US companies to embrace encryption standard

The US Government's decision to adopt the Advanced Encryption Standard (AES) for securing sensitive information will trigger a...

The US Government's decision to adopt the Advanced Encryption Standard (AES) for securing sensitive information will trigger a move from the current, ageing Data Encryption Standard (DES) in the private sector, according to users and analysts. 

But it will not happen overnight. Technology standards bodies representing industries such as financial services and banking need to approve AES as well, and that will take time. Products such as wireless devices and virtual private networks that incorporate AES have also yet to be developed.

Companies using Triple DES technologies, which offer much stronger forms of encryption than DES, will have to wait until low-cost AES implementations become available before a migration to the new standard makes sense from a price perspective.

"AES will likely not replace more than 30% of DES operations before 2004," said John Pescatore, an analyst at Gartner.

US secretary of commerce Don Evans announced the approval of AES as the new Federal Information Processing Standard on 4 December. The formal approval makes it compulsory for all US Government agencies to use AES for encrypting information from 26 May.

AES is a 128-bit encryption algorithm based on a mathematical formula called Rijndael (pronounced "rhine doll") that was developed by cryptographers Joan Daemen at Proton World International and Vincent Rijmen at Katholieke Universiteit Leuven, both in Belgium.

Experts claim that the algorithm is small and fast, and that it would take 149 trillion years to crack a single 128-bit AES key using today's computers.

AES offers a more secure standard than the 56-bit DES algorithm, which was developed in the 1970s and has already been cracked. AES is considered even better than Triple DES, which is compatible with DES but uses a 112-bit encryption algorithm that is considered unbreakable using today's techniques.

In software, AES runs about six times as fast as Triple DES and is less chip-intensive.

The advantages of AES make it inevitable that private companies will start using it for encryption, said Paul Lamb, chief technology officer at Oil-Law Records, which provides regulatory and legal information to oil and gas companies. "[Companies will adopt AES] because of the perceived problems with DES and the greater sense of security with AES," he added.

"I would expect the adoption curve to be pretty steep," said Steve Lindstrom, an analyst at Hurwitz Group. Any concerns companies had about AES not being widely adopted have been put to rest with the Government's decision, he added.

Read more on Antivirus, firewall and IDS products