Internet Security Systems - AlertCon(TM)

Some Interesting Crypto Morsels

Posted by Tom Cross on January 05, 2007 at 12:46 PM EST.

Those of you who follow cryptography might find most of the information in this article old hat, but there are a few interesting data points. The first is a hint from the NSA about the resilience of AES to cryptanalysis with quantum computers. The second is an observation from Whitfield Diffie in response to a question about the differences between the sort of cryptography that the U.S. Government uses for Top Secret applications and the sort of cryptography that you are using for your VPN and file security: "the strength of cryptography is not the place to separate the two."

In fact, AES and a number of other common cryptosystems are approved for use for Top Secret applications. This situation is a far cry from the perception in the cryptography community a decade ago that the mathematical tools employed by the NSA were many years ahead of the understanding of academia. While the NSA does still have its own set of secret algorithms, this observation seems to suggest that their primary advantages over everyday crypto are in terms of implementation and operational procedures. 

The importance of those two factors should not be underestimated. The security of any communications system is only as good as its weakest link, and in practice, code execution vulnerabilities in communications systems and poor key management procedures are almost always easier to exploit than flaws in encryption. However, the paranoid fantasy that major world powers have magic cipher crackers that cut through AES like butter should be put to rest.
