Coming in PHP 8.4: AEGIS Encryption
History of Encryption Standards: Starting with DES
Back in 1972, the U.S. government (via NIST) did a study and concluded that government computer systems needed a standard method of encryption to protect data. Also in 1972, the Atalla Corporation created the first hardware security module, which raised some eyebrows at IBM, who didn't want the competition.
When the government finally started seeking proposals for a new encryption system, IBM submitted its work, spurred on by the success of the "Atalla Box". What would eventually become the DES standard was published in 1975 with a request for public comment.
NSA Skullduggery and DES Criticism
Some early cryptography experts were critical of DES, especially of the NSA's involvement in the specification, because the NSA argued for a shorter key length (48 bits instead of 64; they compromised on 56), making it more vulnerable to brute-force attacks. The dire implication was that the NSA was purposefully weakening the cipher so that they (and they alone) could decrypt whatever they wanted. It was also suggested that the S-boxes were entirely changed by the NSA, which was absolutely true. The S-box is a critical component of a symmetric block cipher, used to hide the relationship between the key and the ciphertext; a compromised S-box would compromise the entire algorithm.
Regardless, DES was approved as a standard in 1976, and it remained the standard for almost 30 years (although later changed to "triple DES") until AES finally replaced it in 2001.
It wasn't until 1990 that the NSA's real "involvement" in the development of DES became more widely known, when researchers published a general method for attacking block ciphers called "differential cryptanalysis". Fifteen years after the initial publication of DES, someone had finally found a serious flaw.
This, however, made it clear that the NSA knew what it was doing back in the 70s: it specifically designed the S-boxes used in DES to resist this attack after IBM researchers had discovered it (also in the 70s). It took that long for independent researchers to rediscover the technique, which perhaps lends weight to the NSA's decision to classify the information. They literally locked this knowledge away in safes to keep it from becoming public, which apparently worked for almost two decades!
Although it is now considered insecure, it may not be a surprise that some entities still use triple DES even though AES is now over 20 years old.
AES and AES-GCM
It should now be clear why NIST needed a replacement for DES, which it finally solicited in 1997. Submitted as a variant of the "Rijndael" algorithm (pronounced like "rain dahl") by two Dutch cryptographers, AES became the government standard in 2002. While DES was only approved for non-classified systems, AES is the only publicly available cipher approved for use with "top secret" information.
That isn't a surprise, as there is no known practical attack against AES. Even with today's computers, the best theoretical attacks would take billions of years. And even if the NSA did uncover some flaw in AES (obviously an area of active research for an agency like the NSA, and always will be), history suggests they would never tell us.
AES is fantastic technology, and as a symmetric cipher it's fairly quick, too. However, on its own it doesn't guarantee that data is unaltered: it provides confidentiality, not integrity. For systems that require data integrity, plain symmetric encryption might not be good enough.
Why does that matter if AES is secure? Because just because an attacker can't decrypt data doesn't mean they can't change it: flipping a few bits in the ciphertext and retransmitting it (without ever decrypting it) could be a problem. AES-GCM prevents an attacker from "messing with" data in this way.
AES-GCM adds an integrity check that authenticates the data (an authentication tag that is verified before any plaintext is accepted), making it better suited to secure, mission-critical communications.
PHP 8.4 and AEGIS
The main benefit of AEGIS compared to AES-GCM is speed (by a factor of 2-3), as AEGIS can better utilize modern multi-core processors and is more efficient in general. As we (hopefully) already know, PHP is single-threaded but still takes advantage of process-based concurrency, so improved concurrency helps even in "simple" single-threaded systems like PHP.
Would I be eager to use AEGIS when it arrives in PHP 8.4? No, because encryption isn't something to gamble with, and AEGIS needs time before it's battle-tested and proven. If you are an organization that needs AES-GCM, you probably aren't the sort of organization to gamble on newer algorithms.
That said, it's worth watching the security blogs carefully, because AEGIS promises major performance gains that may be crucial to organizations working with encrypted data at scale.
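To make the integrity point concrete, here is an added example (not code from the original post) that encrypts a constructed message three ways, unauthenticated AES-CTR, AES-GCM, and PHP 8.4's AEGIS-256 from ext/sodium, then changes one ciphertext byte before decrypting, so you can see which modes notice. The sodium_crypto_aead_aegis256_* functions and SODIUM_CRYPTO_AEAD_AEGIS256_NPUBBYTES constant are the ones added in PHP 8.4; the message, keys and associated-data value are constructed for the demo.

```php
<?php
// Added example, not from the original post. Needs PHP 8.4 (for the
// sodium_crypto_aead_aegis256_* functions) with ext/sodium and ext/openssl.
declare(strict_types=1);

// Flip the lowest bit of one ciphertext byte: a modification made without
// the key, used here only to show which modes detect it.
function flipByte(string $ct, int $offset): string
{
    $ct[$offset] = chr(ord($ct[$offset]) ^ 0x01);
    return $ct;
}

// Constructed sample message; byte 16 is the "1" in "100".
$message = 'transfer amount=100';
$aesKey  = random_bytes(32);

// 1. Plain AES in CTR mode: confidentiality only. Decryption cannot tell that
//    the ciphertext was changed; it yields a plaintext with that byte changed,
//    which is the bit-flip problem the post describes.
$iv  = random_bytes(16);
$ct  = openssl_encrypt($message, 'aes-256-ctr', $aesKey, OPENSSL_RAW_DATA, $iv);
$out = openssl_decrypt(flipByte($ct, 16), 'aes-256-ctr', $aesKey, OPENSSL_RAW_DATA, $iv);
printf("AES-CTR, tampered: %s\n", var_export($out, true));

// 2. AES-GCM: the same cipher plus an authentication tag. A modified ciphertext
//    fails the tag check, and openssl_decrypt() refuses to return any plaintext.
$iv  = random_bytes(12);
$tag = '';
$ct  = openssl_encrypt($message, 'aes-256-gcm', $aesKey, OPENSSL_RAW_DATA, $iv, $tag);
$out = openssl_decrypt(flipByte($ct, 16), 'aes-256-gcm', $aesKey, OPENSSL_RAW_DATA, $iv, $tag);
printf("AES-GCM, tampered: %s\n", var_export($out, true));

// 3. AEGIS-256 from ext/sodium in PHP 8.4: the same AEAD guarantee. The tag is
//    appended to the ciphertext, and the associated data (here a constructed
//    message id) is authenticated but not encrypted. Never reuse a nonce with a key.
$key   = sodium_crypto_aead_aegis256_keygen();
$nonce = random_bytes(SODIUM_CRYPTO_AEAD_AEGIS256_NPUBBYTES);
$ad    = 'msg-id:42';
$ct    = sodium_crypto_aead_aegis256_encrypt($message, $ad, $nonce, $key);
$out   = sodium_crypto_aead_aegis256_decrypt(flipByte($ct, 16), $ad, $nonce, $key);
printf("AEGIS-256, tampered: %s\n", var_export($out, true));
$out   = sodium_crypto_aead_aegis256_decrypt($ct, $ad, $nonce, $key);
printf("AEGIS-256, intact: %s\n", var_export($out, true));
```

The practical takeaway is the same for AES-GCM and AEGIS: treat a false return from the decrypt call as a hard failure and never act on partially decrypted data.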