptographic hash functions, and authentication codes. Table 1 summarizes the classes and their properties.

Table 1. Encryption algorithm classes and their properties.

Class                          C     OA         I     KM    Prior
Secret-key cryptosystems       Yes   No         No    Yes   Yes
Public-key cryptosystems       Yes   No         No    Yes   No
Digital signature schemes      No    Yes        Yes   No    No
Key-agreement algorithms       Yes   Optional   No    Yes   No
Cryptographic hash functions   No    No         Yes   No    No
Authentication codes           Yes   No         Yes   Yes   No

C indicates confidentiality; OA, origin authentication; I, integrity; KM, key management.
Prior requires that parties first agree on a secret key.

Secret-key cryptosystems. These algorithms encrypt and decrypt messages with a key in such a way that it is difficult to decrypt without the key. Because the encryption and decryption keys in a secret-key cryptosystem are the same, such systems are often called symmetric in the literature.

Most secret-key cryptosystems operate on messages one block at a time; a block may be 64 bits long, and the keys are usually short, say, 56 bits long. Ideally, an attacker’s only approach is trial and error, which amounts, for example, to 2°trials for 56-bit keys. Secret-key algorithms are generally quite fast.

Secret-key cryptosystems provide confidentiality and key management to parties who have previously agreed on a secret key. The Data Encryption Standard (DES)[9] is the primary standard. Published in 1977 and recently affirmed for a fourth five-year period, DES defines the Data Encryption Algorithm (DEA). It also specifies how to implement DEA: in hardware. Technically, software implementations of DEA, which abound, do not comply. ANSI standard X3.92[10] and Australian Standard AS2805.5[11] specify DEA.

Despite much controversy about the nature of DEA—the government never revealed its design criteria—the algorithm seems to be quite secure, as far as 56-bit algorithms go. It resists powerful attacks that have broken other systems.[12,13]

Along with DES come some standard modes of operation, including electronic codebook, cipher block chaining, cipher feedback, and output feedback.[14] These modes apply to any block cipher, not just DEA. ANSI X9.17[15] introduces the encrypt-decrypt-encrypt (EDE) mode of encryption involving two DEA keys.

Two password-based encryption algorithms defined in the intervendor public-key cryptography standard (PKCS) #5[16] are also based on DEA.

A potential new standard secret-key cryptosystem is Skipjack, a classified part of the proposed escrowed encryption standard.[17] A panel of cryptography experts recently certified Skipjack, with 80-bit keys, as appearing secure,[18] but its details remain unpublished.

Secret-key cryptosystems are rarely standardized; some standards bodies explicitly omit them from their scope. One of the few other candidates is RC4, a fast secret-key cryptosystem with variable-length keys.[19] RC4 is adopted in the cellular digital packet data (CDPD) specifications.[20]

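The EDE mode mentioned above, as an added example that is not code from the article or from ANSI X9.17: it composes encrypt-decrypt-encrypt over two keys around any block cipher passed in. The 64-bit Feistel cipher is a hypothetical stand-in for DEA (Python's standard library has no DES), and all names and sample keys are illustrative assumptions.

```python
import hashlib

BLOCK_BYTES = 8   # 64-bit block, the block size the article gives as typical
ROUNDS = 16


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    """Toy round function (an assumption, NOT DEA): 32 bits of SHA-256."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _feistel(key: bytes, block: bytes, schedule) -> bytes:
    if len(block) != BLOCK_BYTES:
        raise ValueError("block must be exactly 8 bytes")
    left, right = block[:4], block[4:]
    for rnd in schedule:
        mixed = bytes(a ^ b for a, b in zip(left, _round_fn(key, rnd, right)))
        left, right = right, mixed
    return right + left   # final swap, so decryption is the same loop reversed


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(ROUNDS))


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(ROUNDS)))


def ede_encrypt(k1, k2, block, enc=toy_encrypt, dec=toy_decrypt):
    """Encrypt under k1, decrypt under k2, encrypt under k1: three operations."""
    return enc(k1, dec(k2, enc(k1, block)))


def ede_decrypt(k1, k2, block, enc=toy_encrypt, dec=toy_decrypt):
    """Exact inverse of ede_encrypt: undo each step in reverse order."""
    return dec(k1, enc(k2, dec(k1, block)))


def demo():
    k1, k2 = b"first-key", b"second-key"   # constructed sample keys
    plaintext = b"8 bytes!"                 # constructed one-block message
    ciphertext = ede_encrypt(k1, k2, plaintext)
    return {
        "round_trip": ede_decrypt(k1, k2, ciphertext) == plaintext,
        # With k1 == k2 the middle decrypt cancels the first encrypt, so an
        # EDE implementation degrades to ordinary single encryption.
        "single_key_compatible":
            ede_encrypt(k1, k1, plaintext) == toy_encrypt(k1, plaintext),
        "second_key_matters": ciphertext != toy_encrypt(k1, plaintext),
    }


if __name__ == "__main__":
    print(demo())
```

Because `enc` and `dec` are parameters, the same two functions wrap any block cipher with matching encrypt and decrypt operations.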
Public-key cryptosystems. These algorithms encrypt and decrypt messages with two different keys in such a way that it is difficult to decrypt without the decryption key. The encryption key can be published without compromising security, and is called the public key for this reason; the decryption key is called the private key. Because the encryption and decryption keys in a public-key cryptosystem differ, such systems are often called asymmetric in the literature. The idea comes from Diffie and Hellman.[21]

Public-key cryptosystems provide confidentiality and key management. They can be as secure or more secure than secret-key cryptosystems, but they are generally slower. Their main advantage is that, since the encryption key can be published, parties need not first agree on a secret key. They are often combined with secret-key cryptosystems to gain the benefits of both: speed without prior secrets.

Although there is no primary standard public-key cryptosystem, many consider a cryptosystem invented by Rivest, Shamir, and Adleman (RSA) in 1977 a de facto standard. Public-key cryptosystems, like secret-key cryptosystems, are rarely standardized; when they are standardized, key management is a more likely purpose than confidentiality.

Efforts toward RSA standardization include the intervendor PKCS #1,[23] which gives block formats for RSA operations, and the draft ANSI X9.31 part 4,[24] which is currently based on PKCS #1. PKCS #1’s block formats have been adopted by Internet privacy-enhanced mail[25] and, among other algorithms, are cited in the OIW implementors’ agreements.[26] (As this article was going to press, I received a copy of Australian Standard AS2805.5.3, which specifies RSA.[27])

December 1993 75

Digital signature schemes. These schemes “sign” messages and verify the resulting signature with two different keys in such a way that it is difficult to sign without the signing key. Similar to public-key cryptosystems, the verification key can be published without compromising security, and is called the public key; the signing key is called the private key.

Digital signature schemes provide integrity and origin authentication. Like public-key cryptosystems, they do not require that parties first agree on a secret key, and they are generally somewhat slower than, for instance, secret-key cryptosystems and cryptographic hash functions. They are often combined with hash functions to gain the benefits of both.

Public-key cryptosystems and digital signature schemes are closely related. In so-called reversible cryptography, signing in a digital signature scheme is the same as decryption in a public-key cryptosystem, while verification is the same as encryption. In irreversible cryptography, the relationships do not hold, although a given public/private-key pair may work in both a digital signature scheme and a public-key cryptosystem.

There is no primary standard digital signature scheme, but two main efforts are in progress. One involves RSA, which is reversible, and the other involves an irreversible algorithm proposed by the US National Institute of Standards and Technology (NIST).

ISO/IEC 9796[28] almost creates a standard for RSA, but not quite. It defines a signature block format; RSA is in an informative (but nonstandard) annex. The block format prevents certain mathematical relationships among possible RSA signatures.[29] The draft ANSI X9.31 part 1,[30] which is expected to become a standard late this year, is based on ISO/IEC 9796 and specifies RSA. The intervendor PKCS #1[23] gives alternate block formats for RSA signatures. ISO/IEC’s joint working group SC27/WG2 is developing other digital signature standards.

NIST’s proposed Digital Signature Standard (DSS),[31] which defines the Digital Signature Algorithm (DSA), has been the center of recent controversy.[32] DSA, an irreversible algorithm, is a variant of signature schemes due to Elgamal[33] and Schnorr. It is intended to be combined with the Secure Hash Algorithm (SHA). Mainly due to objections from industry, DSS has not yet been approved. The draft ANSI X9.30 part 1 specifies DSA.

Key-agreement algorithms. These algorithms manage keys through an exchange of messages derived from private values that are not shared. The result of the exchange is that parties agree on a secret key. It is difficult to determine the secret key from the exchanged messages without the private values from which they are derived. Key-agreement algorithms are sometimes called key exchange algorithms in the literature.

Key-agreement algorithms provide confidentiality and key management, and in some cases origin authentication. They do not require that parties first agree on a secret key. As with public-key cryptosystems, no primary standard key-agreement algorithm exists. Many consider an algorithm invented by Diffie and Hellman,[21] usually called Diffie-Hellman, the de facto standard here.

Efforts toward Diffie-Hellman standardization include the intervendor PKCS #3 and the draft ANSI X9.30 part 4, which is based on a variant of Diffie-Hellman having origin authentication. The cellular digital packet data (CDPD) specifications[20] adopt Diffie-Hellman key agreement. ISO/IEC’s joint working group SC6 is developing standards for key agreement in the network and transport layers of the OSI reference model, with Diffie-Hellman as a possible algorithm.

Cryptographic hash functions. These functions reduce a message of arbitrary length to a short code so that it is difficult to find a message with a given hash code, and in some cases also to find two messages with the same hash code. There is no key. Hash functions are also called message digests and modification detection codes in the literature.

A hash code is typically 128 or 160 bits long. Ideally, an attacker’s only approach is trial and error, which amounts to 2"trials to find a message with a given hash code (for a 128-bit hash), and 2°trials to find two messages with the same hash code. (This is akin to the “birthday paradox”: You need 365 people in a room to be likely to find one with a given birthday, but only 23 to be likely to find two with the same birthday.) Hash functions are generally quite fast. They provide message integrity to parties knowing a message’s hash code. They are often combined with digital signature schemes, as noted earlier.

The Secure Hash Standard (SHS), which defines SHA, is the primary standard. SHA produces a 160-bit hash from a message of arbitrary length; it is intended to be combined with DSA. ANSI X9.30 part 2 specifies SHA.

Other hash algorithms suitable for standardization include MD2 and MD5, developed by Ron Rivest for RSA Data Security and adopted by Internet privacy-enhanced mail,[25] and MDC-2, which is specified in draft ANSI X9.31 part 2. SC27/WG2 is also developing standards for hash functions.

Authentication codes. These codes reduce a message of arbitrary length to a short code under a secret key so that it is difficult, without the key, to compute the authentication code, or to find a new message with a given authentication code. Authentication codes provide message integrity and origin authentication to parties who have previously agreed on a secret key. The message itself need not be encrypted.

An authentication code is typically 32 or 64 bits long, and the keys are 56 bits long. Ideally, an attacker’s only approach is trial and error on the keys; arbitrary message modifications have some probability of success, but the attacker cannot check for success without the help of the real user. Authentication codes, like hash functions, are generally quite fast.

The primary standard is FIPS PUB 113, which defines the Data Authentication Algorithm. The algorithm is a variant of DEA; it produces a 32-bit authentication code from a message of arbitrary length and a 56-bit key. ANSI X9.9 and Australian standard AS2805.4 specify DAA.

Encryption standards

The acronyms for encryption standards and the groups developing them are considered by some as a form of encryption in its own right. Following is an abridged “key” to the various acronyms and their meanings, as well as to several standards organizations.

Glossary

ASC X9: Accredited Standards Committee X9 (Financial Services), a body that develops standards for the banking industry; accredited by ANSI
ANSI: American National Standards Institute, an organization that accredits standards bodies
CCITT: Comité Consultatif International de Télégraphique et Téléphonique (International Telegraph and Telephone Consultative Committee), an international standards body
CFONB: Comité Français d’Organisation et de Normalisation Bancaire, a French banking standards body
DAA: Data Authentication Algorithm, a NIST standard authentication code defined in FIPS PUB 113
DEA: Data Encryption Algorithm, the secret-key cryptosystem specified by DES
DES: Data Encryption Standard, a NIST standard defined in FIPS PUB 46-1 that specifies DEA
Diffie-Hellman: A key-agreement algorithm invented by Whitfield Diffie and Martin Hellman
DSA: Digital Signature Algorithm, the digital signature scheme specified by DSS
DSS: Digital Signature Standard, a proposed NIST standard that specifies DSA
EDE: Encrypt-decrypt-encrypt, a mode of DEA involving two keys and three DEA operations that is defined in ANSI X9.17
EES: Escrowed Encryption Standard, a proposed NIST standard that specifies Skipjack
FIPS PUB: Federal Information Processing Standard publication, one of a series of standards published by NIST
GULS: Generic Upper Layers Security, an OSI security architecture effort
IEC: International Electrotechnical Commission, an international standards body
IEEE: Institute of Electrical and Electronics Engineers, an organization that develops transnational standards, that is, the standards are the consensus of individuals rather than national representatives
Internet: A transnational body that develops standards for computer networking and publishes RFCs; also, the network of computers that implements those standards
ISO: International Standards Organization, an international standards body
MD2: Message Digest Algorithm 2, a hash function developed by Ron Rivest that is defined in Internet RFC 1319
MD5: Message Digest Algorithm 5, another hash function developed by Ron Rivest and defined in Internet RFC 1321
MDC-2: Manipulation Detection Code 2, the hash function specified in draft ANSI X9.31 part 2
NBS: National Bureau of Standards; see NIST
NIST: National Institute of Standards and Technology (formerly NBS), a US government agency that develops standards and publishes FIPS PUBs
OIW: Open Systems Environment (formerly OSI) Implementors’ Workshop, a group of developers that agrees on implementation issues such as algorithms
OSI: Open Systems Interconnection, a standard networking model
PEM: Privacy-enhanced mail, a proposed Internet standard for encrypting and authenticating electronic mail; defined in Internet RFCs 1421-1424
PKCS: Public-key cryptography standards, informal standards developed by RSA Laboratories with representatives of Apple, Digital, Lotus, Microsoft, MIT, Northern Telecom, Novell, and Sun; available from RSA Laboratories or via electronic mail to pkcs@rsa.com
RC4: Rivest Cipher 4, a fast secret-key cryptosystem developed by Ron Rivest and proprietary to RSA Data Security
RFC: “Request for Comments,” an Internet publication
RSA: Rivest-Shamir-Adleman algorithm, a public-key cryptosystem and digital signature scheme invented by Ron Rivest, Adi Shamir, and Len Adleman
SC6: Subcommittee 6 (Telecommunications and Information Exchange Between Systems), a joint subcommittee of ISO/IEC
SC27/WG2: Subcommittee 27 (Information Technology), Working Group 2 (Security Techniques), a joint working group of ISO/IEC
SHA: Secure Hash Algorithm, the hash function specified by SHS
SHS: Secure Hash Standard, a NIST standard defined in FIPS PUB 180 that specifies SHA
SILS: Secure Interoperable Local Area Network Security, an IEEE project; also called P802.10
Skipjack: The classified secret-key cryptosystem specified by EES
SNMP: Simple Network Management Protocol, an Internet standard defined in Internet RFC 1157
Standards Australia: An Australian standards body
X9: See ASC X9

Applications
The applications standards described next combine families of algorithms, and sometimes specify particular algorithms, to solve confidentiality, integrity, origin authentication, and key management problems. Although many of the standards specify much more than just cryptography, encryption plays an important role.

Ideally, an algorithm should work in many applications, and many algorithms should work in a given application. The design of applications and algorithms is in this sense “orthogonal,” and the designers have generally done a good job at providing orthogonality.

Do not confuse these applications with the applications layer of the OSI reference model; some may well run at that layer, and others at lower layers.

Secure electronic mail. Six years in development and now a proposed standard, Internet privacy-enhanced mail (PEM) combines secret-key cryptosystems, public-key cryptosystems, hash functions, and digital signature schemes to provide security for electronic mail. It is a text-based protocol compatible with most electronic-mail systems. PEM supports public-key and secret-key techniques; the former involves X.509 certificates. Currently, PEM has adopted RSA, DEA, MD2, and MD5 algorithms,[25] but the protocols are flexible and other suites of algorithms are likely to be added.

Mail is not the only application of PEM, of course, although it is a primary one. The same protocol that adds encryption or authentication to a mail message can enhance any digital document, such as a contract; the document need not be mailed to someone.

The intervendor PKCS #7 is a binary extension of PEM; it offers the same services, but works with binary data and allows one to sign attributes such as the time of day along with the underlying message. Certain modes of PKCS #7 are cryptographically compatible with PEM, in the sense that messages can be translated between the two protocols without any cryptographic operations. PKCS #7 does not specify a particular algorithm.

Another approach to electronic-mail security is found in X.400 message-handling systems, which solve the basic problems of confidentiality, authentication, and key management. X.400 also provides special encryption-based services such as proof of submission and proof of delivery. (X.411 supplies the details.) X.400, like most international standards, does not specify particular algorithms. It supports both public-key and secret-key techniques. ISO 10021-1 is technically aligned with X.400.

X.435, a standard for electronic data interchange over X.400, builds on X.411’s services, defining related services such as signed receipts.

Secure communications. These standards focus on the security of local-area networks and wireless links. IEEE’s P802.10 project, Secure Interoperable LAN (local area network) Security (SILS), addresses privacy and authentication of data at the data link layer. Devices following the protocol encrypt data link frames as they pass through the network; the protocol is transparent to higher layers. A proposed draft specifies Diffie-Hellman key agreement. The CDPD specifications[20] define an encryption protocol for wireless links based on Diffie-Hellman key agreement and RC4.

IEEE project P802.11, focusing on wireless links, has just started.

Directory authentication and network management. X.509 directory authentication applies public-key and secret-key techniques to the problem of determining the identity of a user attempting to access an X.500 global directory. “Weak” authentication identifies a user by a password, while “strong” authentication involves digital signatures. The authentication protocols can also ensure that messages to and from the directory are not modified in transit.

X.509 standardizes on no particular algorithm, although RSA is in an informative annex. Two additional contributions of X.509 are certificates, which bind a public key to a user’s name with a digital signature, and certificate-revocation lists, which break the binding. These elements have found their way into other applications such as privacy-enhanced mail and the X9.30 and X9.31 drafts. Although directories are just emerging, users’ names in the related applications are designed in anticipation of a future directory entry. ISO 9594-8 is technically aligned with X.509.

In a proposed security standard for the Internet’s Simple Network Management Protocol (SNMP), parties identify each other with a secret shared key. Network management requests are hashed together with the secret key under MD5 to produce an authentication code. Encryption with DEA is also an option.

SC27/WG2 is developing authentication protocols involving public-key and secret-key techniques.

Banking. The primary key management standard for the banking industry is ANSI X9.17. It is based entirely on DEA and related algorithms, including the EDE mode of DEA. To date, X9’s standards have all involved secret-key techniques; work on public-key techniques is in progress in X9.30 and X9.31. Other banking standards efforts include

• draft Australian standard AS2805.6.5.3, which specifies RSA;
• CFONB ETEBAC-5, a French banking standard that specifies RSA and DEA; and
• ISO CD 11666, a draft standard for banking key management that specifies RSA. Whether it will be approved is unclear, as its architectural features have been criticized.

Escrowed encryption. A likely candidate to surpass even the DSS controversy is the proposed Escrowed Encryption Standard (EES),[17] part of the US government’s Capstone project for encryption standards. It implements an April 1993 presidential order that certain encryption devices provide entry points for legitimate law-enforcement wiretaps. The government’s Clipper chips are the first examples of such devices.

EES is based on the Skipjack algorithm and involves a classified law-enforcement access field (LEAF). Each hardware device complying with EES (software is not allowed) has a secret key; the key is split at the factory and “escrowed” with (that is, put into the custody of, as with money or deeds) two government agencies. Under court order, the agencies reconstruct the key. With the secret key and LEAF, authorized officials can decrypt messages encrypted by the device. Neither escrow agency can decrypt messages by itself.

What is controversial about EES appears not so much to be government wiretapping, which has always been controversial, but the issues of algorithm secrecy, hardware-only implementation, and potential security risks in the manufacturing and key escrow processes. The panel that reviewed the Skipjack algorithm is also evaluating the manufacturing and key escrow processes.
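A sketch of the two-agency key split described in the escrowed-encryption passage, added here as an example and not taken from the article or from EES. The article does not say how the device key is divided, so this assumes the simplest two-share scheme (XOR with a random pad) and contrasts it with a weak split into halves; the 80-bit length follows the Skipjack key size the article cites, and all function names are hypothetical.

```python
import secrets
from itertools import product

KEY_BYTES = 10  # 80 bits, the Skipjack key length the article cites


def split_xor(device_key: bytes):
    """Assumed scheme: share A is a random pad, share B is key XOR pad."""
    share_a = secrets.token_bytes(len(device_key))
    share_b = bytes(k ^ a for k, a in zip(device_key, share_a))
    return share_a, share_b


def join_xor(share_a: bytes, share_b: bytes) -> bytes:
    """Both custodians together recover the key; the order does not matter."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must have equal length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def split_halves(device_key: bytes):
    """Weak alternative for contrast: each custodian stores half the bytes."""
    mid = len(device_key) // 2
    return device_key[:mid], device_key[mid:]


def keys_possible_xor(share_a: bytes) -> set:
    """Keys a custodian holding only share_a cannot rule out.

    Tries every possible partner share; feasible only for toy key sizes.
    """
    n = len(share_a)
    return {join_xor(share_a, bytes(b)) for b in product(range(256), repeat=n)}


def keys_possible_halves(first_half: bytes, key_len: int) -> set:
    """Same question for the halves split: only the missing bytes are unknown."""
    missing = key_len - len(first_half)
    return {first_half + bytes(r) for r in product(range(256), repeat=missing)}


def demo():
    key = secrets.token_bytes(KEY_BYTES)
    share_a, share_b = split_xor(key)

    toy_key = b"\x5a\xc3"  # constructed 16-bit key so enumeration is quick
    toy_a, _ = split_xor(toy_key)
    toy_first, _ = split_halves(toy_key)
    return {
        "rebuilt": join_xor(share_a, share_b) == key,
        # XOR split: one share leaves every 16-bit key possible.
        "xor_candidates": len(keys_possible_xor(toy_a)),
        # Halves split: one share cuts the search to the other half only.
        "halves_candidates": len(keys_possible_halves(toy_first, len(toy_key))),
    }


if __name__ == "__main__":
    print(demo())
```

With the XOR split a single custodian learns nothing about the key, whereas the halves split would leave an 80-bit key with only 40 unknown bits.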
`
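Returning to the cryptographic hash functions paragraph in the Algorithms section, which contrasts finding a message with a given hash code against finding any two messages with the same hash code: the following added example (not from the article) runs both searches against SHA-256 truncated to 16 bits, a deliberately tiny hash chosen so that each search finishes quickly. For an n-bit hash the expected work is about 2^n trials for the first search and about 2^(n/2) for the second; the message strings are constructed.

```python
import hashlib
from itertools import count


def tiny_hash(msg: bytes, bits: int = 16) -> int:
    """Top `bits` bits of SHA-256, standing in for a very short hash code."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_preimage(target: int, bits: int = 16, limit: int = 1 << 24):
    """Trial and error for a message with a GIVEN hash code (~2**bits tries)."""
    for tries in range(1, limit + 1):
        msg = b"pre-%d" % tries
        if tiny_hash(msg, bits) == target:
            return msg, tries
    raise RuntimeError("no preimage found within the trial limit")


def find_collision(bits: int = 16):
    """Trial and error for ANY two messages that agree (~2**(bits/2) tries)."""
    seen = {}
    for tries in count(1):
        msg = b"col-%d" % tries
        code = tiny_hash(msg, bits)
        if code in seen:
            return seen[code], msg, tries
        seen[code] = msg


def birthday_probability(people: int, days: int = 365) -> float:
    """Chance that at least two of `people` share a birthday."""
    all_distinct = 1.0
    for i in range(people):
        all_distinct *= (days - i) / days
    return 1.0 - all_distinct


def demo():
    target = tiny_hash(b"signed contract")       # constructed message
    _, preimage_tries = find_preimage(target)
    first, second, collision_tries = find_collision()
    return {
        "preimage_tries": preimage_tries,         # on the order of 2**16
        "collision_tries": collision_tries,       # on the order of 2**8
        "collision_is_real": first != second
                             and tiny_hash(first) == tiny_hash(second),
        "p_shared_birthday_23": birthday_probability(23),
    }


if __name__ == "__main__":
    print(demo())
```

The same gap is why a hash that must resist collisions needs twice as many bits as one that only has to resist the given-hash-code search.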
CRYPTOGRAPHY IS FINDING BROAD APPLICATION in the computer world. There is much common ground in the underlying algorithms. Interestingly, solutions to the confidentiality problem—encryption in the pure sense—seem to be the hardest to standardize. Much more activity focuses on peripheral cryptographic problems such as authentication and key management, as well as algorithm-independent standards.

As evidenced by the parallel X9.30 and X9.31 efforts, the controversy over DSS has brought about parallel standards, one involving the reversible model (for example, RSA). Here, signing is the same as encryption, and verification is the same as decryption. The other standard involves the irreversible model (for example, DSA) without such relationships. Reversibility is considered by some to open the door to confidentiality of unlimited security, a problematic feature for law enforcement and national security concerns. Others see dual standardization to be problematic for industry concerns.

Since NIST may have reaffirmed DES for the last time, what comes next? The Internet’s PEM working group has been looking at new encryption algorithms, among them the so-called triple-DES with three DEA operations, of which X9.17’s EDE is one example. Whether the factor-of-three slowdown in performance is too much remains to be seen, but in light of the secrecy around the Skipjack algorithm and the few published alternatives, most likely triple-DES will become a standard encryption algorithm in some corner of the standards world. RC4 may play a role as well.

While all of this is sorting itself out, a new IEEE project, sponsored by the Computer Society’s Microprocessor and Microcomputer Standards Committee, aims to complete the family of public-key standards. These standards will be based on the RSA and Diffie-Hellman algorithms, covering key management, encryption, authentication, key generation, and hardware support. The IEEE authorized P1363, “RSA, Diffie-Hellman, and related public-key techniques” this June, and an initial meeting is being planned as of this writing.

Acknowledgments
I am grateful to Richard Ankney for sharing his standards expertise.

References
1. W. Diffie, “The First Ten Years of Public-Key Cryptography,” Proc. IEEE, 1988, pp. 560-577.
2. G.J. Simmons, ed., Contemporary Cryptology: The Science of Information Integrity, IEEE, New York, 1992.
3. P. Fahn, Answers to Frequently Asked Questions About Today’s Cryptography, Version 2.0, RSA Laboratories, Redwood City, Calif., Sept. 1993.
4. A. Patel, “Emerging Network Security Standards in an OSI Environment,” Computer Standards & Interfaces, 1989/1990, pp. 239-247.
5. Recommendation X.800: Security Architecture for Open Systems Interconnection for CCITT Applications, CCITT, Geneva, 1991.
6. ISO/IEC DIS 11586: Generic Upper Layers Security, ISO/IEC, Geneva, 1993.
7. Accredited Standards Committee X9, Working Draft: American National Standard X9.41-1993: Security Services Management for the Financial Services Industry, American Bankers Assoc., Washington, D.C., Aug. 1993.
8. DoD 5200.28-STD: Department of Defense (DoD) Trusted Computer System Evaluation Criteria (TCSEC), US Department of Defense, Washington, D.C., 1985.
9. FIPS Publication 46-1: Data Encryption Standard, NIST, Washington, D.C., Jan. 22, 1988; originally issued by the National Bureau of Standards.
10. Accredited Standards Committee X3, ANSI X3.92: Data Encryption Algorithm (DEA), ANSI, New York, 1981.
11. Australian Standard 2805.5 1985: Electronics Funds Transfer—Requirements for Interfaces: Part 5—Data Encryption Algorithm, Standards Assoc. of Australia, North Sydney, NSW, 1985.
12. E. Biham and A. Shamir, “Differential Cryptanalysis of the Full 16-Round DES,” Proc. Crypto 92, Advances in Cryptology, Springer-Verlag, New York, 1993, to appear.
13. D. Coppersmith, “The Data Encryption Standard (DES) and its Strength Against Attacks,” tech. report RC 18613 (81421), IBM Research Div., Yorktown Heights, N.Y., Dec. 1992.
14. FIPS Publication 81: DES Modes of Operation, NIST, Dec. 2, 1980.
15. Accredited Standards Committee X9, American National Standard X9.17: Financial Institution Key Management (Wholesale), ANSI, 1985.
16. PKCS #5: Password-Based Encryption Standard, Version 1.4, RSA Data Security, Inc., Redwood City, Calif., June 1991.
17. NIST, “A Proposed Federal Information Processing Standard for an Escrowed Encryption Standard (EES),” Federal Register, Vol. 58, No. 145, July 30, 1993.
18. E.F. Brickell et al., “Skipjack Review, Interim Report: The Skipjack Algorithm,” July 28, 1993; contact author for copies.
19. R.L. Rivest, The RC4 Encryption Algorithm, RSA Data Security, Inc., Mar. 12, 1992.
20. Ameritech Mobile Communications et al., Cellular Digital Packet Data System Specifications: Part 406: Airlink Security, CDPD Industry Input Coordinator, Costa Mesa, Calif., July 1993.
21. W. Diffie and M.E. Hellman, “New Directions in Cryptography,” IEEE Trans. Information Theory, Vol. IT-22, 1976, pp. 644-654.
22. R.L. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Comm. ACM, Vol. 21, No. 2, Feb. 1978, pp. 120-126.
23. PKCS #1: RSA Encryption Standard, Version 1.4, RSA Data Security, Inc., June 1991.
24. Accredited Standards Committee X9, Working Draft: American National Standard X9.31-1993: Public Key Cryptography Using Reversible Algorithms for the Financial Services Industry: Part 4: Management of Symmetric Algorithm Keys Using RSA, Am. Bankers Assoc., June 4, 1993.
25. D. Balenson, RFC 1423: Privacy Enhancement for Internet Electronic Mail: Part III—Algorithms, Modes, and Identifiers, Trusted Information Systems, Inc., Glenwood, Md., Feb. 1993.
26. Special Publication 500-183: Stable Implementation Agreements for Open Systems Interconnection Protocols: Part 72—OS Security, NIST, June 1992.
27. Australian Standard 2805.5.3—Electronic Data Transfer—Requirements for Interfaces: Part 5.3: Data Encipherment Algorithm 2, Standards Assoc. of Australia, 1992.
28. International Standard 9796: Information Technology, Security Techniques: Digital Signature Scheme Giving Message Recovery, ISO/IEC, 1991.
29. L.C. Guillou et al., “Precautions Taken Against Various Potential Attacks in ISO/IEC DIS 9796,” Proc. Eurocrypt 90, Advances in Cryptology, I.B. Damgard, ed., Springer-Verlag, 1991, pp. 465-473.
30. Accredited Standards Committee X9, Working Draft: American National Standard X9.31-1992: Public Key Cryptography Using Reversible Algorithms for the Financial Services Industry: Part 1: The RSA Signature Algorithm, Am. Bankers Assoc., Mar. 7, 1993.
31. Publication XX: Announcement and Specifications for a Digital Signature Standard (DSS), NIST, Aug. 19, 1992.
32. NIST, “The Digital Signature Standard, Proposal and Discussion,” Comm. ACM, Vol. 35, No. 7, July 1992, pp. 36-54.
33. T. Elgamal, “A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms,” IEEE Trans. Information Theory, Vol. IT-31, 1985, pp.