The US Government's decision to adopt the Advanced Encryption
Standard (AES) for securing sensitive information will trigger a
move from the current, ageing Data Encryption Standard (DES) in the
private sector, according to users and analysts.

But it will not happen overnight. Technology standards bodies
representing industries such as financial services and banking need
to approve AES as well, and that will take time. Products such as
wireless devices and virtual private networks that incorporate AES
have also yet to be developed.

Companies using Triple DES technologies, which offer much stronger
forms of encryption than DES, will have to wait until low-cost AES
implementations become available before a migration to the new
standard makes sense from a price perspective.

"AES will likely not replace more than 30% of DES operations before
2004," said John Pescatore, an analyst at Gartner.

US secretary of commerce Don Evans announced the approval of AES as
the new Federal Information Processing Standard on 4 December. The
formal approval makes it compulsory for all US Government agencies
to use AES for encrypting information from 26 May.

AES is a 128-bit encryption algorithm based on a mathematical
formula called Rijndael (pronounced "rhine doll") that was
developed by cryptographers Joan Daemen at Proton World
International and Vincent Rijmen at Katholieke Universiteit Leuven,
both in Belgium.

Experts claim that the algorithm is small and fast, and that it
would take 149 trillion years to crack a single 128-bit AES key
using today's computers.

AES offers a more secure standard than the 56-bit DES algorithm,
which was developed in the 1970s and has already been cracked. AES
is considered even better than Triple DES, which is compatible with
DES but uses a 112-bit encryption algorithm that is considered
unbreakable using today's techniques.

In software, AES runs about six times as fast as Triple DES and is
less chip-intensive.

The advantages of AES make it inevitable that private companies
will start using it for encryption, said Paul Lamb, chief
technology officer at Oil-Law Records, which provides regulatory
and legal information to oil and gas companies. "[Companies will
adopt AES] because of the perceived problems with DES and the
greater sense of security with AES," he added.

"I would expect the adoption curve to be pretty steep," said Steve
Lindstrom, an analyst at Hurwitz Group. Any concerns companies had
about AES not being widely adopted have been put to rest with the
Government's decision, he added.