[3047] in cryptography@c2.net mail archive
Re: DES Applicability Statement for Historic Status
daemon@ATHENA.MIT.EDU (Marc Horowitz)
Wed Jul 22 23:47:16 1998
To: William Allen Simpson <wsimpson@greendragon.com>
Cc: cryptography@c2.net
From: Marc Horowitz <marc@cygnus.com>
Date: 22 Jul 1998 20:27:29 -0400
In-Reply-To: William Allen Simpson's message of Wed, 22 Jul 1998 13:29:07 -0400
While I agree in principle, DES is not suddenly useless for
everything.
William Allen Simpson <wsimpson@greendragon.com> writes:
>> Moveover, the cost of deploying and maintaining Internet firewalls
>> and Virtual Private Networks exceeds the cost of recovering the DES
>> confidential data. There is no longer any cost benefit over sending
>> the datagrams as cleartext.
This is not true in all cases. I agree, DES is useless against an
attacker interested in any single document. But to an attacker
"vacuuming" a large volume of encrypted transactions, DES is still an
issue. Let's assume that the time to crack DES scales linearly with
cost. Let's also assume an attacker who is willing to spend
$250,000,000 (1000 times the cost of the EFF machine) to steal credit
card numbers, pins, or something similar.
This machine can decode a DES-encrypted message in about 300 seconds
on average. Now, consider a T1 line carrying transactions, encrypted
in DES, which are one kilobyte each. Let's say it's mostly idle, and
carries only about 10% of maximum traffic. This equals about 20
transactions per second, or about 6000 transactions every 300 seconds.
The cracking machine can only break one out of every 6000 transactions
on this link. It can break even fewer if the transaction rate is
higher. Of course, from a security perspective, this is terrible.
However, to assert that there's no difference between this and no
encryption at all is dishonest. Certainly DES should be deprecated by
the IETF. Systems which use it should be upgraded. No new system
should use DES, although practical considerations may require it for
backward compatibility (raise your hand if you run a large site and
have managed to eliminate *plaintext* passwords from your network).
DES is very risky right now. But no cryptography is even riskier.
>> Existing data depending upon DES for confidentiality should be con-
>> sidered compromised.
Danger! Death of the national bank wire system predicted!
Marc
