Recently the State Department has released a document saying that AES and DES are unsafe for classified material. This statement from the State Department may be alluding to an attack against these algorithms that is not publicly known.
Under no circumstances should DES- or AES-equipped radios be used for the transmission of classified information, as defined by Executive Order 12958.
AES and 3DES are still on the list of approved algorithms by NIST. However, so is SHA-1; in the case of SHA-1 this is probably because, even though it is very broken, no one has generated a collision.
So what should a security-conscious developer use instead of AES? Why should someone use this algorithm? Are there regulations that govern this alternative (HIPAA, PCI-DSS, ...)?
I think you've misunderstood what the document is talking about. It doesn't say the algorithms are weak. It says that the equipment is not strong enough to protect top secret information. This doesn't mean, though, that AES is not secure anymore. Actually, some weaknesses of AES were known from the very beginning, although they were not disclosed widely. It's just a question of the time and effort needed to attack the information. Often rubber-hose cryptanalysis proves to be much more effective than cracking the algorithm. And this is exactly why the same document says:
"All DES/AES radio equipment in storage or maintenance channels must be zeroized of all key codes. If not equipped with a zeroize feature, a randomly produced key code must be loaded in order to overwrite the mission's actual operational code."
That is, the point is to protect the keys from being extracted from portable hardware, not to claim weakness in AES.
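As an added illustration (not from the original answer or from the State Department document), here are the two key-handling options the quoted passage describes, in C: zeroizing the key in place, and overwriting it with a randomly produced key when the device has no zeroize feature. The `demo_rng` function is a constructed stand-in for a hardware entropy source.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 32                       /* AES-256 key size in bytes */

/* Volatile function pointer: the compiler cannot prove the callee is
 * memset, so it cannot elide the wipe as a dead store on a buffer
 * that is never read again. */
static void *(*const volatile secure_memset)(void *, int, size_t) = memset;

/* The "zeroize feature": wipe the key material in place. */
void zeroize_key(uint8_t *key, size_t len) {
    secure_memset(key, 0, len);
}

/* Fallback from the quoted text: no zeroize feature, so overwrite the
 * operational key with a randomly produced key from the supplied RNG. */
void overwrite_with_random_key(uint8_t *key, size_t len,
                               void (*rng)(uint8_t *, size_t)) {
    rng(key, len);
}

int is_all_zero(const uint8_t *buf, size_t len) {
    uint8_t acc = 0;                     /* accumulate without early exit */
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

/* Constructed stand-in for a hardware RNG (xorshift32, fixed seed).
 * Real equipment would use its hardware entropy source instead. */
void demo_rng(uint8_t *out, size_t len) {
    uint32_t s = 0x2545F491u;
    for (size_t i = 0; i < len; i++) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        out[i] = (uint8_t)s;
    }
}

/* Runs both procedures on a constructed sample key; returns 1 if the
 * original key is no longer present in the buffer after each one. */
int run_demo(void) {
    uint8_t key[KEY_LEN], orig[KEY_LEN];
    for (size_t i = 0; i < KEY_LEN; i++) key[i] = orig[i] = (uint8_t)(i + 1);
    zeroize_key(key, KEY_LEN);
    int ok = is_all_zero(key, KEY_LEN);
    memcpy(key, orig, KEY_LEN);          /* reload the key for the second case */
    overwrite_with_random_key(key, KEY_LEN, demo_rng);
    ok = ok && !is_all_zero(key, KEY_LEN) && memcmp(key, orig, KEY_LEN) != 0;
    return ok;
}
```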