Tip

How will new encryption standards affect your network?

This tip originally appeared on SearchNetworking.com, a sister site of SearchCIO-Midmarket.com.

As you've no doubt noticed by now, the Advanced Encryption Standard (AES) has seen widespread adoption by network hardware and software vendors recently. This presents network administrators with an interesting dilemma, especially those interested in virtual private network appliances or software. In this tip, we'll look at the aspects of AES you should consider if you're thinking about using something that relies on this standard.

The two main concerns with an encryption algorithm are security and performance. On the security side, consider the 1970s-era DES. In the world of security, an algorithm with a life this long is generally a good thing. In DES's case, it's not: its flaws have been demonstrated over and over again, and its successor is long overdue. These flaws are both fundamental vulnerabilities to certain types of attack and the simple fact that its short key length makes brute-force attacks quick and effective.

In many ways, AES addresses these concerns. The algorithm itself isn't known to be vulnerable to any of the attack methods DES suffers from. And with real 128-bit encryption (as opposed to doing 56-bit encryption three times, like 3DES) and even 256-bit encryption, it's going to be quite a while (in theory) before brute-force attacks are a problem.

There is a downside to AES, though: it is a relatively new algorithm, and as such, security researchers haven't had all that much time to try to crack it. We could find out at any time that it's vulnerable to an entirely new type of attack. In theory, at least.

When you're considering performance, AES also holds a theoretical advantage, as its algorithm is much more efficient, especially compared to 3DES. However, at this early date in the algorithm's life, hardware support for AES may not be as mature as hardware support for the older 3DES. Thus you'll likely find some platforms where 3DES is still faster (in terms of throughput) than AES-256 and others where AES-256 is faster. As you might suspect, AES-128 is almost always as fast as or faster than AES-256. After a quick survey of marketing materials from various vendors, the difference in throughput appears to be usually on the order of 10% to 30%.
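Because vendor figures vary so much by platform, the honest way to compare is to measure on your own hardware. The following is an added example, not code from the original tip: a small Go program using the standard library's DES and AES implementations in CTR mode to report throughput for 3DES, AES-128 and AES-256. Absolute numbers depend entirely on the CPU and whether it has AES acceleration; the key bytes are constructed for the benchmark only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
	"time"
)

// encryptCTR runs a block cipher in CTR mode so DES's 8-byte and AES's 16-byte
// blocks need no padding; applying it twice with the same IV decrypts.
func encryptCTR(block cipher.Block, iv, data []byte) []byte {
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// benchMBps encrypts a size-byte buffer `rounds` times and returns MB/s; keyLen
// 24 selects 3DES (three 56-bit keys plus parity), 16 or 32 AES-128/AES-256.
func benchMBps(keyLen, size, rounds int) (float64, error) {
	// Constructed benchmark key (keyLen <= 32); real keys come from a CSPRNG.
	key := []byte("0123456789abcdef0123456789abcdef")[:keyLen]
	newCipher := aes.NewCipher
	if keyLen == 24 {
		newCipher = des.NewTripleDESCipher
	}
	block, err := newCipher(key)
	if err != nil {
		return 0, err // e.g. aes.KeySizeError for an unsupported length
	}
	buf := make([]byte, size)
	iv := make([]byte, block.BlockSize())
	start := time.Now()
	for i := 0; i < rounds; i++ {
		encryptCTR(block, iv, buf)
	}
	return float64(size*rounds) / (1 << 20) / time.Since(start).Seconds(), nil
}

func main() {
	for _, keyLen := range []int{24, 16, 32} {
		mbps, err := benchMBps(keyLen, 1<<20, 8)
		if err != nil {
			panic(err)
		}
		fmt.Printf("key %2d bytes: %8.1f MB/s\n", keyLen, mbps)
	}
}
```

Run it on the boxes you are evaluating rather than trusting the datasheet; a software-only 3DES result next to an accelerated AES result tells you more than any marketing percentage.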

So as always, the right time to adopt the new standard will vary widely between organizations. The extra security will be worth the performance cost to some, while others will need budget ready for new hardware encryption models that support AES. Keep in mind that an upgrade could result in a performance improvement. In any case, be sure to do your homework before selecting a product.

Tom Lancaster, CCIE# 8829, CNX# 1105, is a consultant with 15 years' experience in the networking industry and co-author of several books on networking, most recently CCSP: Secure PIX and Secure VPN Study Guide, published by Sybex. Let us know what you think about this tip; email editor@searchcio-midmarket.com.


This was first published in May 2005
