With recent world events, security has become an important issue with decision makers in both business and government. This focus on security is evident in the digital world where protecting sensitive information is mission critical. Exponential improvements in computing power over the last 20 years have forced cryptographers to design new algorithms that can stay secure for another 20 years.
The 56-bit Data Encryption Standard (DES) has now been replaced with the Advanced Encryption Standard (AES), which provides at least 128 bits of security and a scaleable key size that solves the demand for stronger security. However, a stronger algorithm like AES demands equivalent security for the accompanying digital signatures and key exchanges. Otherwise, AES can be compromised through the weaker security of public-key cryptography.
According to the National Institute of Standards and Technology (NIST), keys for symmetric ciphers such as AES must be matched in strength by public key algorithms such as RSA and Elliptic Curve Cryptography (ECC). For example a 128-bit AES key demands a 3072-bit RSA key while 256-bit AES demands an RSA key size of 15,360 bits for equivalent security. Clearly, 15,360 bits would bring almost any system to its knees since key size is directly related to computing resources.
Fortunately, ECC scales linearly with AES and maintains relatively compact key sizes at all security levels. ECC keys by comparison are only 512 bits for 256-bit AES and therefore do not hinder performance. AES, used in conjunction with ECC, allows for high security solutions that do not impact performance even on constrained devices such as PDAs and cell phones where computing power is only a fraction of what’s available on a desktop.
AES was selected through a public process that was in fact a contest conducted by the NIST, the US Government’s official standards organization. Fifteen candidates submitted symmetric encryption algorithms that met NIST requirements. Five of these contestants made it into the AES finals. The five finalists were all regarded to have similar security, but the submission from Rijndael was selected to become AES as it offered the best performance across all architectures.
In fact, NIST now specifies AES in the document Federal Information Processing Standard (FIPS) 197 (http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf), as the new standard for symmetric encryption. AES succeeds DES and Triple-DES, which are symmetric encryption algorithms that provide 56 and 112 bits of security, respectively, that were formerly approved for use by US government organizations.
To date, AES remains the only symmetric encryption algorithm providing at least 128 bits of security that is approved for use by US government organizations to protect sensitive, unclassified information. AES comes in three security strengths: 128 bits, 192 bits and 256 bits. The 128-bit strength should provide at least 30 years of protection. The higher strengths are available for even greater protection.
Surprisingly, not only does AES provide more security than 3DES, it also delivers better performance. Better performance and better security make AES a highly attractive alternative to 3DES and a good choice for symmetric encryption algorithm going forward.
Public Key Systems for AES
Symmetric-key cryptography algorithms are very fast but not that versatile. Key management with only symmetric-key algorithms is very difficult and non-repudiation is unattainable. Asymmetric-key cryptography, also known as public-key cryptography, resolves these problems. Public-key cryptography also provides digital signatures for non-repudiation and key agreement techniques that greatly simplify key management. Today, there are three types of public-key cryptographic systems that can be considered secure and efficient. These systems, classified according to the mathematical problem on which they are based, are: Integer Factorization systems (of which RSA is the best known example), Discrete Logarithm systems (such as the US Government’s DSA), and the Elliptic Curve Cryptosystem. The two major benchmarks when comparing these systems are security and efficiency.
As shown in Table 1, at all levels of security including 128 bits, ECC has smaller public key sizes than both RSA and DSA/DH. Because of its smaller key size, ECC outperforms both RSA and DSA/DH for most routine operations while offering comparable levels of security. The reason is that ECC provides greater efficiency in terms of computational overheads, key sizes and bandwidth. In implementations, these savings mean higher speeds, lower power consumption, and code size reductions. The gap between systems grows as the key sizes increase which is especially relevant to implementations of AES.
The performance advantage of ECC for AES would be all for naught if there was not widespread employment of the system in standards. ECC is a public-key cryptography technique approved for digital signatures used by the US Government, as specified by NIST in its publication FIPS 186-2. Organizations such as ANSI, IETF, ISO and IEEE have also endorsed ECC as a public-key cryptography standard.
The Advanced Encryption Standard has set a new bar for secure systems for years to come. The security of the public-key system must match AES. The NIST guidelines demonstrate that ECC’s key sizes scale perfectly with AES while the other systems clearly do not. The future of Internet security standards such as SSL/TLS, S/MIME and IKE/IPSec depends on public key systems that match the security of AES and offer performance that does not impact the user. ECC delivers the highest strength-per-bit of any public key cryptography known today.
This issue of Code & Cipher reviews the first annual Certicom ECC Conference and summarizes some of the key discussions at the event.