Non-government cryptologists have been saying this for some time -- some of them were saying it from the beginning -- but the US government has consistently ridiculed such suggestions.
A group of well-known cryptographers looked at key lengths in a 1996 paper. They suggested a minimum of 75 bits to consider an existing cipher secure and a minimum of 90 bits for new ciphers. More recent papers, covering both symmetric and public key systems, are at cryptosavvy.com.
Any additional transforms we eventually add to Linux FreeS/WAN will use at least a 128-bit key length.
In a recent ruling, a German court described DES as "out-of-date and not safe enough" and held a bank liable for using it.
Dedicated hardware breaks DES in a few days
The question of DES security has now been settled once and for all. In early 1998, the Electronic Frontier Foundation built a DES-cracking machine. It can find a DES key in an average of a few days' search. It cost just over $200,000 to design and build it. A copy based on the finished design would of course cost less.
The details of all this, including complete code listings and complete plans for the machine, have been published in Cracking DES, by the Electronic Frontier Foundation.
A large corporation could build one of these out of petty cash. The cost is low enough for a senior manager to hide it in a departmental budget and avoid having to announce or justify the project. Any government agency, from a major municipal police force up, could afford one too. Or any large criminal organisation, any reasonably large political group, labour union or religious group, . . .
One might wonder if a private security or detective agency would have one for rent. They wouldn't need many clients to pay off that investment.
As for the security and intelligence agencies of various nations, some of them may have had DES crackers for years. Possibly very fast ones! Cipher-cracking is one of the few known applications which is easy to speed up by just adding more processors and memory. Within very broad limits, you can make it as fast as you like if you have the budget. The EFF's $200,000 machine breaks DES in a few days. An aviation website gives the cost of a B1 bomber as $200,000,000. Spending that much, an intelligence agency could expect to break DES in an average time of six and a half minutes.
That estimate assumes they use the EFF's technology and just spend more money. They may of course have better technology, and they may have spent the price of an aircraft carrier, not just one aircraft. In short, we have no idea just how quickly these organisations can break DES. Unless they're grossly incompetent or using old technology, they can certainly do it at least as fast as the EFF, but beyond that we can't say. Pick any time unit between days and milliseconds. None of these is entirely unbelievable. More to the point, none of them is of any comfort if you don't want such organisations reading your communications.
Note that this may be a concern even if nothing you do is a threat to anyone's national security. An intelligence agency might well consider it to be in their national interest for certain companies to do well. If you're competing against such companies in a world market and that agency can read your secrets, you have a serious problem.
One might wonder about technology the former Soviet Union and its allies developed for cracking DES during the Cold War. They must have tried; the cipher was an American standard and widely used. How well did they succeed? Is their technology now for sale or rent?
It is now absolutely clear that DES is not secure against any well-funded opponent.
Networks break DES in a few weeks
Before the definitive EFF effort, DES had been cracked several times by people using many machines. See this press release for example.
A major corporation, university, or government department could break DES by using spare cycles on their existing collection of computers, by dedicating a group of otherwise surplus machines to the problem, or by combining the two approaches. It might take them weeks or months, rather than the days required for the EFF machine, but they could do it.
What about someone working alone, without the resources of a large organisation? For them, cracking DES will not be easy, but it may be possible. A few thousand dollars buys a lot of surplus workstations, and will buy even more as Year 2000 concerns drive more old machines into the surplus market. A pile of such machines will certainly heat your garage nicely and might break DES in a few months or years. Or enroll at a university and use their machines. Or use an employer's machines. Or crack security somewhere and steal the resources to crack a DES key. Or write a virus that steals small amounts of resources on many machines. Or . . .
None of these approaches are really easy or break DES really quickly, but an attacker only needs to find one that is feasible and breaks DES quickly enough to be dangerous. How much would you care to bet that this will be impossible if the attacker is determined and/or clever? How valuable is your data? Are you authorised to risk it on a dubious bet?
DES is not secure against any opponent (even a penniless one) with access (even stolen access) to enough general purpose computers.
DES is in the source code, because we need DES to implement our
default encryption transform, Triple DES.
We urge you not to use single DES. We do not
provide any easy way to enable it in FreeS/WAN, and our policy
is to provide no assistance to anyone wanting to do so.
We do not, and will not, implement any 40-bit cipher.
Meanwhile, there are two variants of DES which appear to be much
better than plain DES.
One is Triple DES, usually abbreviated
3DES, which applies DES three times, with three different keys. This is
tentatively believed to be much stronger than
single DES, and it quite definitely turns brute-force key search into a
ridiculous impossibility. 3DES is what much of our code now uses by
default. 3DES is, unfortunately, about 1/3 the speed of DES, but modern
CPUs still do it at quite respectable speeds.
The other DES variant is DESX, which adds
trivial XOR encryption before
and after a single DES. This is no stronger than plain DES in general,
but it appears to blow brute-force search out of the water just as
effectively as 3DES, and it is not significantly slower than plain DES.
We have not implemented DESX yet (as of Jan 1999) but may do so eventually.
This would be a good project for a volunteer.
Moore's Law implies that breaks will get faster
Machines get faster by roughly a factor of two every 18 months, or a
factor of 10 every five years. At that rate, in 10 years the EFF machine
to break DES in a few days might cost 100 times less: $2000. A $200,000
machine might break DES in under an hour.
The same applies to attacks by networks of computers or by lone rogue
programmers. In 10 years a few dozen machines will likely break DES as
quickly as a network of thousands does now. In 10 years a large network
will break it in days or hours.
We disable DES
DES can be broken either very quickly by specialised hardware or more
slowly by large collections of standard machines. That is why
Linux FreeS/WAN disables all transforms
which use plain DES for encryption.
40-bits is laughably weak
The same is true, in spades, of ciphers -- DES or others -- crippled
by 40-bit keys, as many ciphers were required to be until recently
under various export laws.
A brute force search of such a cipher's keyspace is 2^16 times faster than a similar search against DES, since the key is 16 bits shorter (40 rather than 56). The EFF's machine can do a brute-force search of a 40-bit key space in seconds.
One contest to crack a 40-bit cipher was won by a student using a few hundred idle machines at his university. It took only three and a half hours.
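The arithmetic behind the figures in the sections above (scaling the EFF machine to a bomber-sized budget, applying Moore's Law over ten years, and the 2^16 speed-up against 40-bit keys) is easy to get wrong by a factor of two, so here is a small cost model that carries it through. This is an added example, not FreeS/WAN code. It assumes the page's data points (about $200,000 for the EFF machine; "a few days" taken as an average of 4.5 days; speed doubling every 18 months) and, like the page, assumes search throughput grows linearly with money spent. The 4.5-day figure, the 100-year safety margin and the 1998 baseline year are this example's own assumptions.

```python
"""Brute-force key-search cost model (added example; not FreeS/WAN code).

Scales the page's two stated data points, the EFF machine's cost and
search time, to other budgets, key lengths and years.
"""
import math

DES_KEY_BITS = 56
EFF_COST_USD = 200_000          # page: "just over $200,000"
EFF_AVG_DAYS = 4.5              # assumption standing in for "a few days"
DOUBLING_MONTHS = 18            # page: a factor of two every 18 months

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keys_per_second(key_bits, avg_seconds):
    """Throughput implied by an average search time.

    An average search tries half the keyspace, 2**(key_bits - 1) keys.
    """
    return 2 ** (key_bits - 1) / avg_seconds


# Baseline: the throughput the EFF machine must have had in 1998.
EFF_RATE = keys_per_second(DES_KEY_BITS, EFF_AVG_DAYS * SECONDS_PER_DAY)


def search_rate(budget_usd, years_from_1998=0.0):
    """Keys per second for an attacker with this budget, this many years later.

    Assumes throughput is linear in money (the page's "just spend more")
    and doubles every DOUBLING_MONTHS (the page's Moore's Law figure).
    """
    money_factor = budget_usd / EFF_COST_USD
    moore_factor = 2 ** (years_from_1998 * 12 / DOUBLING_MONTHS)
    return EFF_RATE * money_factor * moore_factor


def avg_search_seconds(key_bits, budget_usd, years_from_1998=0.0):
    """Expected seconds to recover one key of key_bits bits by brute force."""
    return 2 ** (key_bits - 1) / search_rate(budget_usd, years_from_1998)


def min_key_bits(budget_usd, years_from_1998, margin_years):
    """Smallest key length whose average search still takes longer than margin_years.

    We need 2**(k - 1) >= keys the attacker can try in that time.
    """
    keys_tried = search_rate(budget_usd, years_from_1998) * margin_years * SECONDS_PER_YEAR
    return math.ceil(math.log2(keys_tried)) + 1


if __name__ == "__main__":
    b1_budget = 200_000_000     # page: cost of a B1 bomber
    print("B1 budget, 1998: DES in %.1f minutes"
          % (avg_search_seconds(DES_KEY_BITS, b1_budget) / 60))
    print("EFF machine, 40-bit key: %.1f seconds"
          % avg_search_seconds(40, EFF_COST_USD))
    print("$200K machine, ten years on: DES in %.2f hours"
          % (avg_search_seconds(DES_KEY_BITS, EFF_COST_USD, 10) / 3600))
    print("B1 budget, ten years on, 128-bit key: %.1e years"
          % (avg_search_seconds(128, b1_budget, 10) / SECONDS_PER_YEAR))
    print("Key bits for a 100-year margin against that attacker:",
          min_key_bits(b1_budget, 10, 100))
```

With these assumptions the model reproduces the page's own numbers: the bomber-sized budget gives DES in about 6.5 minutes, the EFF machine clears a 40-bit keyspace in about six seconds, and the same $200,000 machine ten years later finishes DES in roughly an hour. The last line is the defender's view of the same arithmetic: against a $200M attacker a decade on, a 128-bit key still needs on the order of 10^14 years, and a 100-year margin already requires more than the 75 to 90 bits recommended in the 1996 paper cited above.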
Alternatives to DES
A number of non-DES encryption algorithms have been proposed. We will
implement some of them eventually, of course choosing ciphers with at
least 128-bit key length.
AES in IPSEC
The winning candidate from the AES
project to develop a replacement
for DES will almost certainly become widely used for IPSEC, but analysis
takes time and no winner is expected before the summer of 2000 AD.