[1023] in cryptography@c2.net mail archive


Cracking a DES Message

daemon@ATHENA.MIT.EDU (Rick Smith)
Thu Jun 19 19:29:58 1997

In-Reply-To: <199706191544.IAA28325@blacklodge.c2.net>
Date: Thu, 19 Jun 1997 16:28:37 -0600
To: cryptography@c2.net
From: Rick Smith <smith@securecomputing.com>

Two questions come to mind as I read these messages about the successful
DES crack.

1) What entries does this put in the Guinness Book of World Records?

Obviously, the "largest crypto key broken by brute force search".

Peter Trei suggested "largest calculation ever performed" which sounds like
a fair claim. Seems there's also something like the "most people involved
in computing a single answer to a problem" and/or "most computers
involved..." and/or "most distributed computation" however that might be
interpreted.

Whatever the records are, it's a mind-boggling achievement.

All this crypto activity in the news this spring has been personally
annoying. I've been finishing a book on cryptographic products for Internet
security ("Internet Cryptography," Addison-Wesley, out next month, see
http://www.visi.com/crypto/ for more). Since finishing the draft in January
I've had to modify the export control discussion, the 40-bit cracking
examples, and the escrowed encryption discussion. It just went to press so
it's too late to add the DES cracking achievement.


2) How does this *really* affect user security today?

I've been doing computer security long enough to know that it takes a good
deal less than 457,000 MIP years to break into any computer on the planet.
Remember Cryptanalysis Rule 1: go after the plaintext first.

I agree that there's no benefit to using shorter key lengths when longer
ones are available. But is it *really* justified to send everyone
immediately to the store to replace their existing DES devices?

Personally I suspect users will open more holes by scrambling to replace
their hardware than they have by leaving existing (working) protections in
place. Long term, orderly migration makes more sense than panic, eh?

Rick.
smith@securecomputing.com        secure computing corporation



