Plan to Migrate to Advanced Encryption Standard
Once considered invulnerable, the Data Encryption Standard that secures many banking and e-commerce transactions has been cracked. Enterprises should switch to the Advanced Encryption Standard when feasible.
Event
On 8 November 2001, Cambridge University announced that two of its researchers had uncovered a weakness in the security systems that protect many banking and e-commerce transactions. Michael Bond and Richard Clayton, two Ph.D. students at the University of Cambridge's Computer Laboratory, extracted a Triple DES key from an IBM 4758 cryptoprocessor, a DES-based hardware security module previously thought secure. Their attack exploited weaknesses in the device's key-management interface to reduce the problem to an exhaustive search of a single 56-bit DES key, which they then completed with inexpensive hardware.
First Take
DES-protected ciphertext has been broken before. With a key of only 56 bits, DES has become susceptible to brute-force attacks by networks of code-cracking computers and by purpose-built hardware, a fact punctuated by Bond's and Clayton's successful attack on a "secure" IBM cryptoprocessor. Accordingly, Gartner believes that DES has reached the end of its life, and a strong candidate for its replacement has already appeared: the new Advanced Encryption Standard (AES), the standardized form of the Rijndael algorithm. The U.S. Department of Commerce, specifically the National Institute of Standards and Technology (NIST), selected Rijndael as AES to protect electronic information and to officially replace the government-endorsed DES, which the government adopted in 1977. Gartner believes that AES will eventually become the preferred symmetric data encryption standard for most private enterprises.

NIST's own estimate puts the difference in strength in perspective: a machine that could recover a 56-bit DES key in one second would need about 149 trillion years to search the 128-bit AES key space. That figure covers exhaustive key search only; Bond's and Clayton's result is a reminder that a weak key-management interface can undo a strong cipher, and a change of algorithm does not by itself fix such interfaces. Under the rules of NIST's selection, the algorithm carries no royalties; however, products built on commercial cryptographic toolkits may still carry per-seat or negotiated license fees for the toolkit. Although NIST says that other finalist algorithms such as MARS, RC6, Serpent or Twofish might be more efficient than Rijndael in some applications or implementations, Gartner expects AES to become the most widely used algorithm because of NIST's endorsement of it as the "standard."

Despite DES's vulnerability, AES will likely not replace more than 30 percent of DES operations before 2004 due to inertia (0.7 probability). Enterprises using DES should plan on migrating to AES as soon as feasible. However, those using the stronger Triple DES (3DES) should wait until system upgrades permit a low-cost AES implementation, unless they face unacceptable system sluggishness because of the performance characteristics of 3DES: 3DES runs the DES cipher three times over every block, whereas AES was selected partly for its speed in both software and hardware.
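The recommendation above is to move DES-protected data to AES. The following Go program, an added example that is not part of the original research note, shows the mechanics such a migration needs: a versioned record envelope, a reader that accepts both formats while the transition runs, and an idempotent re-encryption step that can be applied row by row. The envelope layout, the choice of AES-256 in GCM mode (the note names only AES), the CBC/PKCS#7 layout of the legacy DES records, the keys and the sample plaintext are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"fmt"
)

// Hypothetical record envelope (not a Gartner or NIST format): a leading version byte
// selects the cipher, so readers accept both formats for as long as the migration runs.
const (
	verDES byte = 1 // legacy: single DES, CBC mode, PKCS#7 padding; IV || ciphertext
	verAES byte = 2 // target: AES-256-GCM; nonce || ciphertext || tag
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: never fall back to a predictable IV or nonce
	}
	return b
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if n := len(b); n > 0 && n%size == 0 {
		if p := int(b[n-1]); p > 0 && p <= size && bytes.Equal(b[n-p:], bytes.Repeat([]byte{byte(p)}, p)) {
			return b[:n-p], nil
		}
	}
	return nil, fmt.Errorf("bad PKCS#7 padding")
}

// legacyEncryptDES only constructs the kind of record a migration finds in an existing store.
func legacyEncryptDES(key8, plaintext []byte) ([]byte, error) {
	block, err := des.NewCipher(key8)
	if err != nil {
		return nil, err
	}
	n := des.BlockSize - len(plaintext)%des.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	iv, ct := randBytes(des.BlockSize), make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{verDES}, iv...), ct...), nil
}

func decryptDES(key8, body []byte) ([]byte, error) {
	block, err := des.NewCipher(key8)
	if err != nil || len(body) < 2*des.BlockSize || len(body)%des.BlockSize != 0 {
		return nil, fmt.Errorf("bad DES key or malformed DES record")
	}
	pt := make([]byte, len(body)-des.BlockSize)
	cipher.NewCBCDecrypter(block, body[:des.BlockSize]).CryptBlocks(pt, body[des.BlockSize:])
	return pkcs7Unpad(pt, des.BlockSize)
}

// encryptAES authenticates the version byte as associated data, so a record cannot be
// relabelled to push a reader down the weak DES path undetected.
func encryptAES(aead cipher.AEAD, plaintext []byte) []byte {
	nonce := randBytes(aead.NonceSize())
	return append(append([]byte{verAES}, nonce...), aead.Seal(nil, nonce, plaintext, []byte{verAES})...)
}

// Open reads a record of either version; the version byte selects the cipher.
func Open(desKey []byte, aead cipher.AEAD, rec []byte) ([]byte, error) {
	switch ns := aead.NonceSize(); {
	case len(rec) == 0:
		return nil, fmt.Errorf("empty record")
	case rec[0] == verDES:
		return decryptDES(desKey, rec[1:])
	case rec[0] == verAES && len(rec) > ns:
		return aead.Open(nil, rec[1:1+ns], rec[1+ns:], []byte{verAES})
	case rec[0] == verAES:
		return nil, fmt.Errorf("malformed AES record")
	}
	return nil, fmt.Errorf("unknown record version %d", rec[0])
}

// Reencrypt moves one record to AES. AES records pass through unchanged, so a bulk
// migration that calls it over every row can be interrupted and re-run safely.
func Reencrypt(desKey []byte, aead cipher.AEAD, rec []byte) (out []byte, converted bool, err error) {
	if len(rec) > 0 && rec[0] == verAES {
		return rec, false, nil
	}
	pt, err := Open(desKey, aead, rec)
	if err != nil {
		return nil, false, err
	}
	return encryptAES(aead, pt), true, nil
}

func main() {
	desKey, aesKey := []byte("01234567"), bytes.Repeat([]byte{0x42}, 32) // constructed keys; real ones come from a KMS or HSM
	block, _ := aes.NewCipher(aesKey)
	aead, _ := cipher.NewGCM(block) // neither call can fail for a fixed 32-byte key
	old, _ := legacyEncryptDES(desKey, []byte("account=1234;amount=50.00"))
	rec, converted, err := Reencrypt(desKey, aead, old)
	pt, _ := Open(desKey, aead, rec)
	fmt.Printf("converted=%v plaintext=%q err=%v\n", converted, pt, err)
}
```

Run over every stored row, Reencrypt converts each DES record exactly once and leaves AES records alone, so the job can be stopped and restarted without bookkeeping. Two caveats a practitioner would want: re-encrypting stored data only protects it going forward, since any DES ciphertext an attacker has already captured remains searchable; and the AES key must be freshly generated and held in a key manager or HSM, never a DES key padded out to 32 bytes, or the migration inherits the 56-bit weakness it was meant to remove.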
Analytical Sources: Vic Wheatman and John Pescatore, Information Security Strategies
Written by Dean Lombardo, gartner.com
Entire contents © 2001 Gartner, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The content herein is often based on late-breaking events whose sources are believed to be reliable. The conclusions, projections and recommendations represent Gartner's initial analysis. As a result, our positions are subject to refinements or major changes as Gartner analysts gather more information and perform further analysis. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.
Resource ID: 349104