[2188] in cryptography@c2.net mail archive


Re: Efficient DES Key Search

daemon@ATHENA.MIT.EDU (Rick Smith)
Wed Feb 25 20:01:39 1998

In-Reply-To: <199802252142.QAA02351@thetoybox.org>
Date: Wed, 25 Feb 1998 17:44:06 -0600
To: yhp <iclysdal@thetoybox.org>
From: Rick Smith <rsmith@securecomputing.com>
Cc: cryptography@c2.net

ian clysdale wrote:

>Just because software is not an efficient way to break DES doesn't mean
>that it is a safe method for cryptography.

and in his .sig quoted:

> *  "i would say our bank loses far more credit cards
> *   numbers to privileged employees than to fourteen
> *   year old hackers"  - paul wing, vp, scotiabank

The point is that being "safe" is a function of far more than the crypto
key length. If an enterprise has a security system in place that uses DES
and also protects against, say, insider theft of credit cards, they face a
serious risk if they throw it out and put in a completely different system.
DES key cracking is not always a site's principal threat. The name of the
game is risk reduction, and you don't do it by obsessing on a single
security feature, like key length.

Keep in mind that you can attack the Windows, Unix, or Mac system that
applies the crypto more easily than you can attack DES ciphertext. If
computing power keeps increasing, perhaps someday DES will be as insecure
as the platforms it runs on. Not yet.

That nice, heavy padlock is really impressive, but it doesn't give much
protection when hanging on a cheap, hollow core door.


Rick.
rsmith@securecomputing.com                Secure Computing Corporation
"Internet Cryptography" at http://www.visi.com/crypto/ and bookstores


