Slashdot Mirror


NIST Proposes Abandoning DES

Mr. Manometer writes "With little fanfare, NIST proposed yesterday to withdraw the Federal Information Processing Standard (FIPS) for the Data Encryption Standard (DES) with a Federal Register notice (pdf). NIST is encouraging federal agencies to use the Advanced Encryption Standard (AES) instead since they feel that DES is 'now vulnerable to key exhaustion using massive parallel computations.' We all knew this day would come as computers got faster & cheaper... and this should put more pressure on folks to use stronger encryption techniques, which is a good thing." Some would argue that DES has been insufficient for some time now.

205 comments

  1. NIST endorsement of DES by SIGALRM · · Score: 5, Informative
    NIST proposed yesterday to withdraw the Federal Information Processing Standard (FIPS) for the Data Encryption Standard (DES)
    Actually, NIST withdrew their endorsement of DES in 1997. DES as a standard was adopted in 1972. Back in '74 when the NSA was looking at Lucifer for NIST, they actually approved it despite a reduction in its original key length of 128 bits to 56 bits, weakening it significantly. The NSA was accused of planting a "back-door" in Lucifer that would allow agents to decrypt without the key, but of course such a thing was never found.

    In '76 Lucifer was adopted and renamed "DES". Of course as computers became faster and more powerful, it was recognized that a 56-bit key was simply not large enough for high security applications. As a result of these and other serious flaws, NIST abandoned their official endorsement of DES in 1997 and began work on a replacement, to be called the Advanced Encryption Standard (AES). And so the story continues...
    --
    Sigs cause cancer.
    1. Re:NIST endorsement of DES by Anonymous Coward · · Score: 0

      Ahhh yes, the controversy over the SBoxes...
      I can't believe they managed to put a full-out secret back door in by changing them, but I definitely think they improved their odds either by making it easier, or by maybe having some sort of statistical analysis method they can use.

    2. Re:NIST endorsement of DES by Anonymous Coward · · Score: 0

      despite a reduction in its original key length of 128 bits to 56 bits, weakening it significantly

      Doesn't SCO Openserver still use DES encryption for shadow passwords? Just curious, if anyone knows... I'm pretty sure they do.

    3. Re:NIST endorsement of DES by Spunk · · Score: 4, Informative

      It was shown that S-Boxes chosen by the NSA made it more secure, not less. DES and Differential Cryptanalysis

    4. Re:NIST endorsement of DES by Paul+Crowley · · Score: 1

      Lucifer was vulnerable to a DC attack that reduced the effective strength to around 56 bits.

      Coppersmith maintains that the NSA had no hand in designing DES, and all the secret design features turned out to be there to make it stronger (eg against DC, which the IBM team kept secret).

    5. Re:NIST endorsement of DES by Anonymous Coward · · Score: 0

      Don't forget the fact that the 56-bit keys of DES were considered insufficient even back in the 70s by anyone knowledgeable in cryptography.

      Even back then, 64-bit keys would've been much preferable. Now that we mostly standardize on 128-bit and longer keys for symmetric ciphers, we're much better off, assuming that algorithms are at least equally resilient...hopefully they are, considering how much peer-review they have gone through compared to past attempts.

      In any case, DES was never trustworthy, based on the state-of-the-art at the time.

    6. Re:NIST endorsement of DES by cynic10508 · · Score: 1

      The NSA was accused of planting a "back-door" in Lucifer that would allow agents to decrypt without the key, but of course such a thing was never found.

      I don't have sources to back it up, but I believe the story goes that NSA made certain change recommendations without specifying why. Long story short, about a decade later the differential cryptanalysis attack was discovered but somehow DES was resistant to it because of the changes NSA suggested. I think NSA even came out after that and admitted knowing about differential cryptanalysis for around twenty years.

    7. Re:NIST endorsement of DES by Tassach · · Score: 1
      It's worth re-iterating that NSA has two different, but interrelated missions:
      1. Break the other guys' codes
      2. Keep the other guys from breaking our codes
      Most people, particularly those in the tin-foil-hat brigade, forget about the second part of NSA's mission. Making the official cypher algorithm as strong and as resistant to attack as possible is a big part of their mission.
      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  2. arrggghh... by Anonymous Coward · · Score: 5, Funny


    .... I was going to write a long, well thought out reply to this story but the IT colour scheme is causing acid flashbacks.

    The horror... the horror...

    1. Re:arrggghh... by ticklemeozmo · · Score: 4, Insightful

      I was going to write a long, well thought out reply to this story but the IT colour scheme is causing acid flashbacks

      I seriously thought the sarcasm about the crappy color scheme was going to get old after a while, but actually it still seems appropriate. For Vishnu's sake, change the friggen colors!

      --
      When modding "Informative", please make sure it both has a source and IS actually informative.
    2. Re:arrggghh... by Anonymous Coward · · Score: 0

      OH MY GOD HOW TOTALLY OFF TOPIC! QUICK SLASHDOT EDITORS, EARN THE MONEY THEY PAY YOU AND -1 THIS ONE!!

      Or, alternatively, go back through some of the bugs filed against slashcode that you closed without fixing, and fix them.

    3. Re:arrggghh... by Duncan3 · · Score: 1

      It's meant to look like an old faded newspaper... like the newspapers of years gone by that had ads for IT jobs in the USA ;)

      --
      - Adam L. Beberg - The Cosm Project - http://www.mithral.com/
    4. Re:arrggghh... by scruffy · · Score: 1
      DES sucks and so does this color scheme. Maybe NIST can intervene on Slashdot, too.

      Somebody, please stop the horror.

  3. Now I'm going to have to go back to ... by burgburgburg · · Score: 4, Funny
    social engineering, keystroke capturing and torture to get information, instead of relying on key exhaustion.

    Wait, ...ugh..., I didn't write that and more importantly, you didn't read it. It never happened. Nothing to see here. Just move on now.

    1. Re:Now I'm going to have to go back to ... by Anonymous Coward · · Score: 0

      the digit method.

    2. Re:Now I'm going to have to go back to ... by SpaceLifeForm · · Score: 2, Funny

      Damn man, you sound like the bush administration.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  4. It was bound to happen eventually. by Jim+Starx · · Score: 4, Insightful

    All realistic encryption schemes have a lifespan.

    --
    The darkness... controls the music. The music... controls the soul.
    1. Re:It was bound to happen eventually. by Retric · · Score: 1

      Not really, you can probably use an RSA encryption method with a non-fixed key length by testing the speed of your CPU and finding a key you can generate in 1 min, and you're set from now till QM comes around. Heh, I still think QM is just going back to analog computing where accuracy is limited by your ability to detect the output, in which case you can just use a very good QM to create something that can't be broken in reasonable time.

    2. Re:It was bound to happen eventually. by Jim+Starx · · Score: 1
      Not really, you can probably use an RSA encryption method with a non-fixed key length by testing the speed of your CPU and finding a key you can generate in 1 min, and you're set from now till QM comes around.

      Until of course someone finds a better way to factor numbers, or finds a different attack on RSA.

      --
      The darkness... controls the music. The music... controls the soul.
    3. Re:It was bound to happen eventually. by Red+Pointy+Tail · · Score: 1

      How about quantum encryption? Assuming that it can be done, it cannot be broken by any brute force and any false attempts will mess up quantum states.

    4. Re:It was bound to happen eventually. by Jim+Starx · · Score: 1

      http://slashdot.org/comments.pl?sid=116189&cid=983 5207

      --
      The darkness... controls the music. The music... controls the soul.
    5. Re:It was bound to happen eventually. by Retric · · Score: 1

      I said "probably use"; sure, there might be a method to crack it in non-exponential time that works on any key length, but it's based on the idea that just because you can factor X in reasonable time does not mean you can factor X^2 in reasonable time. Hell, if something is only 1,000,000 times harder to crack than to generate it's almost worthless, but if you spend 1 day generating it, it would still take 3 years on 1000 CPUs of your speed to crack, which would make financial transactions safe.

      Anyway, nobody has cracked a true one time pad because you CAN'T, and at some point we are going to find that there are key lengths that we can't crack. Ex: chances are we will never be able to crack a 9^(9^(9^(9^(9^(9^(9^9)))))) bit key; at the same time we will never be able to generate a key of that size, hell, I don't think we could ever store something that large.

      Hint: I am talking about 9^(9^(9^(9^(9^(9^387420489)))))
      9^387420489 has more than 3874204 decimal digits
      9^(9^387420489) has more than 10^3680493 digits, which would take about 1 MB of storage to hold and could be generated, but 9^(9^(9^387420489)) is way too large to comprehend its number of digits, let alone deal with.
      9^(9^(9^(9^(9^(9^387420489))))) is way too large to comprehend its number of digits, let alone deal with.

      Even if computing power starts doubling every day, there comes a point where that's not fast enough to deal with some problems before 10^1000 years have passed.

      Sure, we might crack RSA in a fashion that makes it useless; hell, I think most people decide to use key lengths that are way too short, knowing that it's OK to have your encryption broken in 20 years by anyone that wants to devote a few grand to it, as long as 10 years from now it's not breakable by anyone. But I don't think it's reasonable to say we will always be able to crack every system of sending data securely at some point.

  5. DES3 by kippy · · Score: 2

    I thought that DES3 solved the key length problem by bumping it up to 192 bits. Of course it runs 3 times as slow.

    Not that I'm saying we should cling to DES for the next hundred years. I'm all about AES.

    1. Re:DES3 by Anonymous Coward · · Score: 0

      PLEASE take a math course. 56 * 3 = 168 not 192. Thank you, please drive through

    2. Re:DES3 by dekemoose · · Score: 1

      Actually it results in an effective 168 bit key, 3*56. But yes, AES should definitely be the encryption of choice going forward, much easier on CPU power.

    3. Re:DES3 by kippy · · Score: 1

      From the link:

      Triple DES is simply another mode of DES operation. It takes three 64-bit keys, for an overall key length of 192 bits.

      I'm not sure if they are misunderstanding it but that's where I got the 192 number from.

    4. Re:DES3 by wwest4 · · Score: 4, Informative

      no, the confusion comes from DES being 64-bit with a byte's worth of parity. effective length of single DES key is 56 bits.

      now, to really mess it up - the effective key length of 3DES is 112 bits, because only 2 keys are actually used, key A and B. Encrypt with A, then B, then A.
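
A check a practitioner would want at this point, added as an example and not code from the thread: the 64-bit DES key carries one odd-parity bit per byte, so only 56 bits reach the cipher. The functions below validate that parity, extract the 56 bits that actually matter, and reject the four well-known DES weak keys (keys for which encrypting twice returns the plaintext). The sample keys in the main block are constructed for the demonstration.

```python
# Added example: DES key parity and weak-key checks (not code from the thread).
# A DES key is carried as 8 bytes (64 bits), but the cipher ignores the low bit
# of each byte, which is reserved for odd parity. Only 56 bits count.

# The four DES weak keys (parity-adjusted form); with these, E_k(E_k(x)) == x.
WEAK_DES_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}


def has_odd_parity(key: bytes) -> bool:
    """True if every byte of the 8-byte key has an odd number of 1 bits."""
    if len(key) != 8:
        raise ValueError("DES key must be exactly 8 bytes")
    return all(bin(b).count("1") % 2 == 1 for b in key)


def set_odd_parity(key: bytes) -> bytes:
    """Rewrite the low (parity) bit of each byte so the byte has odd parity.

    The 7 high bits, the ones DES actually uses, are left untouched.
    """
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        parity_bit = 0 if bin(high7).count("1") % 2 == 1 else 1
        out.append(high7 | parity_bit)
    return bytes(out)


def effective_key(key: bytes) -> int:
    """The 56 bits DES really uses, packed into an int (parity bits dropped)."""
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value


def check_des_key(key: bytes) -> str:
    """Classify a key as 'bad-length', 'weak', 'bad-parity' or 'ok'."""
    if len(key) != 8:
        return "bad-length"
    if set_odd_parity(key) in WEAK_DES_KEYS:   # weakness lives in the 56 real bits
        return "weak"
    if not has_odd_parity(key):
        return "bad-parity"
    return "ok"


if __name__ == "__main__":
    # Constructed sample keys for the demonstration.
    for hex_key in ("0123456789ABCDEF", "0000000000000000",
                    "0000000000000002", "FEFEFEFEFEFEFEFF"):
        k = bytes.fromhex(hex_key)
        print(hex_key, check_des_key(k), f"effective 56 bits: {effective_key(k):014x}")
```

Two keys that differ only in their parity bits produce the same `effective_key` value and therefore the same DES permutation, which is why the weak-key test is done on the parity-normalised form.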

    5. Re:DES3 by Anonymous Coward · · Score: 0

      The reason for the effective key length of 3DES being 112 bits is not because of only 2 keys being used, it's because of the meet in the middle attack against 2-key DES.

    6. Re:DES3 by canajin56 · · Score: 2

      Sorry, you are thinking of DES2. DES2 uses two keys, and works like this: encrypt with A, decrypt with B, encrypt with A. I'm not sure on the specifics, but using three encryptions makes it possible to exhaustively search for A and B on their own, while using a decrypt (as far as is known) requires all combinations of A||B to be exhausted.

      DES3 does, in fact, use 3 keys, and is encrypt with A, encrypt with B, encrypt with C.

      --
      ASCII stupid question, get a stupid ANSI
    7. Re:DES3 by sbowles · · Score: 1
      now, to really mess it up - the effective key length of 3DES is 112 bits, because only 2 keys are actually used, key A and B. Encrypt with A, then B, then A.

      Actually, it is encrypted with A, decrypted with B, then encrypted again with A. This is known as 2-key 3DES.

      If you use 3-key 3DES then the effective key length is 168 bits. Using 56-bit keys A, B & C the algorithm encrypts with A, decrypts with B, then encrypts with C.

      --
      You sly dog: you got me monologuing! - Syndrome
    8. Re:DES3 by kasperd · · Score: 4, Informative

      First of all it should be explained why they came up with 3-DES instead of just 2-DES. The reason is that 2-DES would be vulnerable to a meet in the middle attack. If you knew just one plaintext/ciphertext pair you could efficiently compute a small set of possible keys. It would require a lot of disk space, but in the end you would be down to approximately 2^48 keys, and it would require only 2^57 cipher block operations. Another plaintext/ciphertext pair can easily be tested against the remaining 2^48 keys to find the right one.

      In other words 2-DES is not significantly more secure than DES, but 3-DES makes the meet in the middle attack more difficult. You can no longer meet exactly in the middle, but you could meet with 1 cipher on one side and 2 ciphers on the other side. That way you have to brute force the 2 ciphers, and that way 3-DES presumably gives you the security of a 112 bit key. This is also why you normally only use two different keys for 3-DES. The third key would add no extra security.

      But 3-DES has inherited one of the weaknesses of DES. The block size is still only 64 bits. That makes you vulnerable to birthday attacks. For this reason I always advise against using the same 3-DES key for more than 512KB of data. With a 128 bit block like AES uses, a key can be safe for use for a longer time; I would say 64GB should be secure.

      --

      Do you care about the security of your wireless mouse?
    9. Re:DES3 by cynic10508 · · Score: 1

      now, to really mess it up - the effective key length of 3DES is 112 bits, because only 2 keys are actually used, key A and B. Encrypt with A, then B, then A.

      Close. Triple DES with two keys works as follows:
      Encrypt with key 1, decrypt with key 2, then finally encrypt again with key 1.
      That'll give you a cipher with a 112-bit key strength.

      But, you can also do 3DES with three keys as follows:
      Encrypt with key 1, decrypt with key 2, encrypt with key 3.
      Now you have the strength of a 168-bit key. AES could do 192-bit keys with fewer computations.

    10. Re:DES3 by wwest4 · · Score: 1

      doh - as pointed out, it's encrypt with A, decrypt with B, then encrypt with A, and then only in "EDE" mode. you can also use 3 keys (EEE mode). sorry!
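
To make the two points in this sub-thread concrete (kasperd's meet-in-the-middle argument against double encryption, and the E-D-E ordering discussed by sbowles, cynic10508 and wwest4), here is an added example that is not code from the thread. It uses a toy 16-bit Feistel cipher of my own, chosen so that the whole key space fits in memory: double encryption with two 16-bit keys nominally has 2^32 keys, but meet-in-the-middle recovers both keys with about 2^17 cipher operations plus a 2^16-entry table, and about 2^16 candidate key pairs survive the first known pair, exactly the shape kasperd describes for DES (2^48 candidates, 2^57 operations). It also shows why triple DES is E-D-E rather than E-E-E: with all three keys equal, EDE degenerates to a single encryption, which is what let triple-DES implementations interoperate with single-DES peers. The toy cipher offers no security and exists only to make the key-space arithmetic observable.

```python
# Added example (not from the thread): meet-in-the-middle against double
# encryption, and the EDE-vs-EEE structure of triple encryption, on a toy
# cipher. Toy cipher: 16-bit block, 16-bit key, 4-round Feistel. NOT SECURE.
import random

ROUNDS = 4
KEY_BITS = 16


def _round_function(x: int, rk: int) -> int:
    """8-bit keyed mixing; a Feistel round function need not be invertible."""
    x = (x + rk) & 0xFF
    x = ((x << 3) | (x >> 5)) & 0xFF
    return x ^ ((x * 0x35 + 0x4B) & 0xFF) ^ rk


def _round_keys(key: int) -> list:
    rks = []
    for i in range(ROUNDS):
        key = ((key << 5) | (key >> 11)) & 0xFFFF      # rotate the 16-bit key
        rks.append((key ^ (0x63 * (i + 1))) & 0xFF)
    return rks


def _feistel(block: int, rks: list) -> int:
    left, right = block >> 8, block & 0xFF
    for rk in rks:
        left, right = right, left ^ _round_function(right, rk)
    return (right << 8) | left          # final swap: decryption is the same network


def toy_encrypt(block: int, key: int) -> int:
    return _feistel(block, _round_keys(key))


def toy_decrypt(block: int, key: int) -> int:
    return _feistel(block, _round_keys(key)[::-1])


def double_encrypt(block: int, k1: int, k2: int) -> int:
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs.

    Cost: 2^16 encryptions to build the table plus 2^16 decryptions to probe
    it, instead of 2^32 trial double encryptions. Returns how many candidate
    pairs survive the first pair (about 2^16 here) and the survivors after
    every pair has been checked.
    """
    p0, c0 = pairs[0]
    forward = {}                                   # E_k1(p0) -> [k1, ...]
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(toy_encrypt(p0, k1), []).append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):                # D_k2(c0) must meet E_k1(p0)
        for k1 in forward.get(toy_decrypt(c0, k2), ()):
            candidates.append((k1, k2))
    after_first_pair = len(candidates)
    for p, c in pairs[1:]:                         # extra pairs weed out false matches
        candidates = [(k1, k2) for k1, k2 in candidates
                      if double_encrypt(p, k1, k2) == c]
    return after_first_pair, candidates


def triple_ede(block: int, k1: int, k2: int, k3: int) -> int:
    """Encrypt-Decrypt-Encrypt, the 3DES construction; 2-key 3DES sets k3 == k1."""
    return toy_encrypt(toy_decrypt(toy_encrypt(block, k1), k2), k3)


def triple_eee(block: int, k1: int, k2: int, k3: int) -> int:
    return toy_encrypt(toy_encrypt(toy_encrypt(block, k1), k2), k3)


def ede_collapses_to_single(key: int, block: int) -> bool:
    """With all keys equal, EDE is one plain encryption (single-DES compatibility)."""
    return triple_ede(block, key, key, key) == toy_encrypt(block, key)


if __name__ == "__main__":
    rng = random.Random(7)                         # constructed demo keys and plaintexts
    k1, k2 = rng.randrange(1 << 16), rng.randrange(1 << 16)
    pairs = [(p, double_encrypt(p, k1, k2)) for p in (0x1234, 0xBEEF, 0x0042)]
    survivors, found = meet_in_the_middle(pairs)
    print(f"candidates after one pair: {survivors} (about 2^16); recovered: {found}")
    print("EDE(k,k,k) == E(k):", ede_collapses_to_single(k1, 0x1234))
    print("EEE(k,k,k) == E(k):", triple_eee(0x1234, k1, k1, k1) == toy_encrypt(0x1234, k1))
```

Scaling the numbers up: with DES the table has 2^56 entries of 64 bits each, which is the "lot of disk space" in kasperd's comment, and the same one-sided-table trick against 3DES (table over one key, search over the other two) is what caps 3-key 3DES at roughly 112 bits rather than 168.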

    11. Re:DES3 by Chandon+Seldon · · Score: 1

      How does a birthday attack apply to a cipher? It's clear how it would matter in the case of hash algorithms, but you can't get collisions with a cipher...?

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
    12. Re:DES3 by Paul+Crowley · · Score: 1

      No, they're thinking of 2-key 3DES. I've never heard of "DES2".

    13. Re:DES3 by Chandon+Seldon · · Score: 1

      Although 3des uses 3*56 = 168 key bits, the difficulty of breaking it is equivalent to 112 bits due to a meet in the middle attack. To complicate it further, I'm pretty sure the 112 bits is a data storage requirement (i.e. 6.5*10^32 bytes / 10^32 is about a million trillion trillion).

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
    14. Re:DES3 by thogard · · Score: 1

      It's not even 112 effective bits because the parity bits form a nice matrix of worthless bits in the cypher. So the simple approach, two 64 bit keys x2, should give the illusion of 128 bit crypto, but in fact the parity bits of the 1st key affect the key strength of the second, so it's (64-8-8)+(64-8-8)=96 effective strength. Add in the fact that the s-boxes in DES also reduce the effective strength anywhere from 2 to 6 bits (depending who you ask) and you end up with 3DES being no stronger than 84 bits. When you start reducing your key space that much, there are a wide range of other attacks that you can do involving pre-calculating related keys. Long ago many people looked into combining 3DES from DES(A)->DES(B)->DES(A) into F(C), and there had been some reasonable progress, but it required a huge array of data and expanded the internals to a size that was undoable. There are chips from Altera now that can cope with the internal array size. To me, that means 3DES is dead.

    15. Re:DES3 by kasperd · · Score: 2, Informative

      but you can't get collisions with a cipher...?

      Encryption is a little more than just using a cipher. You need some mode of operation. ECB mode, where you just split your message into 64 bit blocks and apply the cipher to each, is weak. The problem is that an attacker can easily see which blocks contain the same cleartext, because they will all result in the same ciphertext. I once saw this illustrated by encrypting some black and white image where each 8x8 pixels were encrypted using DES in ECB mode. In the encrypted version you could still faintly see the outline of the original picture.

      We have a definition of semantic security, that handles this and other problems. It is impossible to achieve semantic security with a deterministic encryption; you need a probabilistic encryption, where a little randomness is added to the message. The encrypted message will then be larger than the original, and if the same cleartext is encrypted twice, you will get different ciphertexts. Typically you would use modes like CBC or CFB where the encrypted version is just one block longer than the original. So a 1000 bytes cleartext would be 1008 bytes encrypted. What happens in CBC mode is that each cleartext block is XORed with a random bitstring before being encrypted. Actually you only choose a random bitstring for the first block; for the remaining blocks you use the encrypted version of the previous block, but that is actually random because the cleartext was XORed with a random bitstring before being encrypted.

      So in CBC mode you will not be encrypting your cleartext, but rather a sequence of random blocks. As long as you don't encrypt the same block more than once, the adversary cannot learn anything about your message, without actually performing an attack against the cipher. But if you keep using the same key for a long time, eventually two random blocks will be the same, and the adversary will be able to see this, and can use it to compute some information about the cleartext.

      --

      Do you care about the security of your wireless mouse?
    16. Re:DES3 by armb · · Score: 1

      PKCS#11, for example, uses DES3 to mean three-key triple DES and DES2 to mean two-key triple DES.

      --
      rant
    17. Re:DES3 by Chandon+Seldon · · Score: 1

      Your comment isn't 100% clear, but you seem to be saying that there is a birthday attack on CBC mode.

      Thinking about it for a bit, the best attack I can visualize has a ciphertext requirement of at least block size squared blocks (i.e. 2^128 blocks for a cipher with a 64 bit blocksize), and only accomplishes making CBC mode equivalent to ECB mode.

      Is there a legitimate attack on a smaller block size, or is it just an issue of speeding up the block algorithm? References?

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
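
The birthday issue kasperd raises and Chandon Seldon asks about, as an added example that is not code from the thread. The data requirement is 2^(n/2) blocks for an n-bit block, not 2^n: with 64-bit blocks a repeated ciphertext block becomes likely after roughly 2^32 blocks (32 GiB under one key), and in CBC a collision C_i = C_j tells a passive observer that P_i XOR P_j = C_{i-1} XOR C_{j-1}, because equal outputs of a permutation mean equal inputs. The code uses a 16-bit block so the collision shows up after a few hundred blocks; the random permutation standing in for the keyed cipher and the plaintext are constructed placeholders, and `birthday_probability` gives the figures for the real block sizes.

```python
# Added example (not from the thread): the birthday bound on block size and
# the plaintext leak a ciphertext-block collision causes in CBC mode.
import math
import random

BLOCK_BITS = 16            # tiny on purpose; DES/3DES is 64, AES is 128


def birthday_probability(block_bits: int, n_blocks: int) -> float:
    """P(at least one collision) among n_blocks values drawn from 2^block_bits."""
    return 1.0 - math.exp(-n_blocks * (n_blocks - 1) / (2.0 * 2 ** block_bits))


def make_block_cipher(seed: int) -> list:
    """A random permutation of the block space stands in for a keyed block
    cipher (constructed placeholder; an ideal cipher looks like this)."""
    table = list(range(1 << BLOCK_BITS))
    random.Random(seed).shuffle(table)
    return table


def cbc_encrypt(cipher: list, iv: int, plaintext: list) -> list:
    out, prev = [], iv
    for p in plaintext:
        prev = cipher[p ^ prev]             # C_i = E(P_i XOR C_{i-1})
        out.append(prev)
    return out


def leaked_xors(iv: int, ciphertext: list) -> list:
    """Passive attack: C_i == C_j means the cipher inputs were equal, so
    P_i XOR C_{i-1} == P_j XOR C_{j-1}, i.e. P_i XOR P_j == C_{i-1} XOR C_{j-1}.
    Returns (i, j, P_i XOR P_j) triples computed only from IV and ciphertext."""
    def prev_of(k: int) -> int:
        return iv if k == 0 else ciphertext[k - 1]
    first_seen, leaks = {}, []
    for j, c in enumerate(ciphertext):
        if c in first_seen:
            i = first_seen[c]
            leaks.append((i, j, prev_of(i) ^ prev_of(j)))
        else:
            first_seen[c] = j
    return leaks


def demo(n_blocks: int = 1500, seed: int = 1) -> dict:
    rng = random.Random(seed)                                   # constructed data
    cipher = make_block_cipher(seed)
    iv = rng.randrange(1 << BLOCK_BITS)
    plaintext = [rng.randrange(1 << BLOCK_BITS) for _ in range(n_blocks)]
    ciphertext = cbc_encrypt(cipher, iv, plaintext)
    leaks = leaked_xors(iv, ciphertext)
    verified = all(plaintext[i] ^ plaintext[j] == x for i, j, x in leaks)
    return {"collisions": len(leaks), "leaks_verified": verified,
            "expected_p": birthday_probability(BLOCK_BITS, n_blocks)}


if __name__ == "__main__":
    print(demo())
    for bits, blocks, label in ((64, 2 ** 16, "64-bit block, 512 KB"),
                                (64, 2 ** 32, "64-bit block, 32 GiB"),
                                (128, 2 ** 32, "128-bit block, 64 GiB")):
        print(f"{label}: P(collision) = {birthday_probability(bits, blocks):.3g}")
```

The leak is the XOR of two plaintext blocks, so it is only as damaging as the attacker's knowledge of one of them (a fixed header, padding, a known field), which is why the practical limits people quote for 64-bit block ciphers are set far below the point where a collision becomes probable.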
  6. As a self-appointed representative of ... by burgburgburg · · Score: 4, Funny
    America's LSD Manufacturers, I'd like to point out that at its worst (as regards quality control), no US produced acid would ever have created colors like this.

    I'm not one to point fingers, but if they do have to be pointed, they should be pointed at Mushrooms or toad licking. Not acid.

    1. Re:As a self-appointed representative of ... by cynic10508 · · Score: 1

      I'm not one to point fingers, but if they do have to be pointed, they should be pointed at Mushrooms or toad licking. Not acid.

      Remember: when you lick a toad, you're licking every toad that toad has had sex with!

  7. Computation power?? by www.sorehands.com · · Score: 4, Insightful
    It is always expected that any encryption will be crackable given sufficient computing power, and with Moore's law, that will always eventually happen. But of course by that time, a new, more secure algorithm that requires more computing power to encrypt will be available.

    It is interesting to note that they recommend using a faster algorithm.

    Of course us, of the tin-foil-hat, brigade know that the government has a very secure algorithm (gotten from area 51), but they never tell us about, just so we use an algorithm that we think is secure, but they have their own back-door.

    1. Re:Computation power?? by Anonymous Coward · · Score: 0

      Here's what I don't understand: The story mentions key exhaustion as the perceived threat. AES is supposed to be a fast cypher, so how would a message which was encrypted with an AES key be any more immune against key exhaustion than a message encrypted with a DES key of the same length? The key space is the same, the algorithms are both fast and suitable for hardware implementation. What's the magic ingredient?

      Besides, this color scheme sucks.

    2. Re:Computation power?? by Ford+Prefect · · Score: 1

      It is interesting to note that they recommend using a faster algorithm.

      I'm disappointed they didn't recommend my favourite, triple-ROT13.

      Virtually unbreakable...

      --
      Tedious Bloggy Stuff - hooray?
    3. Re:Computation power?? by mattjb0010 · · Score: 1

      It is always expected that any encryption will be crackable given sufficient computing power

      Not one time pads, although they are unpractical, and quantum cryptography which is (currently) expensive, and also distance limited since repeaters can't be used.

    4. Re:Computation power?? by Anonymous Coward · · Score: 0
      The point is that DES and AES don't have the same key length. The DES standard doesn't let you take the algorithm and somehow duct tape another 72 bits onto the keys. It just doesn't work like that.

      DES did have some other problems in that you didn't have to exhaust the whole keyspace, or even close to it. IIRC, with a bit of cleverness, you had to run through something like 2**40 keys (as if it were a 40-bit key).

    5. Re:Computation power?? by Anonymous Coward · · Score: 0

      I've gone you one better, as I use quadruple ROT13. So there.

    6. Re:Computation power?? by Ford+Prefect · · Score: 1

      I've gone you one better, as I use quadruple ROT13. So there.

      Now that's just being unrealistic. How could anyone ever decrypt something like that?

      --
      Tedious Bloggy Stuff - hooray?
    7. Re:Computation power?? by AnotherBlackHat · · Score: 1

      It is always expected that any encryption will be crackable given sufficient computing power, and with Moore's law, that will always eventually happen.


      Moore's "law" will stop eventually.
      It might take 200 years, but eventually you hit speed of light limits, Heisenberg limits on distance, and quantum limits on energy usage.
      (Of course, non-fundamental limits are likely to put a stop to Moore's law first.)

      56 bits isn't enough to prevent brute forcing, but 512 bits certainly is.
      At 256 bits, it's easier to look everywhere the key might be hidden, including inside the mind of the enemy.

      Even if Moore's law continued to work, 128 bit keys should hold for another 100 years.

      -- less is better.
    8. Re:Computation power?? by gpinzone · · Score: 1

      Unpractical? Anyway, quantum cryptography IS one time pads with a transmission method that ensures the key is delivered without being intercepted. Once the key is received, the encrypted data can be sent via any unsecured medium.

    9. Re:Computation power?? by Anonymous Coward · · Score: 0

      Yeah, since it's well known we've arrived at the end of physics there will be no chance for faster computation.

    10. Re:Computation power?? by Chandon+Seldon · · Score: 1

      Actually, as key sizes get larger, the required effort to crack by brute force gets pretty silly.

      According to Bruce Schneier's "Applied Cryptography" , I paraphrase:
      With an ideal computer using the entire energy output of the sun for 32 years, you could cause a 192 bit counter to cycle through all its possible values.

      And, an actual quote:

      "These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space."
      --
      -- The act of censorship is always worse than whatever is being censored. Always.
    11. Re:Computation power?? by jaoswald · · Score: 1

      We may not have reached the end of physics, but if you are relying on the claim that "undiscovered physics will allow transistors made smaller/faster than current physics permits" you aren't making a very persuasive argument.

      Are you expecting atoms to be made smaller? Are you expecting light to go faster? Hoping won't make it so.

      Or are you suggesting all the evidence for quantum and relativistic limits to be simply "not thinking hard enough"? If so, you have an insultingly low opinion of the physics community.

    12. Re:Computation power?? by Anonymous Coward · · Score: 0

      Encryption cost typically goes up linearly with the length of the encryption key, or at worst N(log N) depending on the algorithms. Brute force decryption cost goes up exponentially with key length. It is *trivial* to use a 1024 bit key that even with Moore's law will take hundreds of years to be able to crack.

      No, the reasons for the limited key lengths is to deliberately make them vulnerable to the best available federal decryption technologies, as demonstrated by the EFF's published paper on parallel cracking of the older straight DES algorithm.

    13. Re:Computation power?? by Dwonis · · Score: 1
      Anyway, quantum cryptography IS one time pads with a transmission method that ensures the key is delivered without being intercepted

      It wouldn't have to be. If you wanted to, you could exchange 3DES keys over a quantum cryptographic channel. (And if you're paying $0.10/bit to use the QC channel, you might just consider it. ;-) )

    14. Re:Computation power?? by Dwonis · · Score: 1

      There's always parallel processing. (Yes, this has limits too, but they're much higher than a lot of people would like to think.)

    15. Re:Computation power?? by gpinzone · · Score: 1

      The 3DES key is still not as strong as a OTP. In fact, nothing is.

  8. Man, they are cruel by Anonymous Coward · · Score: 5, Funny

    They want me to abandon DES and Internet Explorer? Please, NIST, why do you keep recommending against my favorite applications.

    Let's hope we'll never see ICQ and Windows ME on that list.

    1. Re:Man, they are cruel by wayward · · Score: 1

      Yeah, and the masterpiece known as Windows 98.

  9. Which is why... by baudilus · · Score: 5, Funny

    Which is why we have to invent an unrealistic encryption scheme. Then we can use it forever.

    1. Re:Which is why... by mattjb0010 · · Score: 4, Funny

      Which is why we have to invent an unrealistic encryption scheme. Then we can use it forever.

      You mean a one time pad?

    2. Re:Which is why... by kasperd · · Score: 4, Informative

      Then we can use it forever.
      You mean a one time pad?


      You cannot use a one time pad forever. The name should be a pretty good hint about that. Unfortunately reusing a one time pad is suggested again and again by people not fully understanding what it is all about. In many cases a one time pad is unrealistic because you have to exchange new keys over a secure channel. And usually you want to use the one time pad because you don't have a secure channel. But actually some secure channels exist that can be used to exchange the key, but cannot be used for the data transfer. One such example is seen in quantum cryptography.

      However, though a one time pad is unconditionally secure, it only guarantees secrecy. Integrity is an entirely different matter. Luckily there also exist unconditionally secure MACs for that, and they are a lot more realistic than a one time pad, because the key is smaller and most of the key can be reused. This is very important because without integrity over a classical channel, even quantum cryptography would have been vulnerable to a man in the middle attack.

      But quantum cryptography is not the only way to exchange a one time pad. Other unrealistic ways to exchange a one time pad are using either noisy channels or assumptions about memory bounded adversaries. I call them unrealistic because they are both based on somewhat unrealistic assumptions and require extreme amounts of data to be transferred to create a small one time pad. The most realistic way to exchange a one time pad probably still is to do it in advance. In some cases the exchange in advance makes a lot of sense. Think for example wireless equipment. You'd consider a wire to be secure, but it is inconvenient. But you still have to connect a wire occasionally to recharge your battery; at the same time a one time pad could be transferred over a faster and more secure wired link.

      --

      Do you care about the security of your wireless mouse?
    3. Re:Which is why... by mattjb0010 · · Score: 1

      You cannot use a one time pad forever.

      That's not what I said, I said you can use the one time pad encryption scheme forever. Please read all the words next time.

      This is very important because without integrity over a classical channel, even quantum cryptography would have been vulnerable to a man in the middle attack.

      Quantum crypto key exchange is invulnerable to a man in the middle attack because in QM making a measurement disturbs the state of the system that is then detectable by the true receiver, it is not due to anything classical.

    4. Re:Which is why... by kasperd · · Score: 1

      a measurement disturbs the state of the system that is then detectable by the true receiver

      That is exactly where the integrity is required. Without the integrity between the two communicating parties, quantum cryptography is obviously vulnerable. A man in the middle could simply perform two completely independent instances of the quantum protocol to exchange the key. Neither party would realize that they were talking with an adversary rather than the intended peer. In the end they would have two different keys, but the adversary knows both keys, and can decrypt and reencrypt the message as it passes by.

      --

      Do you care about the security of your wireless mouse?
    5. Re:Which is why... by Jim+Starx · · Score: 1
      I don't think that's entirely true though. You have to be able to observe the state to receive information and you have to be able to transmit the state to send information. Someone can observe the state in the middle and then quickly retransmit a copy. The original signal is corrupted just as QM predicts but the copy is in its place.

      I have an incredibly hard time believing any claims of encryption being unbreakable solely

      --
      The darkness... controls the music. The music... controls the soul.
    6. Re:Which is why... by arose · · Score: 1
      Quantum crypto key exchange is invulnerable to a man in the middle attack because in QM making a measurement disturbs the state of the system that is then detectable by the true receiver, it is not due to anything classical.
      But there is still the "axe in the middle attack": if you can't listen to them, disturb them.
      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    7. Re:Which is why... by RetroGeek · · Score: 1

      a one time pad is unconditionally secure

      I wonder.

      If the message is some text (as opposed to binary information), then a sufficiently powerful computer (whatever that means) can try out all possible combinations of bits in all possible positions given the length of the message to try to extract the information. Combine this with a dictionary and grammar rules, and eventually the message pops out.

      Of course I will be retired by then.

      It still comes down to the question of "How long does it need to be secure?". Forever in encryption is a misnomer...

      --

      - - - - - - - - - - -
      I am a programmer. I am paid to produce syntax not grammar. Deal with it.
    8. Re:Which is why... by mattjb0010 · · Score: 1

      My bad, I got eavesdropping mixed up with man-in-the-middle attacks.

    9. Re:Which is why... by kasperd · · Score: 1

      I wonder.
      That is because you don't understand why a one time pad is secure. As soon as you understand the proof, you don't have to worry any more. A one time pad is unconditionally secure. Formally that means an adversary learns no information about the message by seeing the encryption.

      Before seeing the encryption the adversary could make some guess about the contents of the message. Not all messages are equally likely, we assume the adversary knows some probability distribution over possible messages. Now what happens is that a message and a key are chosen, the key is chosen uniformly at random over the possible keys, and the message is encrypted. Now we have a probability distribution over pairs of message and keys. Of course as soon as we give the adversary the encrypted message, a lot of these pairs become impossible, as they don't result in that encrypted message. Now the adversary can compute a probability distribution of messages given this encrypted message (formally defined in probability theory). And unconditional security means this probability distribution is the same as the adversary started with. Which means after seeing the encryption the adversary cannot make a guess any better than he could have done without seeing the encrypted message.

      If the message is some text (as opposed to binary information), then a sufficiently powerful computer (whatever that means) can try out all possible combinations of bits in all possible positions given the length of the message to try to extract the information. Combine this with a dictionary and grammar rules, and eventually the message pops out.
      I knew somebody was going to say that. It happens every time it is stated that OTP is unconditionally secure. Yes, you can try every possible key, and every possible message of that length will eventually come out. You could have done exactly the same without seeing the encryption. Just write down all possible plain texts of a given length, and the right one will be somewhere. But you still don't know which one is the right one. Given an encryption and a plaintext, there is exactly one key that will decrypt the message to that plaintext.

      --

      Do you care about the security of your wireless mouse?
    10. Re:Which is why... by Anonymous Coward · · Score: 0

      A one time pad IS forever!

      I have plaintext p, and key k.

      I use p[n] ^ k[n] = c[n] to generate ciphertext c.

      Knowing only c, without knowing k, you cannot determine p - EVER!

      For any c, different values of k are equally likely (assuming random k) - no computer, nothing can determine p knowing only c.

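The argument in kasperd's post above (the adversary's distribution over messages is unchanged by the ciphertext, and each plaintext corresponds to exactly one key) and the `p[n] ^ k[n] = c[n]` sketch in the Anonymous Coward's post can be checked mechanically on a toy-sized pad. The following is an added example, not code from either poster: it uses 3-bit messages and a constructed, deliberately skewed prior so that the whole key space can be enumerated and the posterior compared with the prior exactly.

```python
from fractions import Fraction
from itertools import product

N = 3  # message length in bits (constructed toy size so every key can be enumerated)


def otp(bits, key):
    """One-time pad: c[n] = p[n] ^ k[n], and the same operation decrypts."""
    if len(bits) != len(key):
        raise ValueError("key must be exactly as long as the message")
    return tuple(b ^ k for b, k in zip(bits, key))


ALL_WORDS = [w for w in product((0, 1), repeat=N)]

# Adversary's prior over messages (constructed): not every message is equally likely.
PRIOR = {
    (0, 0, 0): Fraction(1, 2),
    (1, 1, 1): Fraction(1, 4),
    (1, 0, 1): Fraction(1, 4),
}


def posterior(prior, ciphertext):
    """P(message | ciphertext) when the key is uniform over all N-bit strings.

    Pairs (message, key) that do not produce this ciphertext are discarded;
    what remains is renormalised, exactly as in the conditional-probability
    definition kasperd describes."""
    key_prob = Fraction(1, 2 ** N)
    joint = {}
    for m, pm in prior.items():
        for k in ALL_WORDS:
            if otp(m, k) == ciphertext:
                joint[m] = joint.get(m, 0) + pm * key_prob
    total = sum(joint.values())
    return {m: p / total for m, p in joint.items()}


def perfectly_secret(prior):
    """True if no ciphertext changes the adversary's distribution over messages."""
    return all(posterior(prior, c) == prior for c in ALL_WORDS)


def brute_force(ciphertext):
    """Try every key against one ciphertext: returns {plaintext: key}.

    Every N-bit plaintext shows up exactly once, so the exhaustive search
    'finds' all messages and identifies none of them."""
    return {otp(ciphertext, k): k for k in ALL_WORDS}


if __name__ == "__main__":
    c = otp((1, 0, 1), (0, 1, 1))
    print("ciphertext:", c)
    print("posterior == prior for every ciphertext:", perfectly_secret(PRIOR))
    print("plaintexts reachable by brute force:", len(brute_force(c)), "of", len(ALL_WORDS))
```

The guarantee rests on the key being uniformly random, at least as long as the message, and never reused; `brute_force` shows why a dictionary or grammar check cannot pick the winner, since the key that maps the ciphertext to "What's new?" is just as valid as the one that maps it to "Attack at dawn!".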
    11. Re:Which is why... by RetroGeek · · Score: 1

      ya see, you DO learn stuff on /.

      --

      - - - - - - - - - - -
      I am a programmer. I am paid to produce syntax not grammar. Deal with it.
    12. Re:Which is why... by Gemini · · Score: 1
      If the message is some text (as opposed to binary information), then a sufficiently powerful computer (whatever that means) can try out all possible combinations of bits in all possible positions given the length of the message to try to extract the information. Combine this with a dictionary and grammar rules, and eventually the message pops out.

      It doesn't work that way, exactly.

      A true one-time pad is unconditionally secure because there is no way to determine when your proposed powerful computer has cracked the message.

      For example, given the string "jsdlf341kj,snvcq", it could translate to "What's new?" or "Attack at dawn!" depending on what the key is. Without the key, you might translate it into a parseable message, but you have no way of knowing if that is the real message.
    13. Re:Which is why... by pclminion · · Score: 1
      You have to be able to observe the state to receive information and you have to be able to transmit the state to send information. Someone can observe the state in the middle and then quickly retransmit a copy. The original signal is corrupted just as QM predicts but the copy is in its place.

      What you've just described is precisely what quantum cryptography makes impossible. You assume you can "retransmit a copy." However, it is impossible to clone a quantum state without destroying it.

      Hence, as soon as an eavesdropper taps in, he is immediately detected, at which point both ends of the conversation simply stop talking.

      Sure, you can DOS a QC channel, but you can do that to ANY channel. The beauty of QC is that it is physically impossible to eavesdrop on the channel in an undetectable way, and this is guaranteed by some very fundamental laws of physics.

    14. Re:Which is why... by Jim+Starx · · Score: 1

      If you can't create a quantum state then how is data even encrypted? For that to be possible there MUST be some process that creates the desired quantum state.

      --
      The darkness... controls the music. The music... controls the soul.
    15. Re:Which is why... by Dwonis · · Score: 1

      There's also the man-in-the-middle attack, as another poster pointed out.

    16. Re:Which is why... by kasperd · · Score: 1

      If you can't create a quantum state then how is data even encrypted?

      You can create a quantum state, but you cannot create a copy of an existing quantum state. You can create a qubit and decide which state you want it to be in. For quantum cryptography only 4 states are used. But an adversary cannot find out which of the 4 states you used. The adversary can choose a state and create a qubit in that state, but he cannot know if it was the same state as the qubit he got from the channel.

      --

      Do you care about the security of your wireless mouse?
    17. Re:Which is why... by Jim+Starx · · Score: 1

      The state that's being used has to be told to the receiving party. He's free to eavesdrop on that transmission. Or simply observe only a few of the particles. Quantum states are probabilistic. Depending on the amount being transferred I'd think it would be quite feasible for you to interfere in a small portion of the qubits, enough to have a greater than 50% chance of knowing the correct state, but not enough to significantly affect the final probabilities used to catch eavesdropping.

      --
      The darkness... controls the music. The music... controls the soul.
    18. Re:Which is why... by kasperd · · Score: 1

      The state that's being used has to be told to the receiving party.
      No, not the entire state, only the basis. If you know the basis you can perform a measurement that will tell you the rest of the information about the state. But what is important to notice here is, that the sender tells what basis was used after the intended recipient has acknowledged that the bits were received and measured. If the adversary passed the right qubit to the receiver, he doesn't have it anymore at this point, so it cannot be measured. If it wasn't passed on to the receiver, the receiver must have been measuring on a wrong qubit, which will be detected.

      Or simply observe only a few of the particles.
      That is one of the reasons privacy amplification is applied to the common bitstring as the very last step to produce the common key. An adversary might get a few qubits right. But either the adversary measures too few bits to learn anything about the outcome after privacy amplification, or the adversary measures too many bits to do so undetected.

      --

      Do you care about the security of your wireless mouse?
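The exchange kasperd describes in the two posts above (bases announced only after the receiver has measured, mismatched positions sifted out, a sample compared to detect disturbance, privacy amplification as the last step) can be simulated end to end. This is an added example and not code from any poster or from a real QKD product: qubits are modelled as (bit, basis) pairs, an intercept-and-resend eavesdropper who measures a chosen fraction of them in a guessed basis stands in for "observe only a few of the particles", the 11% abort threshold is an assumed value for this demo, and SHA-256 is a constructed stand-in for the universal hashing real privacy amplification uses. The classical channel is assumed authenticated, which is exactly the integrity requirement kasperd points out; the simulation does not model the two-independent-instances man-in-the-middle that an unauthenticated channel would allow.

```python
import hashlib
import random

QBER_THRESHOLD = 0.11  # abort above this sampled error rate (assumed value for the demo)


def measure(qubit, basis, rng):
    """Measure a qubit modelled as (bit, basis).

    The preparation basis returns the bit and leaves the qubit alone. A wrong
    basis gives a random outcome and collapses the qubit into the measuring
    basis, which is the disturbance the protocol relies on to detect taps."""
    bit, prep_basis = qubit
    if basis == prep_basis:
        return bit, qubit
    outcome = rng.randrange(2)
    return outcome, (outcome, basis)


def bb84(n, eve_fraction=0.0, seed=1):
    """Run one BB84-style exchange over n qubits; eve_fraction of them are tapped."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]  # 0 = rectilinear, 1 = diagonal
    qubits = [(b, s) for b, s in zip(alice_bits, alice_bases)]

    # Intercept-resend on a fraction of the qubits: the eavesdropper measures in a
    # guessed basis and forwards a fresh qubit in the state observed (no cloning).
    for i in range(n):
        if rng.random() < eve_fraction:
            _, qubits[i] = measure(qubits[i], rng.randrange(2), rng)

    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = [measure(q, s, rng)[0] for q, s in zip(qubits, bob_bases)]

    # Only after Bob reports that everything has been measured are the bases
    # compared over the (authenticated) classical channel; mismatches are dropped.
    sifted = [i for i in range(n) if alice_bases[i] == bob_bases[i]]

    # Half of the sifted positions are revealed to estimate the error rate (QBER).
    sample, keep = sifted[::2], sifted[1::2]
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / len(sample) if sample else 0.0

    # Privacy amplification (simplified): hash the remaining bits down so that the
    # few bits an eavesdropper may know are diluted away. SHA-256 is a stand-in
    # for the universal hash families real protocols use.
    alice_key = hashlib.sha256("".join(str(alice_bits[i]) for i in keep).encode()).hexdigest()
    bob_key = hashlib.sha256("".join(str(bob_bits[i]) for i in keep).encode()).hexdigest()
    return {
        "sifted": len(sifted),
        "qber": qber,
        "abort": qber > QBER_THRESHOLD,
        "alice_key": alice_key,
        "bob_key": bob_key,
    }


if __name__ == "__main__":
    for fraction in (0.0, 0.1, 1.0):
        r = bb84(2000, fraction)
        print(f"tapped={fraction:.1f} sifted={r['sifted']} qber={r['qber']:.3f} "
              f"abort={r['abort']} keys_match={r['alice_key'] == r['bob_key']}")
```

With nothing tapped the sampled error rate is zero and both sides derive the same key; tapping everything pushes the rate toward the textbook 25% and the run aborts. Tapping a small fraction stays under the threshold, which is the scenario kasperd answers: the eavesdropper then holds a few of the raw bits, and hashing the remainder down is what removes their value.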
  10. YES!!! by Tenebrious1 · · Score: 4, Funny

    Oh yeah! Now foreign powers will have to go back to sending sexy spies to seduce the secrets out of us instead of just breaking the codes!

    --
    -- If god wanted me to have a sig, he'd have given me a sense of humor.
    1. Re:YES!!! by Anonymous Coward · · Score: 0

      I can tell by your post that you don't have any secrets that are worth wasting one's seductive powers on. Go fig.

    2. Re:YES!!! by Anonymous Coward · · Score: 1, Funny

      I, for one, welcome our new sexy spy overlords.

    3. Re:YES!!! by dj245 · · Score: 2, Funny
      Oh yeah! Now foreign powers will have to go back to sending sexy spies to seduce the secrets out of us instead of just breaking the codes!

      In a related story, a mysterious female named "Alotta Patootie" was detained at a northern border crossing on suspicion of ill intent. Formal charges have not been announced, but the woman did try to seduce four CBP (Customs and Border Protection) agents and succeeded in kicking a fifth in the tallywhacker.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
    4. Re:YES!!! by Anonymous Coward · · Score: 0


      Upon being turned away by U.S. authorities and trying to return to Canada, Canadian border authorities refused to believe she was not a professional stripper and required her to produce pictures of herself totally nude on stage. When they were informed she wasn't carrying any, the helpful Canadian authorities offered to take some for her.

  11. NIST already said DES isn't sufficient by chizu · · Score: 2, Informative

    I thought NIST had already recommended replacing DES with AES several years ago. It's been fairly obvious for a while now that distributed computing could crack DES encoded data.

    It will be AES's time before long anyways, with quantum computing these algorithms become fairly useless.

    1. Re:NIST already said DES isn't sufficient by Anonymous Coward · · Score: 0

      AES is vulnerable to algebraic attacks. Stick with Blowfish.

    2. Re:NIST already said DES isn't sufficient by ZenCaser · · Score: 1
      I'm not sure. Quantum computing square roots the search time. This is impressive, but hardly enough I think. AES is 256, easy is 512, 4096 keys should be no big deal 'soon' [insert your own definition of 'soon' here], etc.

      http://en.wikipedia.org/wiki/Quantum_computer

      - Rob Vega

  12. What about triple DES by Slick_Snake · · Score: 3, Insightful

    It's been accepted by many in the industry that DES was too weak. However you can use DES repeatedly with different keys to make up for it and thus you get triple DES. It effectively gives you a key space of 56 * 3 = 168 bit keys which is much better. And you could always run the data through a few more times if you are really paranoid.

    1. Re:What about triple DES by baudilus · · Score: 2, Interesting

      While your argument is valid, I fail to see the usefulness of spending more time to strengthen a weak algorithm rather than using one that is inherently more secure. It's like putting more and more duct tape over the hole rather than just changing the pipe.

    2. Re:What about triple DES by Anonymous Coward · · Score: 0

      that would be 56+56+56 which will give you the equivalent of about 58 bit of encryption - not 168

    3. Re:What about triple DES by Anonymous Coward · · Score: 3, Informative

      Actually, triple DES uses one of the keys twice, so you only get a key space of 112 (56 * 2) bits.

    4. Re:What about triple DES by cw0 · · Score: 2, Insightful

      The algorithm itself was never weak. It was actually the key length that made it weak. That's why only brute force can be used to break it.

      --
      Russe in Beton und Stahl, müde alles Material.
    5. Re:What about triple DES by Anonymous Coward · · Score: 0

      READ THE ARTICLE... You don't really understand what you are talking about or you wouldn't have made such a stupid comment. You don't sum the keys and use the result, you use three separate keys. The result is a total of 168 bits.

    6. Re:What about triple DES by akula1 · · Score: 2, Informative

      Triple DES actually has a key complexity of around 112 bits, but more importantly is significantly slower than AES due to the need for three sequential passes with three (or more often two) separate keys.

      As a result AES has more key complexity and runs faster, which is why it makes sense to drop DES/3DES.

    7. Re:What about triple DES by Slick_Snake · · Score: 1

      If you would READ THE ARTICLE you would see that the reuse of one of the keys is optional. You can use a third key which is kinda the point of Triple DES.

    8. Re:What about triple DES by Mes · · Score: 1

      Does AES really have 128 complexity? Without knowing, I would assume that it is like DES and uses parity bits. 3DES has 128 bit keys, but uses 16 of them for parity.

    9. Re:What about triple DES by Thagg · · Score: 2, Insightful

      There are significant advantages of triple DES.

      1) DES has been around a long time. People have attacked it for years, with every new and old technique of cryptanalysis. DES was created by IBM with help (no, really!) from NSA -- it was NSA that proposed adjustments in the S-Boxes that made DES more resistant to differential cryptanalysis. DES has proven to be secure, except for the obvious key-length problem, in the very best way you can prove an algorithm secure -- by having the best minds on the planet beat on it mercilessly for decades.

      2) DES hardware exists, and is inexpensive and relatively secure. Using current hardware to implement triple DES is easy.

      3) It's upward compatible with existing systems. Using the same key three times yields the same as doing regular 56-bit DES (The second DES is usually set up in decrypt mode.) One could well argue that the interoperability with single DES is not really a win, though -- that it allows users to be insecure.

      While AES is great, and has been vetted as well as can be expected in the few years since its invention, triple DES is not a bad alternative.

      thad

      --
      I love Mondays. On a Monday, anything is possible.
    10. Re:What about triple DES by michael_cain · · Score: 2, Insightful
      DES hardware exists, and is inexpensive and relatively secure. Using current hardware to implement triple DES is easy.

      Indeed. It is one thing for NIST to recommend that everyone using software implementations of DES should change to something else (although it appears that they are actually only recommending it to government users). It is a very different thing to deal with the millions of consumer devices out there with hardware DES which would have to be replaced.

    11. Re:What about triple DES by Slick_Snake · · Score: 2, Informative
      Being a bit slower may actually be an advantage when the only method of attack is brute force. As for having a key complexity of 112 bits, that is only if you use two keys instead of three. If you are worried about people breaking it you would use three, but even if you used two lets take a look at it.

      If you could try one key at every clock cycle, which would be amazing in and of itself, it would take you 54,844,652,936,586,090.5 years of computation on a 3 GHz machine to try every key. If you take half of that it gives you the average time to break the key. So to break it, on average, in one year you would need 27,422,326,462,045 3 GHz computers all working together on it non-stop. Still too weak for you? It's amazing what doubling the bits can do to the complexity.

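Two points from this sub-thread are worth seeing in code: Thagg's remark that encrypt-decrypt-encrypt with one key repeated collapses to single DES, and the disagreement over whether three 56-bit passes are worth 168, 112 or "about 58" bits. The following is an added example, not code from the posters or from any DES implementation: it uses a small constructed Feistel cipher (32-bit block, 16-bit key, nothing like the DES S-boxes) so that the entire key space can be searched in seconds. It shows the EDE compatibility property, and then shows on plain double encryption why simply adding key lengths overstates the strength: the meet-in-the-middle search costs about twice a single key search rather than their product, which is the textbook reason the triple construction is used and why two-key 3DES is rated near 112 bits rather than 168.

```python
KEY_BITS = 16          # toy key size (DES uses 56); keeps the full search fast
ROUNDS = 4
MASK16 = 0xFFFF


def _f(half, subkey):
    """Toy round function (constructed; not DES)."""
    x = (half ^ subkey) & MASK16
    x = (x * x + 0x5A5A) & MASK16
    return ((x << 7) | (x >> 9)) & MASK16


def _subkeys(key):
    """Toy key schedule: one 16-bit subkey per round."""
    return [(key * (i + 1) + 0x9E37) & MASK16 for i in range(ROUNDS)]


def encrypt(block, key):
    """Feistel encryption of a 32-bit block under a 16-bit key."""
    left, right = block >> 16, block & MASK16
    for sk in _subkeys(key):
        left, right = right, left ^ _f(right, sk)
    return (right << 16) | left


def decrypt(block, key):
    """Inverse of encrypt: same rounds with the subkeys in reverse order."""
    left, right = block >> 16, block & MASK16
    for sk in reversed(_subkeys(key)):
        left, right = right, left ^ _f(right, sk)
    return (right << 16) | left


def ede_encrypt(block, k1, k2, k3):
    """Encrypt-decrypt-encrypt, the triple-DES construction.

    With k1 == k2 == k3 the middle decrypt undoes the first encrypt and the
    result equals a single encryption, which is the backward-compatibility
    property Thagg describes."""
    return encrypt(decrypt(encrypt(block, k1), k2), k3)


def ede_decrypt(block, k1, k2, k3):
    return decrypt(encrypt(decrypt(block, k3), k2), k1)


def double_encrypt(block, k1, k2):
    """Plain double encryption, which is what 'just add the key lengths' assumes."""
    return encrypt(encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) of double encryption from known plaintext/ciphertext pairs.

    Cost is about 2 * 2**KEY_BITS cipher calls plus a table, not 2**(2*KEY_BITS):
    encrypt the first plaintext under every k1, then decrypt its ciphertext
    under every k2 and look for a meeting value. Extra pairs weed out chance
    matches on the 32-bit block."""
    p0, c0 = pairs[0]
    forward = {}
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(encrypt(p0, k1), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):
        for k1 in forward.get(decrypt(c0, k2), ()):
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found


if __name__ == "__main__":
    block = 0xDEADBEEF
    print("EDE with one key == single encryption:",
          ede_encrypt(block, 0x1234, 0x1234, 0x1234) == encrypt(block, 0x1234))
    k1, k2 = 0x1234, 0xBEEF
    pairs = [(p, double_encrypt(p, k1, k2)) for p in (0x00000001, 0x89ABCDEF)]
    print("double-encryption keys recovered:", meet_in_the_middle(pairs))
```

The same counting applies to the real thing: two 56-bit keys in a double construction would fall to a 2^57-step search with a 2^56-entry table, which is why the triple construction exists, and why its two-key form is credited with about 112 bits of work rather than the 168 that the sum of three key lengths suggests. AES reaches 128 bits in one pass, which is akula1's point about speed.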
    12. Re:What about triple DES by man_ls · · Score: 2, Interesting

      One interesting tidbit (from "Applied Cryptography") was that the NSA adjustments to the S-boxes actually predicted and secured for a vaunerability that was discovered 30 years later.

      When the S-box attacks came out in the 90s or so, people thought DES might be vaunerable to it -- but the adjustments the NSA had made decades before to the standard prevented its vaunerability.

      That's impressive. Did they know, or was it just lucky.

    13. Re:What about triple DES by Anonymous Coward · · Score: 0

      No. Although you can use three separate keys, doing so will not be 3DES. Triple DES refers to encrypting three times (Well, encrypt/decrypt/encrypt) with two keys.

    14. Re:What about triple DES by provolt · · Score: 1

      No. Your assumption is wrong. 128-keys use the full 128 bits.

    15. Re:What about triple DES by russotto · · Score: 3, Informative

      They knew. The IBM team discovered differential cryptography (IIRC called it the "T attack") while developing the cipher. NSA already knew about it even then, though, so Biham and Shamir are at least the third set of inventors/discoverers of that technique.

    16. Re:What about triple DES by Anonymous Coward · · Score: 0

      VULNER... not VAULNER...

  13. I nominate this for understatement of the day by Marxist+Hacker+42 · · Score: 4, Insightful

    Some would argue that DES has been insufficient for some time now.

    Yeah, like since the day I first heard about it, back in 1995.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    1. Re:I nominate this for understatement of the day by Saeed+al-Sahaf · · Score: 1
      Yeah, like since the day I first heard about it, back in 1995.

      But of course back in 1972 around the time it was first developed, things were different, eh?

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    2. Re:I nominate this for understatement of the day by Marxist+Hacker+42 · · Score: 1

      Just that when I first heard about it was when somebody created a beowulf cluster of Pentiums to break it- and thus, it's been pretty well useless ever since. Yes, I'd have to say that prior to that, things were different.

      True, there's always been the rumor that the NSA had a back door to DES- but that was never proven AFAIK.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  14. Computation power??-Thrice around the block. by Anonymous Coward · · Score: 0

    So what does this mean for 3DES?

  15. Why not run RC5-72? by Agent+Green · · Score: 1

    // karmaburn - Start

    C'mon...even the distributed.net folks aren't gonna break that one anytime soon unless someone gets really lucky...which is why anyone involved in that project should really dump it and start running Predictor@Home or something useful.

    // karmaburn - End

    --
    // Agent Green (Ian / IU7 / KB1JQO)
    // IEEE 802.3: All 10base Are Belong To Us
    1. Re:Why not run RC5-72? by Anonymous Coward · · Score: 0

      I like distributed.net but you're 100% correct about RC5-72 - it's going to be a long long project. I spend my CPU cycles on Seti, OGR, or even the prime number search but not RC5-72.
      Aggregate Statistics
      Total Blocks to Search: 1,099,511,627,776
      Total Blocks Tested: 1,383,407,276
      Overall Rate: 27 Blocks/sec
      Total Keys to Search: 4,722,366,482,869,646,000,000
      Total Keys Tested: 5,941,689,007,468,446,000
      Overall Rate: 113,856,868,705 Keys/sec
      Percent Complete: 0.126%
      Time Working: 604 days

  16. Perhaps instead of AES... by Anonymous Coward · · Score: 0

    we should stick to a system that offers "everlasting security" and stop depending on CPU cycles to slow down attackers. Dr. Rabin's Hyper-Encryption, anyone?

    http://www.india-today.com/ctoday/20010501/trends.html
    http://humboldt.sunyit.edu/553/The%20Key%20Vanishes-Scientist%20Outlines%20Unbreakable%20Code.htm

    (p.s.: while they're not mirrors, the plagiarism is close enough that you only need to read one)

    1. Re:Perhaps instead of AES... by obergeist666 · · Score: 2, Interesting

      From the India Today article:

      Two people wishing to exchange a secret message would need to set up a source of genuinely random numbers that broadcasts these numbers to both of them, and that produces so many random numbers that no eavesdropper could possibly record everything it broadcasts for whatever interval of time it takes to set up a message.

      This sounds like yet another one-time pad scheme. One-time pads are provably unbreakable, but the problem is the key distribution and storage. The article continues:

      The first step in sending a message would be for the sender to notify the receiver to start listening for random numbers at a certain time, or both parties might be continuously listening, so that the numbers to be used might be collected over days or weeks instead of minutes. Both parties would, according to a prearranged system governed by a key, listen for, and record, a minute subset of the broadcast random numbers, small enough that it could be recorded easily.

      There's your weakness: there is a prearranged system governed by a key to record the one-time pad. How will you communicate that key? An eavesdropper could record that key.

      And also, it could take days or even weeks to generate one single one-time pad. So it's not very practical. Remember, you cannot reuse a one-time pad. Reusing it makes it vulnerable to attacks.

    2. Re:Perhaps instead of AES... by Anonymous Coward · · Score: 0

      There's your weakness: there is a prearranged system governed by a key to record the one-time pad. How will you communicate that key? An eavesdropper could record that key. And also, it could take days or even weeks to generate one single one-time pad. So it's not very practical. Remember, you cannot reuse a one-time pad. Reusing it makes it vulnerable to attacks.

      Not to imply RTFA here, because it looks like you did, but HyperEncryption is a scheme that, at least in my read, generates the one-time-pad dynamically as the message is being sent and doesn't store it. It wouldn't take days or weeks to generate the pad--it's done on the fly and is supposedly pretty efficient. You don't reuse the one-time-pad-- you reuse the key that generates the one-time-pad.

      The big step HyperEncryption takes over basic one-time-pad schemes is that you don't need to distribute a new pad every time you want to communicate. You distribute one key, once, and then use that key for all time, provably unbreakable. DES and AES aren't much more innocent--you still need an initial key to do anything.

      What HyperEncryption adds is the security that five years down the line, when computers are faster and processors better, someone can't crack your key and understand all your old messages. The only way to "break" HyperEncryption is to have the legitimate root key during the exact instant of broadcast--and if you've got that already, then no security method can stop you.

    3. Re:Perhaps instead of AES... by Black+Acid · · Score: 1

      I haven't read anything about "HyperEncryption" but you may want to hear what Bruce Schneier has to say about one-time pads. Although OTPs are provably unbreakable, many cryptosystems that claim to be OTP actually generate the pads with stream ciphers, which invalidates the guarantee of OTP.

    4. Re:Perhaps instead of AES... by Anonymous Coward · · Score: 0

      Welcome to quantum entanglement, where in theory the states of remote quanta can be tangled such that information can be transmitted, but any man-in-the-middle attack will detangle them. It may make secure one-time pad approaches quite reasonable.

  17. Elliptic Curve Cryptosystem... by daffer · · Score: 1

    Could anyone explain why EC systems are not adopted as a standard? From what I have studied, one can use smaller numbers and get encryption just as strong as RSA or Diffie-Hellman. And it is a lot easier to implement than DES or AES.

    1. Re:Elliptic Curve Cryptosystem... by Anonymous Coward · · Score: 0

      Patents.

    2. Re:Elliptic Curve Cryptosystem... by daffer · · Score: 1

      Oh yeah, that is an important fact I forgot about. Thank you.

    3. Re:Elliptic Curve Cryptosystem... by akula1 · · Score: 3, Informative

      Many cryptanalysts don't trust ECC yet because there has not been enough peer review (i.e. attempts to break it) of the mathematics of the algorithm.

    4. Re:Elliptic Curve Cryptosystem... by jmdjmd · · Score: 1

      Elliptic curve systems are way slower than AES (or DES). Also, the two are very different animals. AES and DES are symmetric ciphers, which means that the sender and receiver each need the same, secret key. On the other hand, elliptic curve systems (like RSA) are asymmetric (or public key) ciphers, which means that only the receiver's (private) key needs to be kept secret. The sender's key can be made public, hence the name ;-). The big disadvantage of public key ciphers are their relative slowness.

    5. Re:Elliptic Curve Cryptosystem... by dark_panda · · Score: 4, Informative

      Elliptic curve cryptography is a public/private key system like DSA or RSA. It's an asymmetric cipher method where the key used to encrypt is not necessarily the same key used to decrypt.

      DES and AES are symmetric ciphers, where you use the same key for both operations.

      The two forms of crypto have different uses, and ECC isn't all that useful as a replacement for DES. That's what AES is for.

      As an aside, Diffie-Hellman is a method of key agreement, and is not a cipher in itself, but rather it is used in conjunction with other crypto systems. (IPsec, for instance, uses DH, I believe.)

      J

    6. Re:Elliptic Curve Cryptosystem... by daffer · · Score: 1

      Sorry, I meant the discrete logarithm cipher similar to RSA. El Gamal, I believe? Thank you for the feedback, though.

  18. zerg by Lord+Omlette · · Score: 1

    Microsoft's .NET has AES built in and I'm pretty sure AES is what Trillian uses for encryption, so I say go for it!

    --
    [o]_O
    1. Re:zerg by ZenCaser · · Score: 1
      Trillian uses Blowfish.

      http://www.ceruleanstudios.com/products/tech_specs.php

      Quick google for old Trillian encryption exploit. I don't know how it's faring now:

      http://www.winnetmag.com/Article/ArticleID/26690/26690.html

      I still use it, as I put it in the 'better than nothing' column. I also have IMSecure on (56-bit DES, oh no!) but I'm a community of one.

      - Rob Vega

    2. Re:zerg by Lord+Omlette · · Score: 0, Offtopic

      owned ;_;

      --
      [o]_O
    3. Re:zerg by antagonizt · · Score: 1

      nope, trillian uses blowfish

    4. Re:zerg by cynic10508 · · Score: 1

      Microsoft's .NET has AES built in and I'm pretty sure AES is what Trillian uses for encryption, so I say go for it!

      The vast majority of times the problem isn't with the algorithm, but rather with the implementation. So just because something has a certain crypto algorithm doesn't mean it will be invulnerable to attacks.

  19. noooo! by Destoo · · Score: 1, Funny

    Or maybe they should drop it for me, Destoo.

    I've been using that handle since around '89

    --
    Nouvelles de jeux et technologies en français. TC
  20. Insufficient for what? by m.h.2 · · Score: 4, Insightful

    "Some would argue that DES has been insufficient for some time now."

    Insufficient for what? I hate to play semantics, and I'm no cryptographer, but as I understand it, the inadequacies of an encryption algorithm are primarily defined by the implementation and the reason for it [application]. OK, it's a weak cipher, but in certain instances, it may still be useful. Right?

    1. Re:Insufficient for what? by daffer · · Score: 1

      I think at this point it is useful for playing around with buddies or planning a surprise birthday. The point is, with technological advances of recent, DES is now susceptible to brute force attacks, which is a very bad thing for sensitive data.

    2. Re:Insufficient for what? by Goodbyte · · Score: 1

      According to this site How much is security worth (note from 1996). ...shows how someone with an investment of less than a million dollars can build a hardware DES key-cracking machine capable of breaking DES keys in less than a day. For an investment of a few hundred thousand, an organization could build a device that could break 40 bit keys in less than a minute... So, today 56-bit DES shouldn't be too hard to break for larger corporations.

    3. Re:Insufficient for what? by nkntr · · Score: 3, Insightful

      I think that this falls under the "anything worth encrypting is worth encrypting well" category. If you are doing it for pure educational sake, use whatever you want. But if you are charged with a purpose of keeping some information private, then it is your responsibility to use an encryption method that is sufficient to keep it private.

    4. Re:Insufficient for what? by Paul+Crowley · · Score: 1

      When using a fantastically good algorithm is free, why use a worse one? AES is not only vastly more secure than DES, it's also much simpler and somewhat faster.

    5. Re:Insufficient for what? by cynic10508 · · Score: 3, Insightful

      Insufficient for what?

      What it boils down to is that DES has a fixed key length of 56 bits. Sure, you can 3DES it but you've also tripled the number of computations you have to do for every block of data. So while DES's key size has remained fixed, computing power is expanding at Moore's law. So, inevitably, computing power will overwhelm DES's practicality. It's just a matter of time (read: now). While AES, on the other hand, allows you to expand the key size from 128-bits by 64-bit blocks. So we could be running encrypted communications channels with 512-bit (or higher) AES if we liked.

  21. Good! by l0ungeb0y · · Score: 3, Funny

    Nice to hear they got some good consulting.

    I've been using AES-256 on all my projects that deal with sensitive data since ohhh -- 2001.

    Considering that DES has been relegated to hack toy status for some time now and triple-DES is only marginally better since it's just DES encryption done threefold I think this is a very wise but belated move.

    And when Hollywood even makes fun of an encryption grade by showing a guy breaking it in 60 seconds while getting a BLOWJOB, you KNOW it's time to stop using it!

    1. Re:Good! by kakos · · Score: 1

      Technically, it isn't AES if you are using a 256 bit key. AES specifically defines a 128 bit key. If you use anything higher than that, you're using Rijndael.

    2. Re:Good! by kakos · · Score: 2, Informative

      Also, 3DES is about as good as AES with regards to security, but magnitudes slower. Thousands of cycles compared to AES's 100 cycles.

    3. Re:Good! by l0ungeb0y · · Score: 1

I always use Rijndael, since Rijndael is AES! And yes I use a 256-bit key as my standard.

      And as long as I've ever used AES I've been under the distinct impression that the AES (rijndael) algorithm uses three cipher key strengths: 128, 192, or 256-bit encryption key.

      So feed me some links that show me I'm wrong here people.

    4. Re:Good! by provolt · · Score: 1

      You are incorrect. AES specifies three key lengths (128, 192, 256). You are thinking of the blocksize. The blocksize for AES is 128 bits (and only 128 bits). The Rijndael algorithm can be easily adapted to allow other block sizes.

  22. Say what you will about DES, but please ... by burgburgburg · · Score: 2, Funny
    don't cast aspersions on the practice of putting on more and more duct tape over a hole. Not only is this a sound, well-respected engineering practice (as is evidenced by my saying it), but America's Duct Tape Manufacturers need your every effort to keep our business on steady financial ground.

Whenever there is any doubt about the structural integrity of any item (from little glass figurine to 18 wheeler transporting corrosive chemicals), slap some duct tape on it. And then a little bit more. You'll be glad you did.

    1. Re:Say what you will about DES, but please ... by SpaceLifeForm · · Score: 2, Funny
      Man, you really are part of the bush administration.

      But, hey, get with the program dude, you forgot to mention the plastic.

      And don't forget, WD-40 has a role also.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    2. Re:Say what you will about DES, but please ... by MalleusEBHC · · Score: 1

      don't cast aspersions on the practice of putting on more and more duct tape over a hole.

      Just a random guess, but do you work for Intel?

  23. Triple DES AES by Anonymous Coward · · Score: 2, Informative

    Although DES's key length is short, it's a remarkably strong cipher. There are some methods to crack DES where you can do a ~little~ better than trying all the combinations, but not much better.

    Triple DES extends the key length to something acceptable and there isn't any serious cryptanalytic attack on it -- after decades of people hammering at it. Today we even know that the NSA did a good job choosing the S-boxes (although we could do a little better today.)

    AES wasn't really designed to be secure, it was designed to have low CPU and power requirements so it could run on smart cards. As a result, they chose to use the absolute minimum number of rounds that they could get away with. Take away a few rounds and AES falls... If you have to use AES, use it in 192-bit mode or greater. Not for the key length but for the extra rounds.

    AES is just a few years old and there are a lot of attacks that are nearly successful and practical. In 128-bit mode it's like a 12-inch wall with an 11-inch long crack in it. That last inch might hold, but I wouldn't bet on it. I tell my clients to use 3DES, and you should too...

    http://www.cryptosystem.net/aes/
http://www.wordiq.com/definition/Advanced_Encryption_Standard

  24. Disallowed for .se use for a while by Anonymous Coward · · Score: 3, Interesting

    When I did my military service in Sweden 96/97 I came across the official introduction book to cryptology (the Swedish military has, as I assume every national military has, a book division making various manuals). It was pretty standard starting out with substitution and permutation and quickly moving past most techniques up to finite field equations. I don't know when the book was written (it didn't say), but probably in the mid to late 80's since the most recent book reference was from 85. The thing that really caught my eye was however a paragraph that essentially said "DES is not certified for secure transmissions in the Swedish military for reasons we will not discuss here". Given that they broke every crypto system transmitted over Sweden during WWII, I would take their advice if they say not to use a cipher.

    1. Re:Disallowed for .se use for a while by p2sam · · Score: 1

      DES is designed for non-military, non-classified, "sensitive" information. So give DES a break, would ya? :)

      The business world (banks) has VAST amount of infrastructure and capital invested in DES and 3DES, and it will not go away anytime soon.

  25. Critics proven right by msblack · · Score: 4, Informative

One of the earliest critics of DES (FIPS-46) was Whitfield Diffie, a maverick of his time. The government, industry, and press all hailed the 56-bit DES as a milestone breakthrough. At that time, ITAR regulations limited encryption algorithms to 28 or 40 bits, a serious restriction for international corporations. IBM was prohibited from using Lucifer with its offshore subsidiaries because the Feds equated it with nuclear weaponry.

Diffie is probably best renowned for his methodology known as knapsack encryption. This was an alternative to RSA, which was computationally prohibitive in the early 1980s.

I remember having difficulty in my old college days in obtaining a copy of RSA. My school had to obtain a copy of their paper from MIT through inter-library loan. I had not realized that RSA would gain such widespread adoption because ITAR would prevent international implementation for any US-based company.

    --
    signature pending slashdot approval
    1. Re:Critics proven right by hackstraw · · Score: 2, Informative

      Diffie is probably best renowned for his methodology known as knapsack encryption.

      I would think that he is known for Diffie-Hellman key exchange, especially since Hellman created the knapsack encryption :)

      Diffie-Hellman key exchange is done every day when one makes a ssl or ssh connection.

  26. As above, not *really* 168 bits by eparusel · · Score: 1
    Re:DES3 (Score:4, Informative) by wwest4 (183559) on Thursday July 29, @11:18AM (#9834409)
    no, the confusion comes from DES being 64-bit with a byte's worth of parity. effective length of single DES key is 56 bits. now, to really mess it up - the effective key length of 3DES is 112 bits, because only 2 keys are actually used, key A and B. Encrypt with A, then B, then A.
    Also: http://encyclopedia.thefreedictionary.com/3DES
  27. correct, DES is not DITSCAP compliant by MarkEst1973 · · Score: 1

I am a gov't contractor in the DC metro area. While not yet reaching the rest of the country, all projects in this area for the DoD must conform with DITSCAP guidelines (DoD Information Technology Security Certification and Accreditation Process). DES and Triple DES are not compliant with DITSCAP. For now, AES is the standard.

    A DITSCAP security scan checks everything from hardware to OS to application, checking permissions, accounts that own processes and NT services, and a DITSCAP compliant application logs *everything*.

My application logs every change to the database, when it happened, and by whom. They track who accesses what, whether or not they were given access, and alerts go out to security officers when anything out of the ordinary happens (read: often).

    It takes months to secure an application for DITSCAP, and as a web guy I think some of it is bunk. Most of their guidelines were written for desktop apps where it is entirely possible to do things that are entirely impossible to do in a web environment. Nevertheless, we code to the letter of the law and attempt to address every security point brought up in a scan. Whether or not they are valid points (or even worthwhile to do because many of the points are easily fooled) is irrelevant because a scan is a scan and we must adhere to our security auditors' guidelines.

    As far as this thread goes, only AES will pass a security scan. Nothing else qualifies and you would be forced to implement all your encryption with AES.

  28. But who wants a totally secure system? by panurge · · Score: 4, Interesting
    I'm reminded of Terry Pratchett's Havelock Vetinari, (various Discworld books) who gets his pet scientist to devise him cyphers that are merely fiendishly difficult - because he wants his enemies to think they know what he is thinking.
    This is actually a valid point about intelligence. Although it's obvious that there are places where uncrackable encryption should be used if at all possible, there are many others where disinformation can be used to great effect. An example is where a message crackable in finite time is allowed to be intercepted because by the time it is decrypted it is too late to take action, the object being to build up the credibility of an information source prior to shovelling out a great load of disinformation. I believe this technique was used ahead of the D-Day landings as part of the plan to persuade the Germans that the invasion would actually be in the Pas de Calais.

    For this reason I would have thought it was unwise for official bodies to make statements about the use of different forms of encryption - unless it's a double bluff and DES will continue to be used for short-life messages.
    Tinfoil hat? Stress-relieved oxygen-free copper plated mumetal in my case.

    --
    Panurge has posted for the last time. Thanks for the positive moderations.
  29. Cracking yesterday's secrets? by danharan · · Score: 3, Insightful

Secrets normally take years, often decades to be out in the public domain. What was daunting before EFF's 1998 achievement is looking more and more trivial for a government that wouldn't blink at the cost of buying a 1,000 node super-computer.

    To future-proof secrets, you'd have to encrypt at a level that not only would be ridiculously expensive to crack today, but as long as you need to keep them, well, secret. Imagine some of the files from the time of the UNSC's Iraq debates a year-and-a-half ago getting cracked today or before the next US presidential election.

    --
    Information: "I want to be anthropomorphized"
    1. Re:Cracking yesterday's secrets? by Paul+Crowley · · Score: 0

      Secrets encrypted properly with an AES-based system should be secure against purely cryptanalytic recovery for on the order of a century or more, if Moore's law holds.

  30. DES by Anonymous Coward · · Score: 1, Insightful

    So they aren't going to admit that the only reason for recommending it in the first place was that they had the ability to break it all along? And now that lots of others can, it gives them no advantage...

  31. Quantum Computing by KrisHolland · · Score: 1

Anyone know any cyphers that are immune to Shor's algorithm? I don't think AES is...

    1. Re:Quantum Computing by Anonymous Coward · · Score: 0

      Anything that's not public key, such as AES.

    2. Re:Quantum Computing by Abcd1234 · · Score: 1

Well, given that AES isn't an asymmetric cipher, and hence doesn't use products of primes, I don't see what Shor's algorithm (a prime factorization algorithm) has to do with anything.

  32. Slight correction by rkit · · Score: 2, Informative

    The knapsack algorithm was devised by Ralph Merkle and Martin Hellman. Knapsacks would still be computationally prohibitive if they had not been broken.
    Also, Whitfield Diffie is certainly best renowned for the Diffie-Hellman algorithm for key exchange.

    --
    sig intentionally left blank
  33. Corrections to the above history by Paul+Crowley · · Score: 3, Informative

    Diffie didn't invent knapsack encryption. Diffie and his colleague, Martin Hellman, invented the first public key cryptosystem, Diffie-Hellman, and founded the modern field of cryptography. We all owe them (and Ralph Merkle, who basically did the same things at the same time) an enormous debt.

    There were no ITAR limits on key length. The law simply stated that you needed a license to export products that included cryptography; strictly interpreted that would have included a Secret Decoder Ring. It wasn't until Lotus wanted to export Notes with crypto built in that the NSA got involved in the process of making it possible for products that used crypto to be granted export licenses by demanding features such as CDWF, which made it easy for the NSA to break messages while keeping it hard for everyone else.

    Lucifer was vulnerable to a differential cryptanalytic attack that reduced the effective key strength to around 56 bits. However, IBM and the NSA kept their knowledge of DC secret until Biham and Shamir rediscovered it in 89.

    RSA was invented later. It was never prohibitively slow, though of course it's got much faster over the years.

If you wanted a description of RSA, why didn't you just buy a copy of Scientific American, where it was first published in Martin Gardner's "Mathematical Games" column?

  34. AES is *much* stronger than 3DES by Paul+Crowley · · Score: 2, Insightful

    AES certainly was designed to be secure. You exaggerate the extent of what people have against it so far by an absolutely gargantuan margin.

    In addition, you are clearly unaware of Stefan Lucks's attacks on 3DES, which take it down to about 72 bits of security - far from the 112 it promises. You might as well just use DESX, which is about as strong but three times faster.

  35. Further clarification by jhantin · · Score: 2, Informative

    Actually, 3DES uses encrypt with A, decrypt with B, encrypt with A. This makes the degenerate case where A equals B backwards-compatible to single-key DES, and is why 3DES is also called DES-EDE.

    However, using 3 keys with any cipher only squares the time to key recovery, regardless of whether the first key and the last key are equal. Assuming you know both the plaintext P and ciphertext C for a given message, compute a table of all possible results of encrypting P with keys 1 and 2, and a table of all possible results of decrypting C with key 3, then join on the intermediate ciphertext. If only 2 keys were used, computing and joining two single-key tables would bring the time cost down to only 1 additional bit of key strength.

    --
    ...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
  36. Or since 1972 when it was first proposed by Paul+Crowley · · Score: 1

    Diffie and Hellman attacked the short key length of DES from the day it was proposed, arguing for keys of at least 128 bits in length. Michael Wiener proposed a $1 million hardware cracking machine not long afterwards, to demonstrate the vulnerability. People could do the sums even then and see that 56 bits was far from being enough.

  37. Effective strength of 3DES: about 90 bits by Paul+Crowley · · Score: 2, Informative

    It was known when 3DES was proposed that the "meet in the middle" attack reduced the effective strength to 112 bits. Lucks's attacks reduce that strength to 90 bits. See

    http://th.informatik.uni-mannheim.de/People/Luck s/ papers.html

    1. Re:Effective strength of 3DES: about 90 bits by Slick_Snake · · Score: 1

Even with a reduced strength of 90 bit brute force still requires 13,075,984,224.46 years with 3 billion keys a second. How secure do you need it to be? Even the best super computer would have to be really really lucky to break it in its operational lifetime. To put it in clearer terms if you gave everyone in the world a modern computer and had them ALL work on breaking it together it would on average take 1000 years.

    2. Re:Effective strength of 3DES: about 90 bits by Paul+Crowley · · Score: 1

      Your sums are correct, and indeed an 80 bit difficulty is usually considered sufficient to be beyond the reach of any attacker. However, it makes it far from clear that we can have more confidence in 3DES than in AES.

      In addition, you have to consider "key collision attacks". Under some circumstances your attacker can arrange for the same text to be encrypted many times with many different keys. They can then attempt a brute force attack where they can efficiently test each guess against any of the keys used. This attack has been used to break the security of ATM machines using a relatively tiny hardware DES cracker. To resist this attack, your keyspace must be larger than the product of the number of keys you use and the number your attacker can test. If you use 500 keys a second, you might generate 2^34 keys in just over a year, at which point the difficulty of breaking one of them is comparable to the difficulty of breaking DES.
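The two attacks described in this thread, jhantin's meet-in-the-middle on double encryption (post 35) and the "key collision" / multi-target brute force above, are easy to misjudge from the prose alone, so here is an added worked example that is not part of the original discussion. It uses a deliberately tiny 16-bit add-rotate-xor cipher as a stand-in for DES (an assumption so the attacks finish in seconds; it is not DES and is not secure), with constructed known plaintexts and random victim keys. It shows the MITM recovering a 32-bit two-key pair with about 2^18 cipher calls instead of 2^32, that EDE with all three keys equal collapses to single encryption, and that searching for any one of N keys that encrypted the same known plaintext costs about keyspace/N trials:

```python
"""Added example: meet-in-the-middle on double encryption and multi-target
("key collision") brute force, on a toy 16-bit cipher standing in for DES.
Constructed for illustration; the cipher is NOT DES and is NOT secure."""
import random
from functools import lru_cache

BLOCK_MASK = 0xFFFF    # 16-bit block
KEY_SPACE = 1 << 16    # 16-bit key
ROUNDS = 4


def _rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & BLOCK_MASK


@lru_cache(maxsize=None)
def _round_keys(key):
    """Trivial key schedule: rotate the key and mix in a round constant."""
    rks, k = [], key & BLOCK_MASK
    for i in range(ROUNDS):
        k = _rotl16(k, 5) ^ ((0x9E37 * (i + 1)) & BLOCK_MASK)
        rks.append(k)
    return tuple(rks)


def toy_encrypt(key, block):
    """Add-rotate-xor rounds; every step is invertible, so this is a permutation."""
    x = block & BLOCK_MASK
    for rk in _round_keys(key):
        x = (x + rk) & BLOCK_MASK
        x = _rotl16(x, 7)
        x ^= rk
    return x


def toy_decrypt(key, block):
    x = block & BLOCK_MASK
    for rk in reversed(_round_keys(key)):
        x ^= rk
        x = _rotl16(x, 9)            # rotate right by 7
        x = (x - rk) & BLOCK_MASK
    return x


def double_encrypt(k1, k2, block):
    """Two independent keys: 32 nominal key bits, but only ~17 bits of work below."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def ede_encrypt(k1, k2, k3, block):
    """Encrypt-decrypt-encrypt; with k1 == k2 == k3 it is single encryption."""
    return toy_encrypt(k3, toy_decrypt(k2, toy_encrypt(k1, block)))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) of double_encrypt from known (plaintext, ciphertext) pairs.
    Cost: 2 * KEY_SPACE cipher calls (times len(pairs)) plus a KEY_SPACE-entry
    table, instead of KEY_SPACE**2. Three pairs give a 48-bit fingerprint of the
    middle value so the 2**32 key pairs produce essentially no false joins
    (a single 16-bit block would give ~2**16 spurious matches).
    Returns ((k1, k2), cipher_calls)."""
    calls, forward = 0, {}
    for k1 in range(KEY_SPACE):                      # table: E_k1(P_i) -> k1
        forward[tuple(toy_encrypt(k1, p) for p, _ in pairs)] = k1
        calls += len(pairs)
    for k2 in range(KEY_SPACE):                      # scan: D_k2(C_i), join on middle
        fp = tuple(toy_decrypt(k2, c) for _, c in pairs)
        calls += len(pairs)
        if fp in forward:
            return (forward[fp], k2), calls
    return None, calls


def multi_target_bruteforce(target_fps, known_pts, rng):
    """Key-collision attack: many victims encrypted the same known plaintexts
    under independent keys; one candidate key is tested against all of them
    with a set lookup. Expected trials ~ KEY_SPACE / len(target_fps).
    Returns (key, matched_fingerprint, trials)."""
    targets, order = set(target_fps), list(range(KEY_SPACE))
    rng.shuffle(order)                               # random search order
    for trials, k in enumerate(order, 1):
        fp = tuple(toy_encrypt(k, p) for p in known_pts)
        if fp in targets:
            return k, fp, trials
    return None, None, KEY_SPACE


def demo(seed=1, n_targets=256):
    rng = random.Random(seed)
    known_pts = (0x1234, 0xBEEF, 0xC0DE)             # constructed known plaintexts
    # 1. Double encryption under two secret keys, broken by meet-in-the-middle.
    k1, k2 = rng.randrange(KEY_SPACE), rng.randrange(KEY_SPACE)
    pairs = [(p, double_encrypt(k1, k2, p)) for p in known_pts]
    recovered, calls = meet_in_the_middle(pairs)
    mitm_ok = recovered is not None and all(
        double_encrypt(recovered[0], recovered[1], p) == c for p, c in pairs)
    # 2. n_targets victims each encrypt the same two known plaintexts (a 32-bit
    #    fingerprint) under their own random key; one search hits any of them.
    victim_keys = [rng.randrange(KEY_SPACE) for _ in range(n_targets)]
    fps = [tuple(toy_encrypt(k, p) for p in known_pts[:2]) for k in victim_keys]
    key, fp, trials = multi_target_bruteforce(fps, known_pts[:2], rng)
    return {"true_keys": (k1, k2), "mitm_keys": recovered, "mitm_correct": mitm_ok,
            "mitm_calls": calls,                     # ~2**18, not 2**32
            "collision_key": key, "collision_trials": trials,   # ~KEY_SPACE/n_targets
            "collision_hit_is_victim": key in victim_keys,
            "collision_fp_in_targets": fp in set(fps)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Scaling the numbers back up: with real DES the MITM table is 2^56 entries and the 3-key EDE variant needs 2^112 for the table, which is why 3-key 3DES is rated at 112 bits rather than 168; and the collision search's 2^56 / N work is exactly the "keyspace larger than keys used times keys testable" condition stated in the post above.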

    3. Re:Effective strength of 3DES: about 90 bits by Chandon+Seldon · · Score: 1
if you gave everyone in the world a modern computer and had them ALL work on breaking it together it would on average take 1000 years.

      That means that if you gave everyone in the world a million modern computers, it would take a little under 9 hours.

      The problem is, "modern computers" can be replaced with "dedicated processors" and "everyone in the world" can be replaced with "each slot in the cracking array", so:

      If you gave each slot in the 7 billion slot cracking array a million dedicated processors, you could break almost three keys a day.

      Then if we increase the speed of a dedicated processor by a factor of... you see where this is going.

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
    4. Re:Effective strength of 3DES: about 90 bits by Slick_Snake · · Score: 1

That is the dumbest thing I've ever heard. Even if every processor cost a penny and there was no cost to set such a system up it would cost $70,000,000,000,000. But processors don't cost a penny and there is always setup cost. Then there would be cooling issues, and energy cost. Let's not forget there would have to be a secure location for such an expensive system so there would have to be cost for building, security, and other personnel. If you are going to be a smartass about something, think it through before you just make an ass out of yourself. In most cases when people talk about something being secure they mean computationally secure which basically says that as long as it costs more to break than the information is worth it is adequately protected.

  38. This should clear things up... I hope by Slick_Snake · · Score: 1
    FROM THE ARTICLE WHICH MANY OF YOU DIDN'T BOTHER TO READ:

    Triple Data Encryption Algorithm or ''TDEA.'' TDEA encrypts each block three times with the DES algorithm, using either two or three different 56-bit keys. This approach yields effective key lengths of 112 or 168 bits. TDEA is considered a very strong algorithm. The original 56-bit DES algorithm can be modified to be interoperable with TDEA.

    Are you more of an expert than those at NIST?

  39. 90 bits, not 72 bits by Paul+Crowley · · Score: 3, Informative

    I misremembered the efficacy of Lucks's attacks - it's more like 90 bits. See

    http://th.informatik.uni-mannheim.de/People/Luck s/ papers.html

  40. pipes leak at both ends by Anonymous Coward · · Score: 1, Insightful

Encryption is just a kind of fancy FedEx for fancy information. There's no value after delivery, because somebody signs for it, and that person is vulnerable to blandishment, threat, seduction, coercion and Vulcan mind melds. The inadequacy of DES for most purposes is matched by the inadequacy of ANY scheme where secure pipes join, meter, valve or misalign.

    1. Re:pipes leak at both ends by Anonymous Coward · · Score: 0

      Yes, but just because the pipes leak doesn't mean you abandon them and run open sewers down the middle of the street. Limiting the leaks to both ends has value in and of itself.

(The fallacy should have a name. You commonly see people criticizing partial solutions to problems merely because they are not complete solutions. In fact, most solutions to most problems are partial ones. Layering and data flow exist as means to organize partial solutions into more complete ones.)

  41. Re:Triple DES AES by Anonymous Coward · · Score: 0
    From the damn last link:
    To prove the insecurity of DES, EFF built the first unclassified hardware for cracking messages encoded with it. On Wednesday, July 17, 1998 the EFF DES Cracker, which was built for less than $250,000, easily won RSA Laboratory's "DES Challenge II" contest and a $10,000 cash prize. It took the machine less than 3 days to complete the challenge, shattering the previous record of 39 days set by a massive network of tens of thousands of computers.
    "remarkably strong" my ass.
  42. Huh?!? by Anonymous Coward · · Score: 0

    They're just now getting around to this?!?

    ...Some would argue that DES has been insufficient for some time now.
    Well, duh!

    I switched to blowfish and IDEA years ago.

    Typical of how our government is ages behind the times.

  43. Patents? by IGnatius+T+Foobar · · Score: 1

    Anyone know what the patent encumbrance status of AES is? Will it be usable by open source software?

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
    1. Re:Patents? by Gemini · · Score: 1

      It is not at all encumbered, and in fact GnuPG uses it. No patent, no royalty. No muss, no fuss.

  44. of course DES should be abandoned by tahini · · Score: 2, Funny

    It's a strong estrogen and a causative factor in several forms of cancer, in infertility and reproductive abnormalities in those exposed in utero and even in their progeny.

    Diethylstilbestrol is, like most hormones, a hazard to those who handle it, and there's precious few excuses for using it anymore; its use as an anti-abortive was based on faulty evidence.

  45. Patents by Kourino · · Score: 1

I don't know if the Rijndael cipher (the algorithm that won the AES contest, essentially) is covered by any patents, but it doesn't matter - the winner agrees to allow anyone to use the cipher regardless of patent coverage, essentially.

    RC5, however, does use techniques covered by patents. You'll find that some GNU/Linux distributions, such as Red Hat, don't even include the OpenSSL support for it for that reason. (RH7x also left out IDEA, but unfortunately I don't know about more recent releases.) And I know I've read accounts of people having to build OpenSSL with no-rsa or no-rc5 because RSA approached them and asked them to license the technology.

    Everyone is guaranteed use of AES. Besides, it's not like Rijndael is some crappy old cipher (probably), so why use something else?

  46. If you replace the pipe, the terrorists have won. by gwalla · · Score: 1
    America's Duct Tape Manufacturers need your every effort to keep our business on steady financial ground

If America's Duct Tape Manufacturers falter, the impact to the American economy could be catastrophic! And no patriotic American wants that. So be patriotic! Buy more patriotic American duct tape, and shore up the patriotic American economy, so all of our American children can grow up safe, strong, and patriotically American in good old patriotic American America!
    --
    Oper on the Nightstar
  47. ObSimpsons by sharkey · · Score: 1

    Mr. Simpson, are you going to buy those toads or just lick them?

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    1. Re:ObSimpsons by Anonymous Coward · · Score: 0

      How is that comment obligatory? Hmm?

  48. Re:Triple DES AES by evilviper · · Score: 4, Informative
    In 128-bit mode it's like a 12-inch wall with an 11-inch long crack in it. That last inch might hold, but I wouldn't bet on it.

    Terrible, terrible, HORRIBLE analogy.

Cryptography rounds are not like walls... It's not like a wall, where defeating each one removes strength. In cryptography, even if you can break up to 127-bits, that last 1-bit still means it's just as strong as ever.

    A good example (besides AES) is skipjack... NSA's own. There would have been a vulnerability if it used one less round, but since it uses 1 more, it's still perfectly safe, and hasn't been broken yet...

    In other words, find a new analogy, and don't tell people that AES is insecure. It's gone through detailed analysis to make sure it's secure... The same process that approved of DES years ago.

    If you trust 3-DES, you should trust AES, too.

    Personally, I use blowfish whenever possible, but I haven't seen any crypto hardware with blowfish built-in so I doubt it'll get more widespread anytime soon.
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  49. DES is dead by Anonymous Coward · · Score: 0

    I just heard some sad news on talk radio - data encryption standard DES was found dead in his Maine home this morning. There weren't any more details. I'm sure everyone in the Slashdot community will miss him - even if you didn't enjoy his work, there's no denying his contributions to popular culture. Truly an American icon.

  50. Government Conspiracy by Anonymous Coward · · Score: 0

Just wait for the email from NIST forcing you to upgrade your DES or Triple DES keys to new AES keys free of charge.

    And you thought the patriot act was bad...

  51. Don't Forget FIPS Validation! by xxxJonBoyxxx · · Score: 2, Informative
    In addition to suggesting algorithms, NIST also VALIDATES code and devices to make sure they do exactly what they should when it comes to cryptography. (No back doors, no shortcuts, etc.)

    More information about the Cryptographic Module Validation Program (the current standard for encryption is FIPS 140-2) can be found here: http://csrc.nist.gov/cryptval/140-2.htm

    Also, here's a group which has both Windows and Linux versions of a FIPS 140-2 AES implementation, if you want to know what it looks like in action: http://www.standardnetworks.com/moveitcrypto

  52. S-Boxes are FALSE STRONGENESS, 40 bits, not 56. by Anonymous Coward · · Score: 0
    A total of the half of (40 bits*3) = the half of (120 bits) = 60 bits are sufficient to crack any message with a good space-time supercomputer.

    open4free © : i'm using the old russian effective 256-bit key GOST

  53. Back door in the hardware. by Anonymous Coward · · Score: 0
    Imagine a cheap secret "flash" 1 GiB of main keys inside of an AES cipher hardware, sufficiently to hide the stolen keys for 200 years or more.

    Can anyone demonstrate that it doesn't exist with the dangerous current technologies of cheap UVLSI-chips?

    There are many traps!!!.

    open4free ©

  54. Trap!!! AES's backdoor in hardware!!! by Anonymous Coward · · Score: 0
    Imagine a cheap secret "flash" 1 GiB of main keys inside of an AES cipher hardware, sufficiently to hide the stolen keys for 200 years or more.

    Can anyone demonstrate that it doesn't exist with the dangerous current technologies of cheap VLSI-chips?

    There are many traps!!!.

    open4free ©

  55. The solution to the one-time pad by kaligraphic · · Score: 1

    take two. Use one for the message and one to transmit two more pads. lather, rinse, repeat.

    --
    You are standing in an open server west of a blue house, with a boarded front door. There is an Exchange mailbox here.
    1. Re:The solution to the one-time pad by lachlan76 · · Score: 1

      Ummmm.....the pad needs to be the same size as the data you send, and since you can't reuse the pad, any system like that won't work.

  56. Re:Critical Deadline Approaching! by dnahelix · · Score: 1

    I'll feel better if just the one with the most votes gets elected.

    --
    Slashdot Eds Link Anonymous Posts With Logged Posts
    They Are Vermin Feeding On Each Other's Feces.
    I Hate \.
  57. Mod down, this is wrong by bluGill · · Score: 1

You are incorrect, 3DES normally uses just 2 keys, A-B-A. There is a known attack on 2DES (read other posters for an explanation, I'm not going to repeat what they said better than I can) making 2DES where you use encrypt with A, then B equivalent to a 57 bit total key length. 3DES defeats that attack and as used with 2 keys gives you 112 bits of equivalent key length.

There are many different ways to implement 3DES (and I know of no theoretical reason you couldn't use 3 different keys), the most common one is to encrypt with key A, then DECRYPT with key B, then encrypt with key A. Note that the middle step is decryption with the wrong key. I'm not sure what the reasoning behind this is anymore. Nobody has used any form of DES for a few years now if they had any other choice.

    1. Re:Mod down, this is wrong by armb · · Score: 1

      Use with three different keys is actually quite common.
      The decrypt in the middle is for backward compatibility with single DES - a hardware 3DES implementation will do single DES if all three keys are the same. (So will a software implementation of course, but with hardware being able to just use the same stuff is more of a saving.)

      --
      rant
  58. Re:Hyperspace computing? by Anonymous Coward · · Score: 0

Maybe they will come up with a way to make computers work at speeds faster than light, perhaps some kind of hyperspace/subspace/tachyon/whatever system. Or just go quantum computing or even better, superstring computing (or brane computing, or whatever they come up with). How about manipulating black holes to create a new universe in which the speed of light is much faster than in ours? There are many possibilities beyond the current limits of physics.

  59. In related news... by enginuitor · · Score: 1

    Earlier today, the IAB drafted an RFC regarding HTTP which was quickly DTCF, much to the BA of several CCNPs who AHAIFSD until finally they GUAH and said "TFWT". FFTA, but IMHO that's just a bunch of FU FUD. TIWNBTS. NIGGATASBIASTSRPENMAR.

  60. Re:Hyperspace computing? by jaoswald · · Score: 1

    Sure, and maybe we'll have robots with positronic brains by 1985. Oops. You are talking about science fiction. Putting "superstring" and "brane" or "black hole" in your post is not the same as making a scientific argument.

    There are many possibilities outside the realm of current physics theories. It's trivially easy to come up with some, as you have. The problem is not to come up with ideas beyond current physics, it is to come up with ideas which are WITHIN this tricky thing called REALITY. And modern physics does a damn good job of describing reality already. Improving it is hard work.

    Might as well hope that future scientific discoveries allow "chocolate cake for everyone! Yay!"

  61. I hate to break it to you by Pan+T.+Hose · · Score: 1

    Oh yeah! Now foreign powers will have to go back to sending sexy spies to seduce the secrets out of us instead of just breaking the codes!

    I hate to break it to you but I think you might have misunderstood the concept of "rubber-hose cryptanalysis."

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."