If it's Good Enough for the President ...

New encryption standard approved for federal government, private sector

December 5, 2001 - Secretary of Commerce Don Evans today announced approval of a new information technology encryption standard for the federal government at a meeting with members of the Business Software Alliance, a group made up of IT industry CEOs. The Advanced Encryption Standard, or AES, is expected to be used widely in the private sector to protect sensitive computerized information and financial transactions, benefiting millions of consumers and businesses.

"The AES will help the nation protect its critical information infrastructures and ensure privacy for personal information about individual Americans," said Evans. "It also will promote the President's efforts to provide secure electronic government services to our citizens."

Phillip J. Bond, under secretary of commerce for technology, noted that finalization of the standard will benefit many individuals and companies besides federal agencies. "The Secretary's approval means that the AES will now be available to provide the next generation of encryption protection for both government and industry, maintaining America's leadership in the Information Age. We are very pleased that AES development has been successfully completed," said Bond.

The new standard contains a sophisticated mathematical formula known as an algorithm. Algorithms are at the heart of computerized encryption systems, which can be used to encode all kinds of digital information, from electronic mail to the secret personal identification numbers, or PINs, that people use with bank teller machines.

Today's announcement marks the culmination of a four-year effort by computer scientists at the Commerce Department's National Institute of Standards and Technology to achieve a highly secure algorithm for the AES. This was done through an international competition, starting in September 1997, in which researchers from 12 different countries submitted encryption algorithms. Fifteen candidate formulas chosen by NIST in August 1998 were "attacked" for vulnerabilities and intensely evaluated by the worldwide cryptographic community to ensure that they met the AES criteria. After the field was narrowed down to five in April 1999, NIST asked for intensified attacks and scrutiny on the finalists. Evaluations of the encoding formulas examined factors such as security, speed and versatility.

The algorithm selected for the AES in October 2000 incorporates the Rijndael (pronounced Rhine-doll) encryption formula. Belgian cryptographers Joan Daemen (pronounced Yo-ahn Dah-mun) of Proton World International and Vincent Rijmen (pronounced Rye-mun) of Katholieke Universiteit Leuven developed Rijndael. Both men are highly regarded experts within the international cryptographic community. They have agreed that their algorithm may be used without royalty fees.

The AES has been designed to protect sensitive government information well into the 21st century. It will replace the aging Data Encryption Standard, which NIST adopted in 1977 as a Federal Information Processing Standard used by federal agencies to protect sensitive, unclassified information. DES and a variant called Triple DES are used widely in the private sector as well, especially in the financial services industry.

For more details see http://csrc.nist.gov/cryptval/