Slashdot Mirror
NIST Proposes Abandoning DES
Mr. Manometer writes "With little fan-fare, NIST proposed yesterday to withdraw the Federal Information Processing Standard (FIPS) for the Data Encryption Standard (DES) with a Federal Register notice (pdf). NIST is encouraging federal agencies to use the Advanced Encryption Standard (AES) instead since they feel that DES is 'now vulnerable to key exhaustion using massive parallel computations.' We all knew this day would come as computers got faster & cheaper... and this should put more pressure on folks to use stronger encryption techniques with is a good thing." Some would argue that DES has been insufficient for some time now.
In '76 Lucifer was adopted and renamed "DES". Of course as computers became faster and more powerful, it was recognized that a 56-bit key was simply not large enough for high security applications. As a result of these and other serious flaws, NIST abandoned their official endorsement of DES in 1997 and began work on a replacement, to be called the Advanced Encryption Standard (AES). And so the story continues...
Sigs cause cancer.
.... I was going to write a long, well thought out reply to this story but the IT colour scheme is causing acid flashbacks.
The horror... the horror...
Wait, ...ugh..., I didn't write that and more importantly, you didn't read it. It never happened. Nothing to see here. Just move on now.
All realistic encryption scemes have a lifespan.
The darkness... controls the music. The music... controls the soul.
I'm not one to point fingers, but if they do have to be pointed, they should be pointed at Mushrooms or toad licking. Not acid.
It is interesting to note that they recommend using a faster algorithm.
Of course us, of the tin-foil-hat, brigade know that the government has a very secure algorithm (gotten from area 51), but they never tell us about, just so we use an algorithm that we think is secure, but they have their own back-door.
Fight Spammers!
They want me to abandon DES and Internet Explorer? Please, NIST, why do you keep recommending against my favorite applications.
Let's hope we'll never see ICQ and Windows ME on that list.
Which is why we have to invent an unrealistic encryption scheme. Then we can use it forever.
Oh yeah! Now foreign powers will have to go back to sending sexy spies to seduce the secrets out of us instead of just breaking the codes!
-- If god wanted me to have a sig, he'd have given me a sense of humor.
Its be accepted by many in the industry that DES was too weak. However you can use DES repeatedly with different keys to make up for it and thus you get triple DES. It effectly gives you a key space of 56 * 3 = 168 bit keys which is much better. And you could always run the data through a few more times if you are realy paranoid.
Some would argue that DES has been insufficient for some time now.
Yeah, like since the day I first heard about it, back in 1995.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
"Some would argue that DES has been insufficient for some time now."
Insufficient for what? I hate to play semantics, and I'm no cryptographer, but as I understand it, the inadequacies of an encryption algorithm are primarily defined by the implementation and the reason for it [application]. OK, it's a weak cipher, but in certain instances, it may still be useful. Right?
Many cryptanalysts don't trust ECC yet because there has not been enough peer review (i.e. attmepts to break it) of the mathematics of the algorithm.
Nice to hear they got some good consulting.
I've been using AES-256 on all my projects that deal with sensitive data since ohhh -- 2001.
Considering that DES has been relegated to hack toy status for some time now and triple-DES is only marginally better since it's just DES encryption done threefold I think this is a very wise but belated move.
And when Hollywood even makes fun of an encryption grade by showing a guy breaking it in 60 seconds while getting a BLOWJOB, you KNOW it's time to stop using it!
no, the confusion comes from DES being 64-bit with a byte's worth of parity. effective length of single DES key is 56 bits.
now, to really mess it up - the effective key length of 3DES is 112 bits, because only 2 keys are actually used, key A and B. Encrypt with A, then B, then A.
Elliptic curve cryptography is a public/private key system like DSA or RSA. It's an asymmetric cipher method where the key used to encrypt is not the necessarily the same key used to decrypt.
DES and AES are symmetric ciphers, where you use the same key for both operations.
The two forms of crypto have different uses, and ECC isn't all that useful as a replacement for DES. That's what AES is for.
As an aside, Diffie-Hellman is a method of key agreement, and is not a cipher in itself, but rather it is used in conjunction with other crypto systems. (IPsec, for instance, uses DH, I believe.)
J
When I did my military service in Sweden 96/97 I came across the official introduction book to cryptology (the Swedish military has, as I assume every national military has, a book division making various manuals). It was pretty standard starting out with substitution and permutation and quickly moving past most techniques up to finite field equations. I don't know when the book was written (it didn't say), but probably in the mid to late 80's since the most recent book reference was from 85. The thing that really caught my eye was however a paragraph that essentially said "DES is not certified for secure transmissions in the Swedish military for reasons we will not discuss here". Given that they broke every crypto system transmitted over Sweden during WWII, I would take their advice if they say not to use a cipher.
One of the earliest critics of DES (FIPS-46) was Whitfield Diffie, a maverick of his time. The government, industry, and press all hailed the 56-bit DES as a milestone breakthrough. At that time, ITAR regulations limited encryption algorithms to 28 or 40 bits, a serious restriciton for international corporations. IBM was prohibited from using Lucifer with its offshore subsidiaries because the Feds equated it with nuclear weaponry.
