[3878] in cryptography@c2.net mail archive
Re: Triple DES "standard"?
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Wed Dec 30 20:11:35 1998
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: Cryptography@c2.net, vin@shore.net
Reply-To: pgut001@cs.auckland.ac.nz
Date: Wed, 30 Dec 1998 17:49:33 (NZDT)

Vin McLellan <vin@shore.net> writes:
>I understood that the NSA lobbied bitterly against the X9 effort to
>standardize 3DES as an ANSI standard, insisting that DES would suffice until
>its successor was chosen.
>
>A couple years ago, when the X9 committee -- or maybe one of the X9 crypto
>subcommittees -- rejected that advice and initially recommended that 3DES be
>made a standard, I was told that the NSA rep angrily declared that 3DES
>would _never_ get an export license and would never be shipped overseas.
>(Which may have put a damper on the 3DES standardization effort;-)
>
>Unfortunately, these standards development efforts usually escape the media's
>attention. Anyone on the list active in X9 and can give us the real story?

The NSA's objections, presented by Jerry Rainville of the NSA prior to ANSI
letter ballot, were (my comments in []'s):
- The financial community should transition to a new generation of algorithms
rather than something DES-based [What the "new generation" is is never
specified, presumably either CCEP or FUD].
- Change to a new algorithm is expensive [No sh*t, Sherlock].
- Tripling of any algorithm is cryptographically unsound. Tripling DES, at
best, only doubles the length of the cryptovariable [obviously thinking of
two-key EDE triple DES here]. We cannot vouch that any of the schemes for
doubling the cryptovariable length of DES truly squares the security
[ignoring the fact that X9.17 has done this for years].
- The government is committed to key escrow encryption, we do not believe the
proposal for triple DES is consistent with this objective [Finally, the real
reason for NSA objections].
- The US does not allow the export of DES, let alone triple DES [If DES is
non-exportable then having triple-DES non-exportable isn't going to change
much. OTOH if DES is as insecure as the NSA claims, why is it
non-exportable?].
- Proliferation of triple-DES is counter to national security concerns [Again,
the real reason for trying to kill it].

It should be noted that financial institutions are only now, several years
later, slowly and painfully making the transition to triple DES, and even then
only in response to auditors requiring it after Deep Crack and the German
court ruling that DES was unsound.

At about this time there was also an NSA-sponsored effort to create a new ISO
group under TC68/SC2 to develop a standard international crypto policy (no
prizes for guessing what that would have been), does anyone know any more
about this?

The FUD approach has been used before to upset crypto standards, in the
mid-80's the Australian DSD used similar tactics to attempt to derail ISO
standardisation of DES (DEA-1 in ISO terminology). In this instance someone
claiming to be from the (Australian) DoD turned up (uninvited) and circulated
a document claiming that if the ISO standardised DEA-1 the Japanese would make
cheap equipment to the standard which would then be used by terrorists and
other equestrians. This apparently caused some amusement among the committee
members, not helped by the fact that the author wouldn't identify himself
because his identity was 'classified'. The standard was approved with one
'no' vote, the dissenting comments for the no vote are traditionally included
with the ISO ballot return but in this case were omitted because it was felt
they were silly (although it wasn't phrased quite like that :-), and in any
case would probably offend a major Australian trading partner.

After the DSD (or whoever the classified person represented) failed at this
point and Australia voted for DEA-1 as a standard, there was a really strange
screwup with the paperwork and the almost unanimous 'yes' vote somehow
magically changed itself into a unanimous 'no' vote before the ballot got to
Geneva.

A lot of this stuff was written up in a Communications Australia article about
10 years ago.

Peter.