`
`A Survey of Encryption Standards
`
`Burt Kaliski
`
`RSA Laboratories
`
`
`
Numerous encryption standards dot the microcomputer landscape, seemingly covering every application. One nevertheless finds much common ground underlying the many standards. This survey discusses the standards and their algorithms, how they compare, how they differ, and where they're headed.
`
Cryptography is the science, or some would say the art, of secret codes. In its broadest sense cryptography addresses a number of practical problems:

• confidentiality, keeping messages secret;
• origin authentication, verifying a message's source;
• integrity, assuring that a message has not been modified; and
• key management, distributing the secret "keys" for cryptographic algorithms.
`
This survey focuses on encryption algorithms, the low-level, step-by-step transformations on messages that address these problems, as well as applications that involve encryption. It covers both approved standards and work in progress; the modifiers draft and proposed should help with the distinction.

Since descriptions here are at a summary level, readers seeking greater depth may refer to the standards documents or to encryption surveys such as those by Diffie,1 Simmons,2 which includes a reprint of Diffie's article, and Fahn,3 which is available from RSA Laboratories or via anonymous ftp to rsa.com. Patel gives an earlier survey on security standards for the Open Systems Interconnection (OSI) reference model.4

Much of the encryption standards work fits into one or more security "models." The models do not specify algorithms; rather, they define services and give structures for encryption protocols. The OSI Security Architecture standard5 is one helpful reference. Also on the road to international standardization is the Generic Upper Layers Security (GULS) standard.6 GULS forms the basis for IEEE P802.10, a local-area network security project, and the draft ANSI X9.41,7 a standards effort for electronic data interchange.

Many ways other than encryption exist to protect data, from access control to tamper-resistant coatings, but they are outside the scope of this article. Even in systems based on cryptography, other issues than just the codes come into play, such as random number sources and password selection guidelines. The US Department of Defense's "Orange Book" is one of many helpful references for these topics.8

Remember, draft standards and other works in progress are subject to change. Furthermore, with the large number of standards efforts, I may not have covered some relevant efforts. An effort's absence from this article in no way minimizes its importance.
`
Algorithms

An encryption algorithm is a method of transforming a message to add some cryptographic protection, such as confidentiality or integrity. Most encryption algorithms involve one or more keys, which are cryptographic variables, often unique to one user, that control the algorithm and provide security against attackers.

Cryptographers often classify encryption algorithms according to the type of transformation and keys. Each class solves a different set of cryptographic problems. Some classes require that parties first agree on a secret key by secure means that are separate from the normal communication protocol; others do not have this limitation. I describe the algorithms standards according to one such classification: secret-key cryptosystems, public-key cryptosystems, digital signature schemes, key-agreement algorithms, cryptographic hash functions, and authentication codes. Table 1 summarizes the classes and their properties.

Table 1. Encryption algorithm classes and their properties.

Class                          C     OA        I     KM    Prior
Secret-key cryptosystems       Yes   No        No    Yes   Yes
Public-key cryptosystems       Yes   No        No    Yes   No
Digital signature schemes      No    Yes       Yes   No    No
Key-agreement algorithms       Yes   Optional  No    Yes   No
Cryptographic hash functions   No    No        Yes   No    No
Authentication codes           No    Yes       Yes   No    Yes

C indicates confidentiality; OA, origin authentication; I, integrity; KM, key management. Prior requires that parties first agree on a secret key.

Secret-key cryptosystem. These algorithms encrypt and decrypt messages with a key in such a way that it is difficult to decrypt without the key. Because the encryption and decryption keys in a secret-key cryptosystem are the same, such systems are often called symmetric in the literature.

Most secret-key cryptosystems operate on messages one block at a time; a block may be 64 bits long, and the keys are usually short, say, 56 bits long. Ideally, an attacker's only approach is trial and error, which amounts, for example, to 2^56 trials for 56-bit keys. Secret-key algorithms are generally quite fast.

Secret-key cryptosystems provide confidentiality and key management to parties who have previously agreed on a secret key. The Data Encryption Standard (DES)9 is the primary standard. Published in 1977 and recently affirmed for a fourth five-year period, DES defines the Data Encryption Algorithm (DEA). It also specifies how to implement DEA: in hardware. Technically, software implementations of DEA, which abound, do not comply. ANSI standard X3.9210 and Australian Standard AS2805.511 specify DEA.

Despite much controversy about the nature of DEA (the government never revealed its design criteria), the algorithm seems to be quite secure, as far as 56-bit algorithms go. It resists powerful attacks that have broken other systems.12,13

Along with DES come some standard modes of operation, including electronic codebook, cipher block chaining, cipher feedback, and output feedback.14 These modes apply to any block cipher, not just DEA. ANSI X9.1715 introduces the encrypt-decrypt-encrypt (EDE) mode of encryption involving two DEA keys.

Two password-based encryption algorithms defined in the intervendor public-key cryptography standard (PKCS) #516 are also based on DEA.

A potential new standard secret-key cryptosystem is Skipjack, a classified part of the proposed escrowed encryption standard.17 A panel of cryptography experts recently certified Skipjack, with 80-bit keys, as appearing secure,18 but its details remain unpublished.

Secret-key cryptosystems are rarely standardized; some standards bodies explicitly omit them from their scope. One of the few other candidates is RC4, a fast secret-key cryptosystem with variable-length keys.19 RC4 is adopted in the cellular digital packet data (CDPD) specifications.20

74 IEEE Micro

0272-1732/93/1200-0074$03.00 © 1993 IEEE
December 1993 75

Glossary

The acronyms for encryption standards and the groups developing them are considered by some as a form of encryption in its own right. Following is an abridged "key" to the various acronyms and their meanings, as well as to several standards organizations.

ANSI: American National Standards Institute, an organization that accredits standards bodies
ASC X9: Accredited Standards Committee X9 (Financial Services), a body that develops standards for the banking industry; accredited by ANSI
CCITT: Comité Consultatif International Télégraphique et Téléphonique (International Telegraph and Telephone Consultative Committee), an international standards body
CFONB: Comité Français d'Organisation et de Normalisation Bancaire, a French banking standards body
DAA: Data Authentication Algorithm, a NIST standard authentication code defined in FIPS PUB 113
DEA: Data Encryption Algorithm, the secret-key cryptosystem specified by DES
DES: Data Encryption Standard, a NIST standard defined in FIPS PUB 46-1 that specifies DEA
Diffie-Hellman: A key-agreement algorithm invented by Whitfield Diffie and Martin Hellman
DSA: Digital Signature Algorithm, the digital signature scheme specified by DSS
DSS: Digital Signature Standard, a proposed NIST standard that specifies DSA
EDE: Encrypt-decrypt-encrypt, a mode of DEA involving two keys and three DEA operations that is defined in ANSI X9.17
EES: Escrowed Encryption Standard, a proposed NIST standard that specifies Skipjack
FIPS PUB: Federal Information Processing Standard publication, one of a series of standards published by NIST
GULS: Generic Upper Layers Security, an OSI security architecture effort
IEC: International Electrotechnical Commission, an international standards body
IEEE: Institute of Electrical and Electronics Engineers, an organization that develops transnational standards; that is, the standards are the consensus of individuals rather than national representatives
Internet: A transnational body that develops standards for computer networking and publishes RFCs; also, the network of computers that implements those standards
ISO: International Standards Organization, an international standards body
MD2: Message Digest Algorithm 2, a hash function developed by Ron Rivest that is defined in Internet RFC 1319
MD5: Message Digest Algorithm 5, another hash function developed by Ron Rivest and defined in Internet RFC 1321
MDC-2: Manipulation Detection Code 2, the hash function specified in draft ANSI X9.31 part 2
NBS: National Bureau of Standards; see NIST
NIST: National Institute of Standards and Technology (formerly NBS), a US government agency that develops standards and publishes FIPS PUBs
OIW: Open Systems Environment (formerly OSI) Implementors' Workshop, a group of developers that agrees on implementation issues such as algorithms
OSI: Open Systems Interconnection, a standard networking model
PEM: Privacy-enhanced mail, a proposed Internet standard for encrypting and authenticating electronic mail; defined in Internet RFCs 1421-1424
PKCS: Public-key cryptography standards, informal standards developed by RSA Laboratories with representatives of Apple, Digital, Lotus, Microsoft, MIT, Northern Telecom, Novell, and Sun; available from RSA Laboratories or via electronic mail to pkcs@rsa.com
RC4: Rivest Cipher 4, a fast secret-key cryptosystem developed by Ron Rivest and proprietary to RSA Data Security
RFC: "Request for Comments," an Internet publication
RSA: Rivest-Shamir-Adleman algorithm, a public-key cryptosystem and digital signature scheme invented by Ron Rivest, Adi Shamir, and Len Adleman
SC6: Subcommittee 6 (Telecommunications and Information Exchange Between Systems), a joint subcommittee of ISO/IEC
SC27/WG2: Subcommittee 27 (Information Technology), Working Group 2 (Security Techniques), a joint working group of ISO/IEC
SHA: Secure Hash Algorithm, the hash function specified by SHS
SHS: Secure Hash Standard, a NIST standard defined in FIPS PUB 180 that specifies SHA
SILS: Secure Interoperable Local Area Network Security, an IEEE project; also called P802.10
Skipjack: The classified secret-key cryptosystem specified by EES
SNMP: Simple Network Management Protocol, an Internet standard defined in Internet RFC 1157
Standards Australia: An Australian standards body
X9: See ASC X9

Public-key cryptosystem. These algorithms encrypt and decrypt messages with two different keys in such a way that it is difficult to decrypt without the decryption key. The encryption key can be published without compromising security, and is called the public key for this reason; the decryption key is called the private key. Because the encryption and decryption keys in a public-key cryptosystem differ, such systems are often called asymmetric in the literature. The idea comes from Diffie and Hellman.21

Public-key cryptosystems provide confidentiality and key management. They can be as secure or more secure than secret-key cryptosystems, but they are generally slower. Their main advantage is that, since the encryption key can be published, parties need not first agree on a secret key. They are often combined with secret-key cryptosystems to gain the benefits of both: speed without prior secrets.

Although there is no primary standard public-key cryptosystem, many consider a cryptosystem invented by Rivest, Shamir, and Adleman (RSA)22 in 1977 a de facto standard. Public-key cryptosystems, like secret-key cryptosystems, are rarely standardized; when they are standardized, key management is a more likely purpose than confidentiality. Efforts toward RSA standardization include the intervendor PKCS #1,23 which gives block formats for RSA operations, and the draft ANSI X9.31 part 4,24 which is currently based on PKCS #1. PKCS #1's block formats have been adopted by Internet privacy-enhanced mail25 and, among other algorithms, are cited in the OIW implementors' agreements.26 (As this article was going to press, I received a copy of Australian Standard AS2805.5.3, which specifies RSA.27)

Digital signature schemes. These schemes "sign" messages and verify the resulting signature with two different keys in such a way that it is difficult to sign without the signing key. Similar to public-key cryptosystems, the verification key can be published without compromising security, and is called the public key; the signing key is called the private key.

Digital signature schemes provide integrity and origin authentication. Like public-key cryptosystems, they do not require that parties first agree on a secret key, and they are generally somewhat slower than, for instance, secret-key cryptosystems and cryptographic hash functions. They are often combined with hash functions to gain the benefits of both.

Public-key cryptosystems and digital signature schemes are closely related. In so-called reversible cryptography, signing in a digital signature scheme is the same as decryption in a public-key cryptosystem, while verification is the same as encryption. In irreversible cryptography, the relationships do not hold, although a given public/private-key pair may work in both a digital signature scheme and a public-key cryptosystem.
There is no primary standard digital signature scheme, but two main efforts are in progress. One involves RSA, which is reversible, and the other involves an irreversible algorithm proposed by the US National Institute of Standards and Technology (NIST).

ISO/IEC 979628 almost creates a standard for RSA, but not quite. It defines a signature block format; RSA is in an informative (but nonstandard) annex. The block format prevents certain mathematical relationships among possible RSA signatures.29 The draft ANSI X9.31 part 1,30 which is expected to become a standard late this year, is based on ISO/IEC 9796 and specifies RSA. The intervendor PKCS #123 gives alternate block formats for RSA signatures. ISO/IEC's joint working group SC27/WG2 is developing other digital signature standards.

NIST's proposed Digital Signature Standard (DSS),31 which defines the Digital Signature Algorithm (DSA), has been the center of recent controversy.32 DSA, an irreversible algorithm, is a variant of signature schemes due to Elgamal33 and Schnorr.34 It is intended to be combined with the Secure Hash Algorithm (SHA).35 Mainly due to objections from industry, DSS has not yet been approved. The draft ANSI X9.30 part 136 specifies DSA.
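To make the reversible relationship between public-key cryptosystems and digital signature schemes concrete, here is a worked example of textbook RSA in Python. It is an added example, not code from the survey or from PKCS #1, ISO/IEC 9796 or ANSI X9.31; the primes P and Q are constructed toy values far too small for real use, hashlib's SHA-1 stands in for the SHA of FIPS 180 (it is the later revision, not the 1993 algorithm), and the last function shows the kind of mathematical relationship among raw RSA signatures that the standard block formats exist to prevent.

```python
"""Textbook RSA as a reversible scheme: the private-key operation both
decrypts and signs, the public-key operation both encrypts and verifies.

Added example, not code from the survey or from PKCS #1, ISO/IEC 9796 or
ANSI X9.31.  P and Q are constructed toy primes; real keys use primes of
hundreds of digits plus a standardized block format."""
import hashlib

P = 1_000_000_007      # toy prime (assumption of this example)
Q = 998_244_353        # toy prime (assumption of this example)
E = 65537


def keygen(p=P, q=Q, e=E):
    """Return (public, private) = ((n, e), (n, d)) with e*d = 1 mod (p-1)(q-1)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))     # modular inverse, Python 3.8+
    return (n, e), (n, d)


def public_op(pub, x):
    """x^e mod n: encryption for a cryptosystem, verification for signatures."""
    n, e = pub
    return pow(x, e, n)


def private_op(priv, x):
    """x^d mod n: decryption for a cryptosystem, signing for signatures."""
    n, d = priv
    return pow(x, d, n)


def digest_as_int(msg: bytes, n: int) -> int:
    """Hash the message (SHA-1 from hashlib, standing in for SHA) and reduce
    it into Z_n so it can be signed as one RSA block."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % n


def sign(priv, msg):
    return private_op(priv, digest_as_int(msg, priv[0]))


def verify(pub, msg, sig):
    return public_op(pub, sig) == digest_as_int(msg, pub[0])


def raw_multiplicative_forgery(pub, sig1, sig2):
    """Raw RSA is multiplicative: sig(m1) * sig(m2) = sig(m1 * m2) mod n, so
    two raw signatures give a third without the private key.  Hashing and a
    fixed block format (PKCS #1, ISO/IEC 9796) remove the attacker's control
    over the value that is actually exponentiated."""
    n, _ = pub
    return (sig1 * sig2) % n


def demo():
    """Returns (reversible, signature_verifies, tampered_verifies, raw_forgery_valid)."""
    pub, priv = keygen()
    n = pub[0]
    m = 123456789
    # Reversibility: the same two exponentiations serve both uses.
    reversible = (private_op(priv, public_op(pub, m)) == m
                  and public_op(pub, private_op(priv, m)) == m)
    msg = b"transfer 100 to account 42"
    sig = sign(priv, msg)
    m1, m2 = 17, 31
    forged = raw_multiplicative_forgery(pub, private_op(priv, m1), private_op(priv, m2))
    return (reversible,
            verify(pub, msg, sig),
            verify(pub, b"transfer 900 to account 42", sig),
            public_op(pub, forged) == (m1 * m2) % n)
```

Signing and decrypting run the same exponentiation, which is what "reversible" means above and why one reversible key pair can serve both a cryptosystem and a signature scheme. The last element returned by demo() is true: a raw signature on m1 times a raw signature on m2 is a valid raw signature on m1 times m2, which is exactly the sort of relationship a block format such as that of ISO/IEC 9796 is designed to block.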
Key-agreement algorithms. These algorithms manage keys through an exchange of messages derived from private values that are not shared. The result of the exchange is that parties agree on a secret key. It is difficult to determine the secret key from the exchanged messages without the private values from which they are derived. Key-agreement algorithms are sometimes called key exchange algorithms in the literature.

Key-agreement algorithms provide confidentiality and key management, and in some cases origin authentication. They do not require that parties first agree on a secret key. As with public-key cryptosystems, no primary standard key-agreement algorithm exists. Many consider an algorithm invented by Diffie and Hellman,21 usually called Diffie-Hellman, the de facto standard here.

Efforts toward Diffie-Hellman standardization include the intervendor PKCS #337 and the draft ANSI X9.30 part 4,38 which is based on a variant of Diffie-Hellman having origin authentication. The cellular digital packet data (CDPD) specifications20 adopt Diffie-Hellman key agreement. ISO/IEC's joint working group SC6 is developing standards for key agreement in the network and transport layers of the OSI reference model,39,40 with Diffie-Hellman as a possible algorithm.
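A worked Diffie-Hellman exchange, as an added example that is not taken from the survey or from PKCS #3, ANSI X9.30 or the CDPD specifications. The modulus is a constructed toy choice (the Mersenne prime 2^127 - 1 with generator 3), not a standardized group. Both parties' messages are shown, and a second function shows what an active attacker can do when nothing authenticates the origin of those messages, which is the gap that the variant with origin authentication mentioned above is meant to close.

```python
"""Diffie-Hellman key agreement, message by message, and why origin
authentication matters.

Added example; not code from the survey or from any standard.  P is the
Mersenne prime 2^127 - 1, a constructed toy modulus rather than a
standardized group; deployed systems use much larger published primes."""
import hashlib
import secrets

P = (1 << 127) - 1     # toy prime modulus (assumption of this example)
G = 3                  # toy generator (assumption of this example)


def private_value():
    """A party's private value; it never leaves the party."""
    return secrets.randbelow(P - 2) + 1


def public_value(x):
    """The one message each party sends: g^x mod p."""
    return pow(G, x, P)


def shared_key(x, peer_public):
    """Both parties compute peer_public^x mod p; hashing it turns the
    agreed group element into a fixed-length symmetric key."""
    z = pow(peer_public, x, P)
    return hashlib.sha256(z.to_bytes(16, "big")).digest()


def honest_exchange():
    """Alice sends A = g^a, Bob sends B = g^b; each derives g^(ab)."""
    a, b = private_value(), private_value()
    A, B = public_value(a), public_value(b)
    return shared_key(a, B), shared_key(b, A)


def intercepted_exchange():
    """Unauthenticated exchange with an active attacker M in the middle.
    M replaces A and B with her own M = g^m.  Returns the key Alice
    derives, the key Bob derives, and the two keys M holds: Alice and Bob
    end up with different keys, each shared with M rather than each other,
    and neither can tell from the messages alone."""
    a, b, m = private_value(), private_value(), private_value()
    A, B, M = public_value(a), public_value(b), public_value(m)
    k_alice = shared_key(a, M)        # Alice was handed M instead of B
    k_bob = shared_key(b, M)          # Bob was handed M instead of A
    return k_alice, k_bob, shared_key(m, A), shared_key(m, B)
```

The exchanged messages A and B reveal nothing useful about the key without a or b, which is the confidentiality and key management property in Table 1. What plain Diffie-Hellman lacks is any binding of A to Alice or B to Bob; intercepted_exchange() shows the consequence, and adding origin authentication, for instance by signing the exchanged values, is what the authenticated variant standardized in X9.30 part 4 provides.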
Cryptographic hash functions. These functions reduce a message of arbitrary length to a short code so that it is difficult to find a message with a given hash code, and in some cases also to find two messages with the same hash code. There is no key. Hash functions are also called message digests and modification detection codes in the literature.

A hash code is typically 128 or 160 bits long. Ideally, an attacker's only approach is trial and error, which amounts to 2^128 trials to find a message with a given hash code (for a 128-bit hash), and 2^64 trials to find two messages with the same hash code. (This is akin to the "birthday paradox": you need about 365 people in a room to be likely to find one with a given birthday, but only 23 to have better than even odds of finding two with the same birthday.) Hash functions are generally quite fast. They provide message integrity to parties knowing a message's hash code. They are often combined with digital signature schemes, as noted earlier.
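The birthday argument, as an added example not from the survey: Python code that computes the two probabilities the paragraph cites and then finds a collision on MD5 truncated to 24 bits, a constructed toy target, to show that the collision search finishes in roughly the square root of the trials a preimage search would need.

```python
"""The birthday bound made concrete.

Added example, not from the survey.  (1) computes the birthday
probabilities; (2) finds a collision on a hash truncated to 24 bits, a
constructed toy target chosen so the search takes a fraction of a second,
and compares the trial count with the 2^24 a preimage search would need."""
import hashlib
import math


def p_given_birthday(n, days=365):
    """Probability that among n people at least one has a given birthday."""
    return 1.0 - (1.0 - 1.0 / days) ** n


def p_shared_birthday(n, days=365):
    """Probability that among n people some two share a birthday."""
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (days - i) / days
    return 1.0 - p_distinct


BITS = 24   # truncation width of the toy hash (assumption of this example)


def h(data: bytes) -> int:
    """Toy hash: the leading BITS bits of MD5(data)."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - BITS)


def find_collision():
    """Hash successive inputs until two distinct inputs collide.
    Returns (input1, input2, trials)."""
    seen = {}
    i = 0
    while True:
        x = str(i).encode()
        v = h(x)
        if v in seen:
            return seen[v], x, i + 1
        seen[v] = x
        i += 1


def demo():
    """Summarize the numbers: both birthday probabilities, the trials the
    collision search actually used, and the expected costs of the two
    attacks on a BITS-bit hash."""
    x, y, trials = find_collision()
    return {
        "p_one_of_365_has_given_birthday": round(p_given_birthday(365), 3),
        "p_two_of_23_share_birthday": round(p_shared_birthday(23), 3),
        "collision_trials": trials,
        "collision_expected": int(math.sqrt(math.pi / 2 * 2 ** BITS)),
        "preimage_expected": 2 ** BITS,
    }
```

For a 24-bit hash the collision search needs on the order of 2^12 trials while a preimage search needs on the order of 2^24, the same square-root relationship as the 2^64 versus 2^128 figures above. Collision resistance therefore needs a hash twice as wide as preimage resistance for the same work factor, which is why 128 and 160 bits are the widths in use.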
The Secure Hash Standard (SHS),35 which defines SHA, is the primary standard. SHA produces a 160-bit hash from a message of arbitrary length; it is intended to be combined with DSA.31 ANSI X9.30 part 241 specifies SHA.

Other hash algorithms suitable for standardization include MD2 and MD5, developed by Ron Rivest for RSA Data Security42,43 and adopted by Internet privacy-enhanced mail,25 and MDC-2, which is specified in draft ANSI X9.31 part 2.44 SC27/WG2 is also developing standards for hash functions.
Authentication codes. These codes reduce a message of arbitrary length to a short code under a secret key so that it is difficult, without the key, to compute the authentication code, or to find a new message with a given authentication code. Authentication codes provide message integrity and origin authentication to parties who have previously agreed on a secret key. The message itself need not be encrypted.

An authentication code is typically 32 or 64 bits long, and the keys are 56 bits long. Ideally, an attacker's only approach is trial and error on the keys: arbitrary message modifications have some probability of success, but the attacker cannot check for success without the help of the real user. Authentication codes, like hash functions, are generally quite fast.

The primary standard is FIPS PUB 113,45 which defines the Data Authentication Algorithm. The algorithm is a variant of DEA; it produces a 32-bit authentication code from a message of arbitrary length and a 56-bit key. ANSI X9.946 and Australian standard AS2805.447 specify DAA.
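The following Python is an added example, not code from the survey, FIPS 81, ANSI X9.17 or FIPS 113. It serves two passages: the modes of operation and two-key EDE discussed under secret-key cryptosystems above, and the Data Authentication Algorithm described here. Because the Python standard library has no DEA, a constructed 64-bit-block, 56-bit-key Feistel "toy" cipher stands in for it; the modes, the EDE composition and the CBC-style authentication code are the generic constructions applied to that cipher, which is the point the survey makes when it says the modes apply to any block cipher.

```python
"""Block cipher modes of operation, two-key EDE, and a DAA-style
authentication code over a toy 64-bit block cipher.

Added example, not code from the survey or from any standard.  The toy
Feistel cipher exists only so the modes run stand-alone; it has had no
cryptanalysis and must not protect real data.  ECB, CBC, EDE and the
CBC-MAC are the generic constructions the standards describe."""
import hashlib

BLOCK = 8          # 64-bit blocks, as in DEA
KEY_BYTES = 7      # 56-bit keys, as in DEA


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(key: bytes, rounds: int = 16):
    # Toy key schedule: one hashed subkey per round (an assumption of this
    # example, nothing like DEA's permutation-based schedule).
    return [hashlib.sha256(key + bytes([r])).digest()[:8] for r in range(rounds)]


def _f(half: bytes, subkey: bytes) -> bytes:
    return hashlib.sha256(subkey + half).digest()[:4]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """16-round Feistel network on one 8-byte block."""
    left, right = block[:4], block[4:]
    for sk in _subkeys(key):
        left, right = right, _xor(left, _f(right, sk))
    return right + left


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """The same network with the subkeys applied in reverse order."""
    left, right = block[:4], block[4:]
    for sk in reversed(_subkeys(key)):
        left, right = right, _xor(left, _f(right, sk))
    return right + left


def _blocks(data: bytes):
    assert len(data) % BLOCK == 0, "caller pads to a whole number of blocks"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, data):
    """Electronic codebook: blocks are encrypted independently, so equal
    plaintext blocks produce equal ciphertext blocks."""
    return b"".join(toy_encrypt_block(key, b) for b in _blocks(data))


def cbc_encrypt(key, iv, data):
    """Cipher block chaining: each block is XORed with the previous
    ciphertext block (the IV for the first) before encryption."""
    out, prev = [], iv
    for b in _blocks(data):
        prev = toy_encrypt_block(key, _xor(prev, b))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(prev, toy_decrypt_block(key, c)))
        prev = c
    return b"".join(out)


def ede_encrypt_block(k1, k2, block):
    """Two-key encrypt-decrypt-encrypt as in ANSI X9.17: E_k1(D_k2(E_k1(x))).
    With k1 == k2 the middle step undoes the first, leaving one encryption,
    which is how EDE equipment interoperates with single-key equipment."""
    return toy_encrypt_block(k1, toy_decrypt_block(k2, toy_encrypt_block(k1, block)))


def cbc_mac(key, data, mac_bytes=4):
    """DAA-style authentication code: CBC with a zero IV over the message
    zero-padded to a block boundary, keeping only the leftmost 32 bits of the
    final block.  Zero padding means messages differing only in trailing
    zero bytes share a code, so the length must travel with the message."""
    padded = data + b"\x00" * (-len(data) % BLOCK)
    last = cbc_encrypt(key, bytes(BLOCK), padded)[-BLOCK:]
    return last[:mac_bytes]


def demo():
    """Returns (ecb_leaks, cbc_leaks, cbc_roundtrip, ede_collapses, mac_forged)."""
    key, iv = b"\x13" * KEY_BYTES, bytes(BLOCK)   # constructed key; fixed IV only for reproducibility
    msg = b"ATTACK AT DAWN  " * 2                 # two identical 16-byte halves
    ecb = ecb_encrypt(key, msg)
    cbc = cbc_encrypt(key, iv, msg)
    tag = cbc_mac(key, msg)
    return (ecb[:16] == ecb[16:],                  # ECB shows the repetition
            cbc[:16] == cbc[16:],                  # CBC hides it
            cbc_decrypt(key, iv, cbc) == msg,
            ede_encrypt_block(key, key, msg[:8]) == toy_encrypt_block(key, msg[:8]),
            cbc_mac(key, b"ATTACK AT DUSK  " * 2) == tag)
```

Two details worth noticing: the EDE collapse to a single encryption when both keys are equal is a deliberate interoperability property, not an accident, and the zero padding of the DAA-style code means a verifier that does not also check the message length accepts a message with extra trailing zero bytes.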
`
Applications

The applications standards described next combine families of algorithms, and sometimes specify particular algorithms, to solve confidentiality, integrity, origin authentication, and key management problems. Although many of the standards specify much more than just cryptography, encryption plays an important role.

Ideally, an algorithm should work in many applications, and many algorithms should work in a given application. The design of applications and algorithms is in this sense "orthogonal," and the designers have generally done a good job at providing orthogonality.

Do not confuse these applications with the applications layer of the OSI reference model; some may well run at that layer, and others at lower layers.
Secure electronic mail. Six years in development and now a proposed standard, Internet privacy-enhanced mail (PEM) combines secret-key cryptosystems, public-key cryptosystems, hash functions, and digital signature schemes to provide security for electronic mail.48 It is a text-based protocol compatible with most electronic-mail systems. PEM supports public-key and secret-key techniques; the former involves X.509 certificates.49 Currently, PEM has adopted RSA, DEA, MD2, and MD5 algorithms,25 but the protocols are flexible and other suites of algorithms are likely to be added.

Mail is not the only application of PEM, of course, although it is a primary one. The same protocol that adds encryption or authentication to a mail message can enhance any digital document, such as a contract; the document need not be mailed to someone.

The intervendor PKCS #750 is a binary extension of PEM; it offers the same services, but works with binary data and allows one to sign attributes such as the time of day along with the underlying message. Certain modes of PKCS #7 are cryptographically compatible with PEM, in the sense that messages can be translated between the two protocols without any cryptographic operations. PKCS #7 does not specify a particular algorithm.

Another approach to electronic-mail security is found in X.400 message-handling systems,51 which solve the basic problems of confidentiality, authentication, and key management. X.400 also provides special encryption-based services such as proof of submission and proof of delivery. (X.411 supplies the details.52) X.400, like most international standards, does not specify particular algorithms. It supports both public-key and secret-key techniques. ISO 10021-153 is technically aligned with X.400.

X.435,54 a standard for electronic data interchange over X.400, builds on X.411's services, defining related services such as signed receipts.
Secure communications. These standards focus on the security of local-area networks and wireless links. IEEE's P802.10 project, Secure Interoperable LAN (local area network) Security (SILS), addresses privacy and authentication of data at the data link layer. Devices following the protocol encrypt data link frames as they pass through the network; the protocol is transparent to higher layers. A proposed draft55 specifies Diffie-Hellman key agreement. The CDPD specifications20 define an encryption protocol for wireless links based on Diffie-Hellman key agreement and RC4.

IEEE project P802.11, focusing on wireless links, has just started.

Directory authentication and network management. X.509 directory authentication49 applies public-key and secret-key techniques to the problem of determining the identity of a user attempting to access an X.500 global directory.56 "Weak" authentication identifies a user by a password, while "strong" authentication involves digital signatures. The authentication protocols can also ensure that messages to and from the directory are not modified in transit.

X.509 standardizes on no particular algorithm, although RSA is in an informative annex. Two additional contributions of X.509 are certificates, which bind a public key to a user's name with a digital signature, and certificate-revocation lists, which break the binding. These elements have found their way into other applications such as privacy-enhanced mail and the X9.30 and X9.31 drafts. Although directories are just emerging, users' names in the related applications are designed in anticipation of a future directory entry. ISO 9594-857 is technically aligned with X.509.

In a proposed security standard for the Internet's Simple Network Management Protocol (SNMP),58 parties identify each other with a secret shared key.59 Network management requests are hashed together with the secret key under MD5 to produce an authentication code. Encryption with DEA is also an option.

SC27/WG2 is developing authentication protocols involving public-key and secret-key techniques.

Banking. The primary key management standard for the banking industry is ANSI X9.17. It is based entirely on DEA and related algorithms, including the EDE mode of DEA. To date, X9's standards have all involved secret-key techniques; work on public-key techniques is in progress in X9.30 and X9.31. Other banking standards efforts include

• draft Australian standard AS2805.6.5.3,60 which specifies RSA;
• CFONB ETEBAC-5,61 a French banking standard that specifies RSA and DEA; and
• ISO CD 11666, a draft standard for banking key management that specifies RSA.62,63 Whether it will be approved is unclear, as its architectural features have been criticized.64
Escrowed encryption. A likely candidate to surpass even the DSS controversy is the proposed Escrowed Encryption Standard (EES),17 part of the US government's Capstone project for encryption standards. It implements an April 1993 presidential order that certain encryption devices provide entry points for legitimate law-enforcement wiretaps. The government's Clipper chips are the first examples of such devices.65

EES is based on the Skipjack algorithm and involves a classified law-enforcement access field (LEAF). Each hardware device complying with EES (software is not allowed) has a secret key; the key is split at the factory and "escrowed" with (that is, put into the custody of, as with money or deeds) two government agencies. Under court order, the agencies reconstruct the key. With the secret key and LEAF, authorized officials can decrypt messages encrypted by the device. Neither escrow agency can decrypt messages by itself.

What is controversial about EES appears not so much to be government wiretapping, which has always been controversial, but the issues of algorithm secrecy, hardware-only implementation, and potential security risks in the manufacturing and key escrow processes. The panel that reviewed the Skipjack algorithm is also evaluating the manufacturing and key escrow processes.
`
CRYPTOGRAPHY IS FINDING BROAD APPLICATION in the computer world. There is much common ground in the underlying algorithms. Interestingly, solutions to the confidentiality problem, encryption in the pure sense, seem to be the hardest to standardize. Much more activity focuses on peripheral cryptographic problems such as authentication and key management, as well as algorithm-independent standards.

As evidenced by the parallel X9.30 and X9.31 efforts, the controversy over DSS has brought about parallel standards, one involving the reversible model (for example, RSA). Here, signing is the same as decryption, and verification is the same as encryption. The other standard involves the irreversible model (for example, DSA) without such relationships. Reversibility is considered by some to open the door to confidentiality of unlimited security, a problematic feature for law enforcement and national security concerns. Others see dual standardization to be problematic for industry concerns.

Since NIST may have reaffirmed DES for the last time, what comes next? The Internet's PEM working group has been looking at new encryption algorithms, among them the so-called triple-DES with three DEA operations, of which X9.17's EDE is one example. Whether the factor-of-three slowdown in performance is too much remains to be seen, but in light of the secrecy around the Skipjack algorithm and the few published alternatives, most likely triple-DES will become a standard encryption algorithm in some corner of the standards world. RC4 may play a role as well.

While all of this is sorting itself out, a new IEEE project, sponsored by the Computer Society's Microprocessor and Microcomputer Standards Committee, aims to complete the family of public-key standards. These standards will be based on the RSA and Diffie-Hellman algorithms, covering key management, encryption, authentication, key generation, and hardware support. The IEEE authorized P1363, "RSA, Diffie-Hellman, and related public-key techniques," this June, and an initial meeting is being planned as of this writing.
`
`Acknowledgments
`I am grateful to Richard Ankney for sharing his standards
`expertise.
`
`
`
References

1. W. Diffie, "The First Ten Years of Public-Key Cryptography," Proc. IEEE, 1988, pp. 560-577.
2. G.J. Simmons, ed., Contemporary Cryptology: The Science of Information Integrity, IEEE, New York, 1992.
3. P. Fahn, Answers to Frequently Asked Questions About Today's Cryptography, Version 2.0, RSA Laboratories, Redwood City, Calif., Sept. 1993.
4. A. Patel, "Emerging Network Security Standards in an OSI Environment," Computer Standards & Interfaces, 1989/1990, pp. 239-247.
5. Recommendation X.800: Security Architecture for Open Systems Interconnection for CCITT Applications, CCITT, Geneva, 1991.
6. ISO/IEC DIS 11586: Generic Upper Layers Security, ISO/IEC, Geneva, 1993.
7. Accredited Standards Committee X9, Working Draft: American National Standard X9.41-1993: Security Services Management for the Financial Services Industry, American Bankers Assoc., Washington, DC, Aug. 1993.
8. DOD 5200.28-STD: Department of Defense (DOD) Trusted Computer System Evaluation Criteria (TCSEC), US Department of Defense, Washington, DC, 1985.
9. FIPS Publication 46-1: Data Encryption Standard, NIST, Washington, D.C., Jan. 22, 1988; originally issued by the National Bureau of Standards.
10. Accredited Standards Committee X3, ANSI X3.92: Data Encryption Algorithm (DEA), ANSI, New York, 1981.
11. Australian Standard 2805.5-1985: Electronic Funds Transfer, Requirements for Interfaces, Part 5: Data Encryption Algorithm, Standards Assoc. of Australia, North Sydney, NSW, 1985.
12. E. Biham and A. Shamir, "Differential Cryptanalysis of the Full 16-Round DES," Proc. Crypto 92, Advances in Cryptology, Springer-Verlag, New York, 1993, to appear.
13. D. Coppersmith, "The Data Encryption Standard (DES) and Its Strength Against Attacks," tech. report RC 18613 (81421), IBM Research Div., Yorktown Heights, N.Y., Dec. 1992.
14. FIPS Publication 81: DES Modes of Operation, NIST, Dec. 2, 1980.
15. Accredited Standards Committee X9, American National Standard X9.17: Financial Institution Key Management (Wholesale), ANSI, 1985.
16. PKCS #5: Password-Based Encryption Standard, Version 1.4, RSA Data Security, Inc., Redwood City, Calif., June 1991.
17. NIST, "A Proposed Federal Information Processing Standard for an Escrowed Encryption Standard (EES)," Federal Register, Vol. 58, No. 145, July 30, 1993.
18. E.F. Brickell et al., "Skipjack Review, Interim Report: The Skipjack Algorithm," July 28, 1993; contact author for copies.
19. R.L. Rivest, The RC4 Encryption Algorithm, RSA Data Security, Inc., Mar. 12, 1992.
20. Ameritech Mobile Communications et al., Cellular Digital Packet Data System Specifications: Part 406: Airlink Security, CDPD Industry Input Coordinator, Costa Mesa, Calif., July 1993.
21. W. Diffie and M.E. Hellman, "New Directions in Cryptography," IEEE Trans. Information Theory, Vol. IT-22, 1976, pp. 644-654.
22. R.L. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Comm. ACM, Vol. 21, No. 2, Feb. 1978, pp. 120-126.
23. PKCS #1: RSA Encryption Standard, Version 1.4, RSA Data Security, Inc., June 1991.
24. Accredited Standards Committee X9, Working Draft: American National Standard X9.31-1993: Public Key Cryptography Using Reversible Algorithms for the Financial Services Industry: Part 4: Management of Symmetric Algorithm Keys Using RSA, Am. Bankers Assoc., June 4, 1993.
25. D. Balenson, RFC 1423: Privacy Enhancement for Internet Electronic Mail: Part III, Algorithms, Modes, and Identifiers, Trusted Information Systems, Inc., Glenwood, Md., Feb. 1993.
26. Special Publication 500-183: Stable Implementation Agreements for Open Systems Interconnection Protocols: Part 12, OS Security, NIST, June 1992.
27. Australian Standard 2805.5.3: Electronic Data Transfer, Requirements for Interfaces, Part 5.3: Data Encipherment Algorithm 2, Standards Assoc. of Australia, 1992.
28. International Standard 9796: Information Technology, Security Techniques: Digital Signature Scheme Giving Message Recovery, ISO/IEC, 1991.
29. L.C. Guillou et al., "Precautions Taken Against Various Potential Attacks in ISO/IEC DIS 9796," Proc. Eurocrypt 90, Advances in Cryptology, I.B. Damgard, ed., Springer-Verlag, 1991, pp. 465-473.
30. Accredited Standards Committee X9, Working Draft: American National Standard X9.31-1992: Public Key Cryptography Using Reversible Algorithms for the Financial Services Industry: Part 1: The RSA Signature Algorithm, Am. Bankers Assoc., Mar. 7, 1993.
31. Publication XX: Announcement and Specifications for a Digital Signature Standard (DSS), NIST, Aug. 19, 1992.
32. NIST, "The Digi