In the previous blog, “The Many Flavors of AES – Part 2”, we “navigated” through the world of AES “modes” like ECB, CBC, OFB, CFB, CTR, CCM, GCM and XTS.
Today we will explore a few of the selection points that need to be taken into account when looking for AES-based solutions.
Selection point one: what security application, within what overarching application, are you going to use AES for? Is it IPsec, SSL/TLS, Wi-Fi, MACsec, WiMAX, LTE-Advanced, storage, etc.? Knowing the application space for AES will usually tell you a lot about the modes, key size requirements, and throughput requirements. This narrows things down considerably for the next steps.
Selection point two: software, hardware, or both? This usually touches on throughput and latency requirements, and the form of the data to be processed. Software running on an embedded processor is very versatile, but not nearly as efficient (per clock cycle) as dedicated hardware. In a processor-centric system where offload hardware is on a shared bus, getting data to and from the dedicated hardware can sometimes be a noticeable fraction of total processing time. If the throughput requirement is quite modest, say tens of Mbps, then the AES job may be best handled on the processor with tuned cryptographic software. If the throughput requirement is relatively high, say hundreds of Mbps, then the AES job is likely best handled by dedicated hardware (in fact the processor probably couldn’t do it even if it did nothing else). The data is then either moved to and from that hardware by the processor, or moved by the hardware itself (e.g. with an embedded DMA system), which frees the host processor to do other things in parallel. The form of the data to be processed matters as well. Cryptographic operations often have overheads associated with them which are amortized out over larger chunks…
Selection point three: what level of security is being sought? Key sizes 128/192/256 are available, and the longer the key, the greater the level of security in a well-designed system. There are trade-offs to be considered. Bigger keys mean either lower throughput or, in hardware in particular, more gates. You might add support in hardware for keys you won’t use now to allow for future requirements (brute force attackers keep getting faster computers), but that will cost something.
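The trade-offs in selection points two and three can be put into numbers with a simple cycle-count model. This is an added example, not code from the original post or from Elliptic; it assumes an iterative hardware core that takes one clock per AES round, and the clock, setup cost, bus width and software cost are constructed values.

```python
import math

ROUNDS = {128: 10, 192: 12, 256: 14}  # AES rounds per key size (FIPS 197)
BLOCK = 16                            # AES block size in bytes

def hw_cycles(nbytes, key_bits, setup_cycles, bus_bytes_per_cycle):
    """Cycles for one offload job: fixed setup + bus transfers + cipher rounds.
    Assumed model: iterative core, one clock per round, no pipelining."""
    blocks = math.ceil(nbytes / BLOCK)
    move = 2 * math.ceil(nbytes / bus_bytes_per_cycle)  # data in and data out
    return setup_cycles + move + blocks * ROUNDS[key_bits]

def sw_cycles(nbytes, key_bits, cycles_per_byte_128):
    """Cycles for software AES, scaled from an AES-128 cost by round count."""
    blocks = math.ceil(nbytes / BLOCK)
    return blocks * BLOCK * cycles_per_byte_128 * ROUNDS[key_bits] / ROUNDS[128]

def throughput_mbps(nbytes, cycles, clock_hz):
    """Payload throughput in Mbps for a job of nbytes taking `cycles` clocks."""
    return nbytes * 8 * clock_hz / cycles / 1e6

def break_even_bytes(key_bits, setup_cycles, bus_bytes_per_cycle,
                     cycles_per_byte_128, limit=1 << 20):
    """Smallest whole-block job size at which offload beats software, or None."""
    for n in range(BLOCK, limit + 1, BLOCK):
        if (hw_cycles(n, key_bits, setup_cycles, bus_bytes_per_cycle)
                < sw_cycles(n, key_bits, cycles_per_byte_128)):
            return n
    return None

# Constructed parameters, not measurements of any real product.
CLOCK_HZ = 200e6   # shared clock for CPU and offload engine
SETUP = 2000       # cycles of driver, descriptor and key setup per job
BUS = 4            # bytes moved per cycle on the shared bus
SW_CPB = 20        # software cycles per byte for AES-128

if __name__ == "__main__":
    for bits in (128, 256):
        print(f"AES-{bits}: offload wins from",
              break_even_bytes(bits, SETUP, BUS, SW_CPB), "bytes per job")
        for n in (64, 1500, 65536):
            hw = throughput_mbps(n, hw_cycles(n, bits, SETUP, BUS), CLOCK_HZ)
            sw = throughput_mbps(n, sw_cycles(n, bits, SW_CPB), CLOCK_HZ)
            print(f"  {n:>6} B  hw {hw:7.1f} Mbps  sw {sw:6.1f} Mbps")
```

With these constructed numbers the software path stays near 80 Mbps for AES-128, while the offload engine is slower than software on 64-byte jobs and only reaches hundreds of Mbps once the fixed setup cost is spread over packet-sized or larger chunks.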
There are other factors that come into play when selecting an AES solution, like power and cost.
In conclusion, AES is a very popular, versatile block cipher, with a multitude of modes and a long list of applications and protocols which continues to grow. If you are looking for an “AES encryption” solution, realize that it’s going to take more than a few minutes to find what you need. The selection process needs to be done hand-in-hand with more information about the application space, protocols, modes, software versus hardware, power, and the list can go on …
At Elliptic we offer certified software and hardware AES solutions for a broad range of applications. See www.elliptictech.com for more information, or contact info@elliptictech.com.