Diffie is probably best renowned for his methodology known as knapsack encryption. This was alternative to RSA which was computationally prohibitive in the early 1980s.
I remember my having difficulty in my old college days in obtaining a copy of RSA. My school had to obtain a copy of their paper from MIT through inter-library loan. I had not realized that RSA would gain such widespread adoption because ITAR would prevent international implementation for any US-based company.
signature pending slashdot approval
This is actually a valid point about intelligence. Although it's obvious that there are places where uncrackable encryption should be used if at all possible, there are many others where disinformation can be used to great effect. An example is where a message crackable in finite time is allowed to be intercepted because by the time it is decrypted it is too late to take action, the object being to build up the credibility of an information source prior to shovelling out a great load of disinformation. I believe this technique was used ahead of the D-Day landings as part of the plan to persuade the Germans that the invasion would actually be in the Pas de Calais.
For this reason I would have thought it was unwise for official bodies to make statements about the use of different forms of encryption - unless it's a double bluff and DES will continue to be used for short-life messages.
Tinfoil hat? Stress-relieved oxygen-free copper plated mumetal in my case.
Panurge has posted for the last time. Thanks for the positive moderations.
Secrets normally take years, often decades to be out in the public domain. What was daunting before EFF's 1998 achievement is looking more and more trivia for a government that wouldn't blink at the cost of buying a 1,000 node super-computer.
To future-proof secrets, you'd have to encrypt at a level that not only would be ridiculously expensive to crack today, but as long as you need to keep them, well, secret. Imagine some of the files from the time of the UNSC's Iraq debates a year-and-a-half ago getting cracked today or before the next US presidential election.
Information: "I want to be anthropomorphized"
First of all it should be explained why they came up with 3-DES instead of just 2-DES. The reason is, that 2-DES would be vulnurable to a meet in the middle attack. If you knew just one plaintext/ciphertext pair you could efficiently compute a small set of possible keys. It would require a lot of disk space, but in the end you would be down to approximately 2^48 keys, and it would require only 2^57 cipher block operations. Another plaintext/ciphertext pair can easilly be tested against the remaining 2^48 keys to find the right one.
In other words 2-DES is not significantly more secure than DES, but 3-DES makes the meet in the middle attack more difficult. You can no longer meet exactly in the middle, but you could meet with 1 cipher on one side and 2 ciphers on the other side. That way you have to brute force the 2 ciphers and that way 3-DES presumably give you the security of a 112 bit key. This is also why you normally only use two different keys for 3-DES. The third key would add no extra security.
But 3-DES have inherited one of the weaknesses of DES. The block size is still only 64 bits. That makes you vulnurable to birthday attacks. For this reason I always advice against using the same 3-DES key for more than 512KB of data. With a 128 bit block like AES uses, a key can be safe for use for longer time, I would say 64GB should be secure.
Do you care about the security of your wireless mouse?
Diffie didn't invent knapsack encryption. Diffie and his colleague, Martin Hellman, invented the first public key cryptosystem, Diffie-Hellman, and founded the modern field of cryptography. We all owe them (and Ralph Merkle, who basically did the same things at the same time) an enormous debt.
There were no ITAR limits on key length. The law simply stated that you needed a license to export products that included cryptography; strictly interpreted that would have included a Secret Decoder Ring. It wasn't until Lotus wanted to export Notes with crypto built in that the NSA got involved in the process of making it possible for products that used crypto to be granted export licenses by demanding features such as CDWF, which made it easy for the NSA to break messages while keeping it hard for everyone else.
Lucifer was vulnerable to a differential cryptanalytic attack that reduced the effective key strength to around 56 bits. However, IBM and the NSA kept their knowledge of DC secret until Biham and Shamir rediscovered it in 89.
RSA was invented later. It was never prohibitively slow, though of course it's got much faster over the years.
If you wanted a description of RSA, why didn't you just buy a copy of Scientific American, where it was first published in Martin Gardener's "Mathematical Games" column?
Xenu loves you!
I misremembered the efficacy of Lucks's attacks - it's more like 90 bits. See
k s/ papers.html
http://th.informatik.uni-mannheim.de/People/Luc
Xenu loves you!
Terrible, terrible, HORRIBLE analogy.
Cryptography rounds are not like walls... It's not like a wall, where defeating each one removes strenghth. In cryptography, even if you can break up to 127-bits, that last 1-bit stll means it's just as strong as ever.
A good example (besides AES) is skipjack... NSA's own. There would have been a vulnerability if it used one less round, but since it uses 1 more, it's still perfectly safe, and hasn't been broken yet...
In other words, find a new analogy, and don't tell people that AES is insecure. It's gone through detailed analysis to make sure it's secure... The same process that approved of DES years ago.
If you trust 3-DES, you should trust AES, too.
Personally, I use blowfish whenever possible, but I haven't seen any crypto hardware with blowfish built-in so I doubt it'll get more widespread anytime soon.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant