Anyone who reads this blog or the computer press (or even the popular press) knows that cyber security is a big topic in the US as well as the rest of the world these days. In the last few months I have seen copious amounts of proposed solutions. The ideas from Eli Dourado (@elidourado) of the Mercatus Center at George Mason University are some of the best.
Doruado, along with Andrea Castillo and Michael Wilt, published an insightful article on the topic on the Mercatus Website earlier this month. They say, “The first step to improve protection from foreign cyber espionage is to encourage strong encryption that is turned on by default.” I completely agree. In fact, they go on to declare that “Weak encryption means weak national security!”
A fourth category − deprecated − was used in the previous version of this Recommendation, but is not currently being used. September 2015 66 Security Strength Through 2030 2031 and Beyond Processing Legacy use 128 Applying/Processing Acceptable Acceptable 192 Acceptable Acceptable 256 Acceptable Acceptable.
Encryption is central not only to confidentiality, but to authentication and integrity verification as we explain in in Learning Tree’s System and Network Security Introduction. While strong encryption isn’t everything, it is essential to those three attributes of security.
So what is “strong encryption?” To answer that let’s turn to NIST (the US National Institute of Standards and Technology) Publication 800-57 Recommendation for Key Management Part 1 (my references are for the Draft Revision 4 from September 2015). In that publication sensitive, unclassified information can be considered protected in terms of confidentiality using 128, 192, or 256-bit strength algorithms (e.g. AES-128, AES-192, AES-256) to “2031 and beyond.” There are, of course, many more rules and recommendations in that 156 page publication.
The Advanced Encryption Standard (AES) algorithm, is usually referenced these days as the standard for strong encryption. NIST 800-57 does that. That’s not to say that there are others. 800-57 references elliptic curve and other algorithms, for example.
The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths.
In other words NIST and the NSA believe that AES is strong enough for SECRET or TOP SECRET data depending on key length. A longer key length, while providing more security by being more difficult to break, also takes longer processing time. For most users today, however, that is a small concern.
I urge you to read the entire Mercatus article as it has more appropriate ideas I don’t have time to cover here. You also might want to glance at NIST 800-57 and look over the recommendations, but the descriptions are sometimes technical and complex, so most people won’t want to wade into the “weeds” of the details. I haven’t address the integrity and authentication issues of encryption here, but will look at them in future posts.
To your safe computing,