[3049] in cryptography@c2.net mail archive
Re: DES Applicability Statement for Historic Status
daemon@ATHENA.MIT.EDU (William Allen Simpson)
Thu Jul 23 09:32:15 1998
Date: Thu, 23 Jul 98 04:30:00 GMT
From: "William Allen Simpson" <wsimpson@greendragon.com>
To: Marc Horowitz <marc@cygnus.com>
Cc: cryptography@c2.net
> From: Marc Horowitz <marc@cygnus.com>
> While I agree in principle, DES is not suddenly useless for
> everything.
>

"Suddenly"?!?! Some folks have been saying it was useless for _most_
things for years now. Some folks have been saying it was probably
cracked by even medium sized governments and organizations.

RFC-1829:

    It is suggested that DES is not a good encryption algorithm for the
    protection of even moderate value information in the face of such
    equipment. Triple DES is probably a better choice for such purposes.

But other folks would not listen. Other folks would not even let us
proceed to make Triple DES a Proposed Standard, forcing it to be
published as "Experimental" instead.

As recently as two months ago, folks on the IPSec list (TimeStep, Cisco)
were calling for standardizing 40-bit DES. They already have drafts for
40-bit RC5 and 40-bit CAST -- "a lot better than ... not having any
sales" -- "reality dictates".

Now, plain old single 56-bit DES has been _proven_ useless for
everything. But it wasn't sudden or a surprise. Just reality!
> This machine can decode a DES-encrypted message in about 300 seconds
> on average. Now, consider a T1 line carrying transactions, encrypted
> in DES, which are one kilobyte each. Let's say it's mostly idle, and
> carries only about 10% of maximum traffic. This equals about 20
> transactions per second, or about 6000 transactions every 300 seconds.
>
I'm willing to quibble with your assumption here, which is that each
of those 6000 transactions has its own key. How did that happen?

In our current world, all 6000 have the same key, and so would the other
transactions in that month. I don't see anybody manually keying DES
every day and certainly not every 5 minutes or 50 milliseconds.

The latter is probably technically infeasible, due to the RTT for key
establishment being limited by the annoyingly slow speed of light.

And perhaps you can tell us about SET.... And various credit cards....
And other vending solutions....

Do you know anyone planning on quickly rekeying them?
> >> Moreover, the cost of deploying and maintaining Internet firewalls
> >> and Virtual Private Networks exceeds the cost of recovering the DES
> >> confidential data. There is no longer any cost benefit over sending
> >> the datagrams as cleartext.
>
> However, to assert that there's no difference between this and no
> encryption at all is dishonest. Certainly DES should be deprecated by
> the IETF. Systems which use it should be upgraded. No new system
> should use DES, although practical considerations may require it for
> backward compatibility (raise your hand if you run a large site and
> have managed to eliminate *plaintext* passwords from your network).
>
Read it again. It says "cost benefit". It is now cheaper to crack the
DES keys than for you to generate and maintain them. If nothing else,
you have to deploy and maintain 2 boxes, and they only need 1.

The only time I can see any benefit to having DES would be where the
attacker both does not _yet_ and will _never_ have access to a cracking
machine. They don't meet any definition of "determined". And, they
probably are not sophisticated enough to tap your lines, either. If all
you want to do is protect against casual or accidental snooping by your
own staff, then ROT13 is probably good enough.

If nobody is looking, you've wasted your money. If they _are_ looking,
and you are only using DES, then you've wasted your money.

As Hettinga keeps reminding us, it all comes down to money.

WSimpson@UMich.edu
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32