IETF puts weight behind Advanced Encryption Standard
Improved secrecy and security, one TLA at a time
The Internet Engineering Task Force (IETF) has published standards for improvements to SSL which add support for the recently ratified Advanced Encryption Standard.
Request for Comments (RFC) 3268 adds support for AES to the TLS protocol (Transport Layer Security - which was formerly known as SSL). As well as adding support for AES, the revision makes it easier and more efficient to support forward secrecy.
Forward secrecy protects past data if a server's key is stolen. Without this measure, if a server's key is compromised, an attacker might be able decrypt previous sessions and decrypt old traffic, thereby accessing sensitive data which might include credit card details and the like. Forward secrecy, which up to now how only been supported with computational intensive ciphers like Triple DES, guards against this type of attack by retiring a server's key.
Pete Chown, director of security developer Skygate, and author of the RFC, urged developers writing TLS software to include support for forward secrecy and AES in order to bolster Internet security.
AES, which was approved as the official encryption standard for the US federal government last December, has already been supported by some developers. Chown explained that the RFC outlines the IETF's preferred approach for introducing the technology.
Until the revision is taken up by browser developers, e-commerce transactions won't benefit from these enhancements. However the publication of the RFC adds impetus to the widespread adoption of AES throughout the industry. ®