[3974] in cryptography@c2.net mail archive
NIST Credits Deep Crack
daemon@ATHENA.MIT.EDU (John Young)
Fri Jan 15 11:24:40 1999
Date: Fri, 15 Jan 1999 10:10:02 -0500
To: cryptography@c2.net
From: John Young <jya@pipeline.com>
NIST credits Deep Crack as the reason for proposing
using 3DES in lieu of DES in its new FIPS 46-3 (previously
posted <http://jya.com/nist011599.txt>):
Quote:
Recently claims have been made of a special-purpose
hardware based attack on the DES. In light of this most
recent attack, NIST can no longer support the use of the
DES for many applications. As with other security tools,
encryption must balance cost against risk. The recent
brute force exhaustion attack by a ``cracking machine''
costing $250,000 took 56 hours to crack a single
message.
With this special-purpose technology, the average time
of cracking per message would be twice that, since only
a quarter of all keys were tested. In some cases this kind
of attack may not pose an immediate or significant threat
--for example where short-term protection of perishable
information is desired. However, advances in technology
are likely to further reduce the average cracking time.
Therefore, NIST recommends the following:
--For existing systems, develop a prudent transition strategy
to move to Triple DES. This strategy should match the
strength of the protective measures against the associated
risk. Critical systems should receive priority.
--When building new systems, use Triple DES to protect
sensitive, unclassified data.
End quote
BTW, we've not been able to access CSRC today to get
the new FIPS. Anybody got the same problem? Miles Smid's
phone has been continually busy as well. Moreover, BXA has
been having problems at its site. Any connection to yesterday's
article in Federal Computer Week about lax standards and
training for federal webmasters, or just the usual terrorist attack?