These are exciting times in the encryption field, not only because of the RSA patent expiration, but also because the U.S. government has just announced a new encryption standard called Rijndael to be adopted by the entire government.
An encryption key is like the password or PIN that you use to log onto your computer network or to access your bank account, except that the keys used internally by most commercial applications are numbers and are substantially longer than the keys used by ordinary human beings.
Encryption programs use a key to take an e-mail message or a packet of data and scramble the data so that a hacker can’t read it while it’s being sent over the Internet. Once it reaches the target computer, a decryption program uses a key to descramble the bits. Both encryption and decryption use very advanced mathematical algorithms, though there are several different algorithms in use.
There are two major kinds of commercial encryption, depending on whether or not the decryption key is identical to the encryption key.
In “shared key” or “symmetric key” encryption, the encryption and decryption keys are identical.
The best-known symmetric key algorithm is the Data Encryption Standard (DES), so-called because it’s been the standard encryption method used by the U.S. government since the 1970s. DES is still widely used, even though it was “cracked” in the 1990s — a determined hacker can decrypt a DES-encrypted message in a few hours of computation on a powerful computer.
That’s why those who still use DES today actually use “triple DES,” or 3DES, which encrypts and decrypts the data three times, using three separate keys.
Because DES was cracked, the National Institute for Standards and Technology (NIST) announced in 1997 a worldwide competition to select a new Advanced Encryption Standard (AES) to replace DES. On October 2, 2000, NIST announced a winner: Rijndael (pronounced “RHINE doll”), named after its Belgian creators, Joan Daemen and Vincent Rijmen.
Unlike DES, AES will never be cracked — even if the entire universe were turned into a giant computer, it would still take trillions of years to crack Rijndael. Information on Rijndael can be found at http://www.nist.gov/aes.
Symmetric key encryption is easy to implement and manage when there are only two or three computers communicating over the Internet, though even in that case you have the problem of how to transport the shared key securely from one computer to another. However, once you have numerous computers exchanging data over the Internet, and in particular once you have e-commerce applications involving thousands of computers, symmetric key encryption becomes unmanageable.
Dual key encryption uses different keys for encryption and decryption, one of which is known as a “public key,” and one of which is a “private key.” The public key can be made freely known, and anyone can use it to encrypt a message.
The private key is owned by an individual or a computer, and only that entity knows the private key and can decrypt the message encrypted with the public key. The de facto worldwide standard is the patented RSA algorithm, named after its inventors, Ronald Rivest, Adi Shamir and Leonard Adleman, all of MIT.
The idea is that each person doing business over the Internet will get his own public/private key pair. Assigning these pairs is a job of a Certificate Authority (CA), such as VeriSign Inc.
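As an added illustration (not part of the original article), the Python sketch below works through the dual key idea with textbook RSA and counts how many keys each approach has to manage as the number of computers grows. The primes, the sample message and the function names are constructed for the example, and the numbers are far too small and the scheme too bare (no padding) for real use.

```python
# Added illustration: textbook RSA with small constructed primes.
# Not secure: real RSA uses moduli of 2048 bits or more plus padding (OAEP).
from math import gcd

def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) built from two distinct primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)      # private exponent: e*d = 1 mod phi (Python 3.8+)
    return (n, e), (n, d)

def encrypt(public_key, message: bytes) -> int:
    """Anyone holding the public key can do this."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)

def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the holder of the private exponent d recovers the message."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def keys_needed(parties: int) -> dict:
    """Keys to manage when every pair of parties must talk privately."""
    return {"symmetric_shared_keys": parties * (parties - 1) // 2,
            "key_pairs": parties}

# Constructed sample primes (the Mersenne primes 2^61-1 and 2^89-1), chosen
# only because they are easy to check; never use such primes in practice.
P, Q = 2**61 - 1, 2**89 - 1
PUBLIC, PRIVATE = make_keypair(P, Q)

if __name__ == "__main__":
    c = encrypt(PUBLIC, b"PIN 4921")          # constructed sample message
    print("ciphertext:", c)
    print("with private key:", decrypt(PRIVATE, c))
    print("with public key: ", decrypt(PUBLIC, c))  # does not undo encryption
    print(keys_needed(1000))
```

For 1,000 computers the shared key approach needs a separate secret for every pair, while the dual key approach needs one key pair per computer.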