[2687] in Kerberos


Re: The Clipper Chip:....DES

daemon@ATHENA.MIT.EDU (smb@research.att.com)
Wed Apr 21 10:02:36 1993

From: smb@research.att.com
To: bf4grjc@bell-atl.com
Cc: kerberos@Athena.MIT.EDU
Date: Wed, 21 Apr 93 09:26:19 EDT

	 > 
	 > DES is most likely to be recertified for another 5 years.
	 > 
	 The above message from Dorothy Denning, if confirmed, would mean that
	 the Clipper chip has no real impact on the Kerberos community.

That was certainly the impression given by a NIST representative at
Interop.  In contrast to five years ago, there is virtually no opposition
to recertification.  There's even talk about permitting software
implementations.

	 Also: For all this talk in the media about how DES can be
	 broken 'easily' the truth is that there simply IS NO attack
	 better than Shamir's 2^(48) differential cryptanalysis attack
	 (on chosen plaintext) and that there is no efficient method of
	 breaking DES for a reasonable (i.e. reasonable to a hacker,
	 not an intelligence agency) price on a "general purpose" m/c
	 (Not including the DEC spl. purpose chip, etc.).

I think that the Garon and Outerbridge paper (July '91 Cryptologia)
establishes the parameters fairly well.  In essence, a well-funded
criminal organization can achieve a profitable return on their investment
in a DES-cracker *if* they can recover a master key used to transmit
session keys for an EFT system (and, of course, if there are no other
safeguards).  They recommend triple-encryption during key distribution,
to prevent recovery of the master key.  The session key can be recovered,
but that's comparatively valueless; it will have expired before the
cracker retrieves it.  That's a change that Kerberos might want to
consider.
