NIST Proposes Abandoning DES

Mr. Manometer writes "With little fan-fare, NIST proposed yesterday to withdraw the Federal Information Processing Standard (FIPS) for the Data Encryption Standard (DES) with a Federal Register notice (pdf). NIST is encouraging federal agencies to use the Advanced Encryption Standard (AES) instead since they feel that DES is 'now vulnerable to key exhaustion using massive parallel computations.' We all knew this day would come as computers got faster & cheaper... and this should put more pressure on folks to use stronger encryption techniques with is a good thing." Some would argue that DES has been insufficient for some time now.

NIST endorsement of DES

[SIGALRM]

NIST proposed yesterday to withdraw the Federal Information Processing Standard (FIPS) for the Data Encryption Standard (DES)

Actually, NIST withdrew their endorsement of DES in 1997. DES as a standard was adopted in 1972. Back in '74 when the NSA was looking at Lucifer for NIST, they actually approved it despite a reduction in its original key length of 128 bits to 56 bits, weakening it significantly. The NSA was accused of planting a "back-door" in Lucifer that would allow agents to decrypt without the key, but of course such a thing was never found.

In '76 Lucifer was adopted and renamed "DES". Of course as computers became faster and more powerful, it was recognized that a 56-bit key was simply not large enough for high security applications. As a result of these and other serious flaws, NIST abandoned their official endorsement of DES in 1997 and began work on a replacement, to be called the Advanced Encryption Standard (AES). And so the story continues...

Re:NIST endorsement of DES

[Spunk]

It was shown that S-Boxes chosen by the NSA made it more secure, not less. DES and Differential Cryptanalysis

Re:DES3

[wwest4]

no, the confusion comes from DES being 64-bit with a byte's worth of parity. effective length of single DES key is 56 bits.

now, to really mess it up - the effective key length of 3DES is 112 bits, because only 2 keys are actually used, key A and B. Encrypt with A, then B, then A.

Re:Elliptic Curve Cryptosystem...

[dark_panda]

Elliptic curve cryptography is a public/private key system like DSA or RSA. It's an asymmetric cipher method where the key used to encrypt is not the necessarily the same key used to decrypt.

DES and AES are symmetric ciphers, where you use the same key for both operations.

The two forms of crypto have different uses, and ECC isn't all that useful as a replacement for DES. That's what AES is for.

As an aside, Diffie-Hellman is a method of key agreement, and is not a cipher in itself, but rather it is used in conjunction with other crypto systems. (IPsec, for instance, uses DH, I believe.)

J

Critics proven right

[msblack]

One of the earliest critics of DES (FIPS-46) was Whitfield Diffie, a maverick of his time. The government, industry, and press all hailed the 56-bit DES as a milestone breakthrough. At that time, ITAR regulations limited encryption algorithms to 28 or 40 bits, a serious restriciton for international corporations. IBM was prohibited from using Lucifer with its offshore subsidiaries because the Feds equated it with nuclear weaponry.

Diffie is probably best renowned for his methodology known as knapsack encryption. This was alternative to RSA which was computationally prohibitive in the early 1980s.

I remember my having difficulty in my old college days in obtaining a copy of RSA. My school had to obtain a copy of their paper from MIT through inter-library loan. I had not realized that RSA would gain such widespread adoption because ITAR would prevent international implementation for any US-based company.

Re:Which is why...

[kasperd]

Then we can use it forever.
You mean a one time pad?

You cannot use a one time pad forever. The name should be a pretty good hint about that. Unfortunately reusing a one time pad is suggested again and again by people not fully understanding what it is all about. In many cases a one time pad is unrealistic because you have to exchange new keys over a secure channel. And usually you want to use the one time pad because you don't have a secure channel. But actually some secure channels exists that can be used to exchange the key, but cannot be used for the data transfer. One such example is seen in quantum cryptography.

However though a one time pad is unconditionally secure, it only guarantees secrecy. Integrity is an interely different matter. Luckily there also exist unconditionally secure MACs for that, and they are a lot more realistic than a one time pad, because the key is smaller and most of the key can be reused. This is very important because without integrity over a clasical channel, even quantum cryptography would have been vulnurable to a man in the midle attack.

But quantum cryptography is not the only way to exchange a one time pad. Other unrealistic ways to exchange a one time pad is using either noisy channels or assumptions about memory bounded adversaries. I call them unrealistic because they are both based on somewhat unrealistic assumptions and require extreme amounts of data to be transfered to create a small one time pad. The most realistic way to exchange a one time pad probably still is to do it in advance. In some cases the exchange in advance makes a lot of sense. Think for example wireless equipment. You'd consider a wire to be secure, but it is inconvenient. But you still have to connect a wire occationally to recharge your battery, at the same time a one time pad could be tranfered over a faster and more secure wired link.

Re:DES3

[kasperd]

First of all it should be explained why they came up with 3-DES instead of just 2-DES. The reason is, that 2-DES would be vulnurable to a meet in the middle attack. If you knew just one plaintext/ciphertext pair you could efficiently compute a small set of possible keys. It would require a lot of disk space, but in the end you would be down to approximately 2^48 keys, and it would require only 2^57 cipher block operations. Another plaintext/ciphertext pair can easilly be tested against the remaining 2^48 keys to find the right one.

In other words 2-DES is not significantly more secure than DES, but 3-DES makes the meet in the middle attack more difficult. You can no longer meet exactly in the middle, but you could meet with 1 cipher on one side and 2 ciphers on the other side. That way you have to brute force the 2 ciphers and that way 3-DES presumably give you the security of a 112 bit key. This is also why you normally only use two different keys for 3-DES. The third key would add no extra security.

But 3-DES have inherited one of the weaknesses of DES. The block size is still only 64 bits. That makes you vulnurable to birthday attacks. For this reason I always advice against using the same 3-DES key for more than 512KB of data. With a 128 bit block like AES uses, a key can be safe for use for longer time, I would say 64GB should be secure.

Re:Triple DES AES

[evilviper]

In 128-bit mode it's like a 12-inch wall with an 11-inch long crack in it. That last inch might hold, but I wouldn't bet on it.

Terrible, terrible, HORRIBLE analogy.

Cryptography rounds are not like walls... It's not like a wall, where defeating each one removes strenghth. In cryptography, even if you can break up to 127-bits, that last 1-bit stll means it's just as strong as ever.

A good example (besides AES) is skipjack... NSA's own. There would have been a vulnerability if it used one less round, but since it uses 1 more, it's still perfectly safe, and hasn't been broken yet...

In other words, find a new analogy, and don't tell people that AES is insecure. It's gone through detailed analysis to make sure it's secure... The same process that approved of DES years ago.

If you trust 3-DES, you should trust AES, too.

Personally, I use blowfish whenever possible, but I haven't seen any crypto hardware with blowfish built-in so I doubt it'll get more widespread anytime soon.