Slashdot Mirror


NIST Proposes Abandoning DES

Mr. Manometer writes "With little fanfare, NIST proposed yesterday to withdraw the Federal Information Processing Standard (FIPS) for the Data Encryption Standard (DES) with a Federal Register notice (pdf). NIST is encouraging federal agencies to use the Advanced Encryption Standard (AES) instead since they feel that DES is 'now vulnerable to key exhaustion using massive parallel computations.' We all knew this day would come as computers got faster & cheaper... and this should put more pressure on folks to use stronger encryption techniques, which is a good thing." Some would argue that DES has been insufficient for some time now.

21 of 205 comments

  1. NIST endorsement of DES by SIGALRM · · Score: 5, Informative
    NIST proposed yesterday to withdraw the Federal Information Processing Standard (FIPS) for the Data Encryption Standard (DES)
    Actually, NIST withdrew their endorsement of DES in 1997. DES as a standard was adopted in 1972. Back in '74 when the NSA was looking at Lucifer for NIST, they actually approved it despite a reduction in its original key length of 128 bits to 56 bits, weakening it significantly. The NSA was accused of planting a "back-door" in Lucifer that would allow agents to decrypt without the key, but of course such a thing was never found.

    In '76 Lucifer was adopted and renamed "DES". Of course as computers became faster and more powerful, it was recognized that a 56-bit key was simply not large enough for high security applications. As a result of these and other serious flaws, NIST abandoned their official endorsement of DES in 1997 and began work on a replacement, to be called the Advanced Encryption Standard (AES). And so the story continues...
    --
    Sigs cause cancer.
    1. Re:NIST endorsement of DES by Spunk · · Score: 4, Informative

      It was shown that S-Boxes chosen by the NSA made it more secure, not less. DES and Differential Cryptanalysis

  2. arrggghh... by Anonymous Coward · · Score: 5, Funny

    .... I was going to write a long, well thought out reply to this story but the IT colour scheme is causing acid flashbacks.

    The horror... the horror...

    1. Re:arrggghh... by ticklemeozmo · · Score: 4, Insightful

      I was going to write a long, well thought out reply to this story but the IT colour scheme is causing acid flashbacks

      I seriously thought the sarcasm about the crappy color scheme was going to get old after a while, but actually it still seems appropriate. For Vishnu's sake, change the friggen colors!

      --
      When modding "Informative", please make sure it both has a source and IS actually informative.
  3. Now I'm going to have to go back to ... by burgburgburg · · Score: 4, Funny
    social engineering, keystroke capturing and torture to get information, instead of relying on key exhaustion.

    Wait, ...ugh..., I didn't write that and more importantly, you didn't read it. It never happened. Nothing to see here. Just move on now.

  4. It was bound to happen eventually. by Jim+Starx · · Score: 4, Insightful

    All realistic encryption schemes have a lifespan.

    --
    The darkness... controls the music. The music... controls the soul.
  5. As a self-appointed representative of ... by burgburgburg · · Score: 4, Funny
    America's LSD Manufacturers, I'd like to point out that at its worst (as regards quality control), no US produced acid would ever have created colors like this.

    I'm not one to point fingers, but if they do have to be pointed, they should be pointed at Mushrooms or toad licking. Not acid.

  6. Computation power?? by www.sorehands.com · · Score: 4, Insightful
    It is always expected that any encryption will be crackable given sufficient computing power, and with Moore's law, that will always eventually happen. But of course by that time, a new, more secure algorithm that requires more computing power to encrypt will be available.

    It is interesting to note that they recommend using a faster algorithm.

    Of course, those of us in the tin-foil-hat brigade know that the government has a very secure algorithm (gotten from Area 51), but they never tell us about it, just so we use an algorithm that we think is secure, but they have their own back-door.

  7. Man, they are cruel by Anonymous Coward · · Score: 5, Funny

    They want me to abandon DES and Internet Explorer? Please, NIST, why do you keep recommending against my favorite applications?

    Let's hope we'll never see ICQ and Windows ME on that list.

  8. Which is why... by baudilus · · Score: 5, Funny

    Which is why we have to invent an unrealistic encryption scheme. Then we can use it forever.

    1. Re:Which is why... by mattjb0010 · · Score: 4, Funny

      Which is why we have to invent an unrealistic encryption scheme. Then we can use it forever.

      You mean a one time pad?

    2. Re:Which is why... by kasperd · · Score: 4, Informative

      Then we can use it forever.
      You mean a one time pad?

      You cannot use a one time pad forever. The name should be a pretty good hint about that. Unfortunately reusing a one time pad is suggested again and again by people not fully understanding what it is all about. In many cases a one time pad is unrealistic because you have to exchange new keys over a secure channel. And usually you want to use the one time pad because you don't have a secure channel. But actually some secure channels exist that can be used to exchange the key, but cannot be used for the data transfer. One such example is seen in quantum cryptography.

      However, though a one time pad is unconditionally secure, it only guarantees secrecy. Integrity is an entirely different matter. Luckily there also exist unconditionally secure MACs for that, and they are a lot more realistic than a one time pad, because the key is smaller and most of the key can be reused. This is very important because without integrity over a classical channel, even quantum cryptography would have been vulnerable to a man in the middle attack.

      But quantum cryptography is not the only way to exchange a one time pad. Other unrealistic ways to exchange a one time pad are using either noisy channels or assumptions about memory bounded adversaries. I call them unrealistic because they are both based on somewhat unrealistic assumptions and require extreme amounts of data to be transferred to create a small one time pad. The most realistic way to exchange a one time pad probably still is to do it in advance. In some cases the exchange in advance makes a lot of sense. Think for example wireless equipment. You'd consider a wire to be secure, but it is inconvenient. But you still have to connect a wire occasionally to recharge your battery, at the same time a one time pad could be transferred over a faster and more secure wired link.

      --

      Do you care about the security of your wireless mouse?
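A worked illustration of the two points in the comment above (the pad gives secrecy only, and an unconditionally secure MAC with a small, mostly reusable key supplies integrity), added here as an example; it is not code from the comment or from any project. The MAC is a Carter-Wegman construction: a polynomial hash under a reusable key `a`, masked by a one-time value `b` that is consumed per message; the message and key values are constructed for the demo.

```python
import secrets

P = (1 << 127) - 1          # prime modulus for the polynomial hash (arithmetic in GF(P))
CHUNK = 14                  # 14 data bytes + a 0x01 terminator stays below 2^120 < P

def otp(pad: bytes, data: bytes) -> bytes:
    """One-time pad: XOR with a pad at least as long as the data (never reuse the pad)."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message")
    return bytes(k ^ d for k, d in zip(pad, data))

def poly_hash(a: int, msg: bytes) -> int:
    """Universal hash h_a(msg) = sum c_i * a^(n-i) mod P over 0x01-terminated chunks (Horner form)."""
    h = 0
    for i in range(0, len(msg), CHUNK):
        c = int.from_bytes(msg[i:i + CHUNK] + b"\x01", "big")   # terminator encodes the chunk length
        h = (h * a + c) % P
    return h

def mac_tag(a: int, b: int, msg: bytes) -> bytes:
    """Carter-Wegman one-time MAC: `a` is reusable across messages, `b` is fresh per message."""
    return ((poly_hash(a, msg) + b) % P).to_bytes(16, "big")

def mac_verify(a: int, b: int, msg: bytes, tag: bytes) -> bool:
    return secrets.compare_digest(mac_tag(a, b, msg), tag)

def demo(message: bytes):
    """Send `message` under OTP + one-time MAC; report whether a modified ciphertext is rejected."""
    a = secrets.randbelow(P)                       # long-term MAC key: the reusable part
    pad = secrets.token_bytes(len(message))        # one-time pad, as long as the message
    b = secrets.randbelow(P)                       # one-time MAC mask, 16 bytes per message
    ct = otp(pad, message)
    tag = mac_tag(a, b, ct)                        # encrypt-then-MAC: the tag covers the ciphertext
    # Receiver side: verify the tag first, then decrypt.
    ok_genuine = mac_verify(a, b, ct, tag) and otp(pad, ct) == message
    # A ciphertext altered in transit still decrypts to *something* (the pad gives no integrity),
    # but the tag no longer verifies, so the receiver discards it.
    altered = bytes([ct[0] ^ 0x01]) + ct[1:]
    ok_altered = mac_verify(a, b, altered, tag)
    return ok_genuine, ok_altered, otp(pad, altered) != message
```

The key budget per message is the pad (message length) plus 16 bytes for `b`; `a` is the part that can be reused, as the comment describes.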
  9. YES!!! by Tenebrious1 · · Score: 4, Funny

    Oh yeah! Now foreign powers will have to go back to sending sexy spies to seduce the secrets out of us instead of just breaking the codes!

    --
    If god wanted me to have a sig, he'd have given me a sense of humor.
  10. I nominate this for understatement of the day by Marxist+Hacker+42 · · Score: 4, Insightful

    Some would argue that DES has been insufficient for some time now.

    Yeah, like since the day I first heard about it, back in 1995.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  11. Insufficient for what? by m.h.2 · · Score: 4, Insightful

    "Some would argue that DES has been insufficient for some time now."

    Insufficient for what? I hate to play semantics, and I'm no cryptographer, but as I understand it, the inadequacies of an encryption algorithm are primarily defined by the implementation and the reason for it [application]. OK, it's a weak cipher, but in certain instances, it may still be useful. Right?

  12. Re:DES3 by wwest4 · · Score: 4, Informative

    No, the confusion comes from DES being 64-bit with a byte's worth of parity. The effective length of a single DES key is 56 bits.

    Now, to really mess it up: the effective key length of 3DES is 112 bits, because only 2 keys are actually used, key A and B. Encrypt with A, then B, then A.

  13. Re:Elliptic Curve Cryptosystem... by dark_panda · · Score: 4, Informative

    Elliptic curve cryptography is a public/private key system like DSA or RSA. It's an asymmetric cipher method where the key used to encrypt is not necessarily the same key used to decrypt.

    DES and AES are symmetric ciphers, where you use the same key for both operations.

    The two forms of crypto have different uses, and ECC isn't all that useful as a replacement for DES. That's what AES is for.

    As an aside, Diffie-Hellman is a method of key agreement, and is not a cipher in itself, but rather it is used in conjunction with other crypto systems. (IPsec, for instance, uses DH, I believe.)

    J

  14. Critics proven right by msblack · · Score: 4, Informative

    One of the earliest critics of DES (FIPS-46) was Whitfield Diffie, a maverick of his time. The government, industry, and press all hailed the 56-bit DES as a milestone breakthrough. At that time, ITAR regulations limited encryption algorithms to 28 or 40 bits, a serious restriction for international corporations. IBM was prohibited from using Lucifer with its offshore subsidiaries because the Feds equated it with nuclear weaponry.

    Diffie is probably best renowned for his methodology known as knapsack encryption. This was an alternative to RSA, which was computationally prohibitive in the early 1980s.

    I remember having difficulty in my old college days in obtaining a copy of RSA. My school had to obtain a copy of their paper from MIT through inter-library loan. I had not realized that RSA would gain such widespread adoption because ITAR would prevent international implementation for any US-based company.

    --
    signature pending slashdot approval
  15. But who wants a totally secure system? by panurge · · Score: 4, Interesting
    I'm reminded of Terry Pratchett's Havelock Vetinari, (various Discworld books) who gets his pet scientist to devise him cyphers that are merely fiendishly difficult - because he wants his enemies to think they know what he is thinking.
    This is actually a valid point about intelligence. Although it's obvious that there are places where uncrackable encryption should be used if at all possible, there are many others where disinformation can be used to great effect. An example is where a message crackable in finite time is allowed to be intercepted because by the time it is decrypted it is too late to take action, the object being to build up the credibility of an information source prior to shovelling out a great load of disinformation. I believe this technique was used ahead of the D-Day landings as part of the plan to persuade the Germans that the invasion would actually be in the Pas de Calais.

    For this reason I would have thought it was unwise for official bodies to make statements about the use of different forms of encryption - unless it's a double bluff and DES will continue to be used for short-life messages.
    Tinfoil hat? Stress-relieved oxygen-free copper plated mumetal in my case.

    --
    Panurge has posted for the last time. Thanks for the positive moderations.
  16. Re:DES3 by kasperd · · Score: 4, Informative

    First of all it should be explained why they came up with 3-DES instead of just 2-DES. The reason is that 2-DES would be vulnerable to a meet in the middle attack. If you knew just one plaintext/ciphertext pair you could efficiently compute a small set of possible keys. It would require a lot of disk space, but in the end you would be down to approximately 2^48 keys, and it would require only 2^57 cipher block operations. Another plaintext/ciphertext pair can easily be tested against the remaining 2^48 keys to find the right one.

    In other words 2-DES is not significantly more secure than DES, but 3-DES makes the meet in the middle attack more difficult. You can no longer meet exactly in the middle, but you could meet with 1 cipher on one side and 2 ciphers on the other side. That way you have to brute force the 2 ciphers, and that way 3-DES presumably gives you the security of a 112 bit key. This is also why you normally only use two different keys for 3-DES. The third key would add no extra security.

    But 3-DES has inherited one of the weaknesses of DES. The block size is still only 64 bits. That makes you vulnerable to birthday attacks. For this reason I always advise against using the same 3-DES key for more than 512KB of data. With a 128 bit block like AES uses, a key can be safe for use for a longer time; I would say 64GB should be secure.

    --

    Do you care about the security of your wireless mouse?
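An added example (not from the comment or from any project) that makes the two arguments in the comment above concrete on a constructed toy cipher with a 16-bit block and 12-bit key, not on DES itself: meet-in-the-middle recovers the two keys of the double cipher with about 2 * 2^12 cipher calls plus a table instead of 2^24, the first pair leaving roughly 2^(24-16) = 256 false candidates (the toy analogue of the 2^48 above), and the birthday function shows how the block size bounds the data that should be sent under one key.

```python
import math

MASK, KEY_BITS, ROUNDS = 0xFFFF, 12, 4      # toy cipher: 16-bit block, 12-bit key (constructed, not DES)
MUL = 0x1F35                                # odd, hence invertible modulo 2^16
MUL_INV = pow(MUL, -1, 1 << 16)

def rotl(x, r): return ((x << r) | (x >> (16 - r))) & MASK
def rotr(x, r): return ((x >> r) | (x << (16 - r))) & MASK

def round_keys(key):
    return [((key ^ (r * 0x0F0F)) * 0x9E37) & MASK for r in range(ROUNDS)]

def encrypt(key, block):
    for rk in round_keys(key):                     # xor key, rotate, multiply: each step invertible
        block = (rotl(block ^ rk, 5) * MUL) & MASK
    return block

def decrypt(key, block):
    for rk in reversed(round_keys(key)):
        block = rotr((block * MUL_INV) & MASK, 5) ^ rk
    return block

def double_encrypt(k1, k2, block):
    return encrypt(k2, encrypt(k1, block))

def meet_in_the_middle(pairs):
    """Recover (k1, k2) of the double cipher from known plaintext/ciphertext pairs.
    Cost: 2 * 2^KEY_BITS cipher calls and a 2^KEY_BITS-entry table, not 2^(2*KEY_BITS)."""
    pt, ct = pairs[0]
    forward = {}                                   # intermediate value -> every k1 producing it
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(encrypt(k1, pt), []).append(k1)
    candidates = [(k1, k2) for k2 in range(1 << KEY_BITS)
                  for k1 in forward.get(decrypt(k2, ct), [])]
    # One pair leaves about 2^(2*KEY_BITS - 16) false matches; the remaining pairs weed them out.
    for pt2, ct2 in pairs[1:]:
        candidates = [(k1, k2) for k1, k2 in candidates if double_encrypt(k1, k2, pt2) == ct2]
    return candidates

def birthday_collision_probability(block_bits, n_bytes):
    """Probability that two ciphertext blocks repeat after n_bytes under one key: 1 - exp(-n(n-1)/2^(b+1))."""
    n = n_bytes * 8 // block_bits
    return -math.expm1(-n * (n - 1) / 2 ** (block_bits + 1))

def demo():
    secret = (0xABC, 0x123)                        # constructed secret key pair of the double cipher
    pairs = [(p, double_encrypt(*secret, p)) for p in (0x1234, 0x5678, 0x9ABC)]
    return meet_in_the_middle(pairs), secret
```

With 64-bit blocks the comment's 512KB (2^16 blocks) gives a collision probability near 2^-33, while 32GB under one key already gives about 39%; with 128-bit blocks 64GB stays around 2^-65.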
  17. Re:Triple DES AES by evilviper · · Score: 4, Informative
    In 128-bit mode it's like a 12-inch wall with an 11-inch long crack in it. That last inch might hold, but I wouldn't bet on it.

    Terrible, terrible, HORRIBLE analogy.

    Cryptography rounds are not like walls... It's not like a wall, where defeating each one removes strength. In cryptography, even if you can break up to 127-bits, that last 1-bit still means it's just as strong as ever.

    A good example (besides AES) is skipjack... NSA's own. There would have been a vulnerability if it used one less round, but since it uses 1 more, it's still perfectly safe, and hasn't been broken yet...

    In other words, find a new analogy, and don't tell people that AES is insecure. It's gone through detailed analysis to make sure it's secure... The same process that approved of DES years ago.

    If you trust 3-DES, you should trust AES, too.

    Personally, I use blowfish whenever possible, but I haven't seen any crypto hardware with blowfish built-in so I doubt it'll get more widespread anytime soon.
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant