NIST Proposes Abandoning DES

Mr. Manometer writes "With little fan-fare, NIST proposed yesterday to withdraw the Federal Information Processing Standard (FIPS) for the Data Encryption Standard (DES) with a Federal Register notice (pdf). NIST is encouraging federal agencies to use the Advanced Encryption Standard (AES) instead since they feel that DES is 'now vulnerable to key exhaustion using massive parallel computations.' We all knew this day would come as computers got faster & cheaper... and this should put more pressure on folks to use stronger encryption techniques with is a good thing." Some would argue that DES has been insufficient for some time now.

NIST endorsement of DES

[SIGALRM (784769)]

NIST proposed yesterday to withdraw the Federal Information Processing Standard (FIPS) for the Data Encryption Standard (DES)

Actually, NIST withdrew their endorsement of DES in 1997. DES as a standard was adopted in 1972. Back in '74 when the NSA was looking at Lucifer for NIST, they actually approved it despite a reduction in its original key length of 128 bits to 56 bits, weakening it significantly. The NSA was accused of planting a "back-door" in Lucifer that would allow agents to decrypt without the key, but of course such a thing was never found.

In '76 Lucifer was adopted and renamed "DES". Of course as computers became faster and more powerful, it was recognized that a 56-bit key was simply not large enough for high security applications. As a result of these and other serious flaws, NIST abandoned their official endorsement of DES in 1997 and began work on a replacement, to be called the Advanced Encryption Standard (AES). And so the story continues...

DES3

[kippy (416183)]

I thought that DES3 [tropsoft.com] solved the key length problem by bumping it up to 192 bits. Of course it runs 3 times as slow.

Not that I'm saying we should cling to DES for the next hundred years. I'm all about AES.

Re:DES3

[kasperd (592156)]

First of all it should be explained why they came up with 3-DES instead of just 2-DES. The reason is, that 2-DES would be vulnurable to a meet in the middle attack. If you knew just one plaintext/ciphertext pair you could efficiently compute a small set of possible keys. It would require a lot of disk space, but in the end you would be down to approximately 2^48 keys, and it would require only 2^57 cipher block operations. Another plaintext/ciphertext pair can easilly be tested against the remaining 2^48 keys to find the right one.

In other words 2-DES is not significantly more secure than DES, but 3-DES makes the meet in the middle attack more difficult. You can no longer meet exactly in the middle, but you could meet with 1 cipher on one side and 2 ciphers on the other side. That way you have to brute force the 2 ciphers and that way 3-DES presumably give you the security of a 112 bit key. This is also why you normally only use two different keys for 3-DES. The third key would add no extra security.

But 3-DES have inherited one of the weaknesses of DES. The block size is still only 64 bits. That makes you vulnurable to birthday attacks. For this reason I always advice against using the same 3-DES key for more than 512KB of data. With a 128 bit block like AES uses, a key can be safe for use for longer time, I would say 64GB should be secure.

Re:DES3

[kasperd (592156)]

but you can't get collisions with a cipher...?

Encryption is a litle more than just using a cipher. You need some mode of operation. ECB mode where you just split your message into 64 bit blocks and apply the cipher to each is weak. The problem is, that an attacker can easilly see which blocks contains the same cleartext, because they will all result in the same ciphertext. I once saw this illustrated by encrypting some black and white image where each 8x8 pixels where encrypted using DES in ECB mode. In

Re:DES3

[wwest4 (183559)]

no, the confusion comes from DES being 64-bit with a byte's worth of parity. effective length of single DES key is 56 bits.

now, to really mess it up - the effective key length of 3DES is 112 bits, because only 2 keys are actually used, key A and B. Encrypt with A, then B, then A.

Re:DES3

[canajin56 (660655)]

Sorry, you are thinking of DES2. DES2 uses two keys, and works like this Encrypt with A, decrypt with B, Encrypt with A. I'm not sure on the specifics, but using three encryptions makes it possible to exhaustivly search for A and B on their own, while using a decrypt (As far as is known) requires all combonations of A||B to be exhausted.

DES3 does, in fact, use 3 keys, and is encrypt with A, encrypt with B, encrypt with C.

Further clarification

[jhantin (252660)]

Actually, 3DES uses encrypt with A, decrypt with B, encrypt with A. This makes the degenerate case where A equals B backwards-compatible to single-key DES, and is why 3DES is also called DES-EDE.

However, using 3 keys with any cipher only squares the time to key recovery, regardless of whether the first key and the last key are equal. Assuming you know both the plaintext P and ciphertext C for a given message, compute a table of all possible results of encrypting P with keys 1 and 2, and a table of all po

Re:NIST endorsement of DES

[Spunk (83964)]

It was shown that S-Boxes chosen by the NSA made it more secure, not less. DES [wikipedia.org] and Differential Cryptanalysis [wikipedia.org]

arrggghh...

[by Anonymous Coward]

.... I was going to write a long, well thought out reply to this story but the IT colour scheme is causing acid flashbacks.

The horror... the horror...

As a self-appointed representative of ...

[burgburgburg (574866)]

America's LSD Manufacturers, I'd like to point out that at it's worst (as regards quality control), no US produced acid would ever have created colors like this.

I'm not one to point fingers, but if they do have to be pointed, they should be pointed at Mushrooms or toad licking. Not acid.

Re:arrggghh...

[ticklemeozmo (595926)]

I was going to write a long, well thought out reply to this story but the IT colour scheme is causing acid flashbacks

I seriously thought the sarcasm about the crappy color scheme was going to get old after a while, but actually it still seems appropriate. For Vishnu's sake, change the friggen colors!

Now I'm going to have to go back to ...

[burgburgburg (574866)]

social engineering, keystroke capturing and torture to get information, instead of relying on key exhaustion.

Wait, ...ugh..., I didn't write that and more importantly, you didn't read it. It never happened. Nothing to see here. Just move on now.

Re:Now I'm going to have to go back to ...

[SpaceLifeForm (228190)]

Damn man, you sound like the bush administration.

It was bound to happen eventually.

[Jim Starx (752545)]

All realistic encryption scemes have a lifespan.

Which is why...

[baudilus (665036)]

Which is why we have to invent an unrealistic encryption scheme. Then we can use it forever.

Re:Which is why...

[mattjb0010 (724744)]

Which is why we have to invent an unrealistic encryption scheme. Then we can use it forever.

You mean a one time pad [wikipedia.org]?

Re:Which is why...

[kasperd (592156)]

Then we can use it forever.
You mean a one time pad?

You cannot use a one time pad forever. The name should be a pretty good hint about that. Unfortunately reusing a one time pad is suggested again and again by people not fully understanding what it is all about. In many cases a one time pad is unrealistic because you have to exchange new keys over a secure channel. And usually you want to use the one time pad because you don't have a secure channel. But actually some secure channels exists that can be used to exchange the key, but cannot be used for the data transfer. One such example is seen in quantum cryptography.

However though a one time pad is unconditionally secure, it only guarantees secrecy. Integrity is an interely different matter. Luckily there also exist unconditionally secure MACs for that, and they are a lot more realistic than a one time pad, because the key is smaller and most of the key can be reused. This is very important because without integrity over a clasical channel, even quantum cryptography would have been vulnurable to a man in the midle attack.

But quantum cryptography is not the only way to exchange a one time pad. Other unrealistic ways to exchange a one time pad is using either noisy channels or assumptions about memory bounded adversaries. I call them unrealistic because they are both based on somewhat unrealistic assumptions and require extreme amounts of data to be transfered to create a small one time pad. The most realistic way to exchange a one time pad probably still is to do it in advance. In some cases the exchange in advance makes a lot of sense. Think for example wireless equipment. You'd consider a wire to be secure, but it is inconvenient. But you still have to connect a wire occationally to recharge your battery, at the same time a one time pad could be tranfered over a faster and more secure wired link.

Computation power??

[www.sorehands.com (142825)]

It is always expected that any encryption will be crackable given sufficient computing power, and with Moore's law, that will always eventually happen. But of course by that time, a new more secure, algorithm that requires more computing power to encrypt will be available.

It is interesting to note that they recommend using a faster algorithm.

Of course us, of the tin-foil-hat, brigade know that the government has a very secure algorithm (gotten from area 51), but they never tell us about, just so we use an algorithm that we think is secure, but they have their own back-door.

Man, they are cruel

[by Anonymous Coward]

They want me to abandon DES and Internet Explorer? Please, NIST, why do you keep recommending against my favorite applications.

Let's hope we'll never see ICQ and Windows ME on that list.

YES!!!

[Tenebrious1 (530949)]

Oh yeah! Now foreign powers will have to go back to sending sexy spies to seduce the secrets out of us instead of just breaking the codes!

Re:YES!!!

[dj245 (732906)]

Oh yeah! Now foreign powers will have to go back to sending sexy spies to seduce the secrets out of us instead of just breaking the codes!

In a related story, a mysterious female named "Alotta Patootie" was detained at a northern border crossing on suspicion of ill intent. Formal charges have not been anounced, but the woman did try to seduce four CBP (Customs and Border Protection) agents and succeeded in kicking a fifth in the tallywhacker.

NIST already said DES isn't sufficient

[chizu (669687)]

I thought NIST had already recommended replacing DES with AES several years ago. It's been fairly obvious for a while now that distributed computing could crack DES encoded data.

It will be AES's time before long anyways, with quantum computing these algorithms become fairly useless.

What about triple DES

[Slick_Snake (693760)]

Its be accepted by many in the industry that DES was too weak. However you can use DES repeatedly with different keys to make up for it and thus you get triple DES. It effectly gives you a key space of 56 * 3 = 168 bit keys which is much better. And you could always run the data through a few more times if you are realy paranoid.

Re:What about triple DES

[baudilus (665036)]

While your argument is valid, I fail to see the usefulness of spending more time to strengthen a weak algorithm rather than using one that is inherently more secure. It's like putting more and more duct tape over the hole rather than just changing the pipe.

Say what you will about DES, but please ...

[burgburgburg (574866)]

don't cast aspersions on the practice of putting on more and more duct tape over a hole. Not only is this a sound, well-respected engineering practice (as is evidenced by my saying it), but America's Duct Tape Manufacturers need your every effort to keep our business on steady financial ground.

Whenever this is any doubt about the structural integrity of any item (from little glass figurine to 18 wheeler transporting corrosive chemicals), slap some duct tape on it. And then a little bit more. You'll be gla

Re:Say what you will about DES, but please ...

[SpaceLifeForm (228190)]

Man, you really are part of the bush administration.

But, hey, get with the program dude, you forgot to mention the plastic.

And don't forget, WD-40 has a role also.

Re:What about triple DES

[Thagg (9904)]

There are significant advantages of triple DES.

1) DES has been around a long time. People have attacked it for years, with every new and old technique of cryptanalysis. DES was created by IBM with help (no, really!) from NSA -- it was NSA that proposed adjustements in the S-Boxes that made DES more resistant to differential cryptanalysis. DES has proven to be secure, except for the obvious key-length problem, in the very best way you can prove an algorithm secure -- by having the best minds on the plane

Re:What about triple DES

[michael_cain (66650)]

DES hardware exists, and is inexpensive and relatively secure. Using current hardware to impliment triple DES is easy.

Indeed. It is one thing for NIST to recommend that everyone using software implementations of DES should change to something else (although it appears that they are actually only recommending it to government users). It is a very different thing to deal with the millions of consumer devices out there with hardware DES which would have to be replaced.

Re:What about triple DES

[man_ls (248470)]

One interesting tidbit (from "Applied Cryptography") was that the NSA adjustments to the S-boxes actually predicted and secured for a vaunerability that was discovered 30 years later.

When the S-box attacks came out in the 90s or so, people thought DES might be vaunerable to it -- but the adjustments the NSA had made decades before to the standard prevented its vaunerability.

That's impressive. Did they know, or was it just lucky.

Re:What about triple DES

[russotto (537200)]

They knew. The IBM team discovered differential cryptography (IIRC called it the "T attack") while developing the cipher. NSA already knew about it even then, though, so Biham and Shamir are at least the third set of inventors/discoverers of that technique.

Re:What about triple DES

[by Anonymous Coward]

Actually, triple DES uses one of the keys twice, so you only get a key space of 112 (56 * 2) bits.

Effective strength of 3DES: about 90 bits

[Paul Crowley (837)]

It was known when 3DES was proposed that the "meet in the middle" attack reduced the effective strength to 112 bits. Lucks's attacks reduce that strength to 90 bits. See

http://th.informatik.uni-mannheim.de/People/Luck s/ papers.html

Re:What about triple DES

[Slick_Snake (693760)]

Being a bit slower may actually be an advantage when the only method of attack is brute force. As for having a key complexity of 112 bits, that is only if you use two keys instead of three. If you are worried about people breaking it you would use three, but even if you used two lets take a look at it.

If you could try one key at every clock cycle, which would be amazing in and of itself, it would take you 54,844,652,936,586,090.5 years of computation on a 3 GHz machine to try every key. If you take half

I nominate this for understatement of the day

[Marxist Hacker 42 (638312)]

Some would argue that DES has been insufficient for some time now.

Yeah, like since the day I first heard about it, back in 1995.

Isufficient for what?

[m.h.2 (617891)]

"Some would argue that DES has been insufficient for some time now."

Insufficient for what? I hate to play semantics, and I'm no cryptographer, but as I understand it, the inadequacies of an encryption algorithm are primarily defined by the implementation and the reason for it [application]. OK, it's a weak cipher, but in certain instances, it may still be useful. Right?

Re:Isufficient for what?

[nkntr (583297)]

I think that this falls under the category of "anything worth encrypting is worth encrypting well" category. If you are doing it for pure educational sake, use whatever you want. But if you are charged with a purpose of keeping some information private, then it is your responsibility to use an encryption method that is sufficient to keep it private.

Re:Isufficient for what?

[cynic10508 (785816)]

Insufficient for what?

What it boils down to is that DES has a fixed key length of 56 bits. Sure, you can 3DES it but you've also tripled the number of computations you have to do for every block of data. So while DES's key size has remained fixed, computing power is expanding at Moore's law. So, inevitably, computing power will overwhelm DES's practicality. It's just a matter of time (read: now). While AES, on the other hand, allows you to expand the key size from 128-bits by 64-bit blocks. So we

Good!

[l0ungeb0y (442022)]

Nice to hear they got some good consulting.

I've been using AES-256 on all my projects that deal with sensitive data since ohhh -- 2001.

Considering that DES has been relegated to hack toy status for some time now and triple-DES is only marginally better since it's just DES encryption done threefold I think this is a very wise but belated move.

And when Hollywood even makes fun of an encryption grade by showing a guy breaking it in 60 seconds while getting a BLOWJOB, you KNOW it's time to stop using it!

Re:Good!

[kakos (610660)]

Also, 3DES is about as good as AES with regards to security, but magnitudes slower. Thousands of cycles compared to AES's 100 cycles.

Disallowed for .se use for a while

[by Anonymous Coward]

When I did my military service in Sweden 96/97 I came across the official introduction book to cryptology (the Swedish military has, as I assume every national military has, a book division making various manuals). It was pretty standard starting out with substitution and permutation and quickly moving past most techniques up to finite field equations. I don't know when the book was written (it didn't say), but probably in the mid to late 80's since the most recent book reference was from 85. The thing that really caught my eye was however a paragraph that essentially said "DES is not certified for secure transmissions in the Swedish military for reasons we will not discuss here". Given that they broke every crypto system transmitted over Sweden during WWII, I would take their advice if they say not to use a cipher.

Critics proven right

[msblack (191749)]

One of the earliest critics of DES (FIPS-46) was Whitfield Diffie, a maverick of his time. The government, industry, and press all hailed the 56-bit DES as a milestone breakthrough. At that time, ITAR regulations limited encryption algorithms to 28 or 40 bits, a serious restriciton for international corporations. IBM was prohibited from using Lucifer with its offshore subsidiaries because the Feds equated it with nuclear weaponry.

Diffie is probably best renowned for his methodology known as knapsack encryption. This was alternative to RSA which was computationally prohibitive in the early 1980s.

I remember my having difficulty in my old college days in obtaining a copy of RSA. My school had to obtain a copy of their paper from MIT through inter-library loan. I had not realized that RSA would gain such widespread adoption because ITAR would prevent international implementation for any US-based company.

Corrections to the above history

[Paul Crowley (837)]

Diffie didn't invent knapsack encryption. Diffie and his colleague, Martin Hellman, invented the first public key cryptosystem, Diffie-Hellman, and founded the modern field of cryptography. We all owe them (and Ralph Merkle, who basically did the same things at the same time) an enormous debt.

There were no ITAR limits on key length. The law simply stated that you needed a license to export products that included cryptography; strictly interpreted that would have included a Secret Decoder Ring. It wasn't until Lotus wanted to export Notes with crypto built in that the NSA got involved in the process of making it possible for products that used crypto to be granted export licenses by demanding features such as CDWF, which made it easy for the NSA to break messages while keeping it hard for everyone else.

Lucifer was vulnerable to a differential cryptanalytic attack that reduced the effective key strength to around 56 bits. However, IBM and the NSA kept their knowledge of DC secret until Biham and Shamir rediscovered it in 89.

RSA was invented later. It was never prohibitively slow, though of course it's got much faster over the years.

If you wanted a description of RSA, why didn't you just buy a copy of Scientific American, where it was first published in Martin Gardener's "Mathematical Games" column?

Re:Critics proven right

[hackstraw (262471)]

Diffie is probably best renowned for his methodology known as knapsack encryption.

I would think that he is known for Diffie-Hellman key exchange [wikipedia.org], especially since Hellman created the knapsack encryption :)

Diffie-Hellman key exchange is done every day when one makes a ssl or ssh connection.

But who wants a totally secure system?

[panurge (573432)]

I'm reminded of Terry Pratchett's Havelock Vetinari, (various Discworld books) who gets his pet scientist to devise him cyphers that are merely fiendishly difficult - because he wants his enemies to think they know what he is thinking.
This is actually a valid point about intelligence. Although it's obvious that there are places where uncrackable encryption should be used if at all possible, there are many others where disinformation can be used to great effect. An example is where a message crackable in finite time is allowed to be intercepted because by the time it is decrypted it is too late to take action, the object being to build up the credibility of an information source prior to shovelling out a great load of disinformation. I believe this technique was used ahead of the D-Day landings as part of the plan to persuade the Germans that the invasion would actually be in the Pas de Calais.

For this reason I would have thought it was unwise for official bodies to make statements about the use of different forms of encryption - unless it's a double bluff and DES will continue to be used for short-life messages.
Tinfoil hat? Stress-relieved oxygen-free copper plated mumetal in my case.

Cracking yesterday's secrets?

[danharan (714822)]

Secrets normally take years, often decades to be out in the public domain. What was daunting before EFF's 1998 achievement is looking more and more trivia for a government that wouldn't blink at the cost of buying a 1,000 node super-computer.

To future-proof secrets, you'd have to encrypt at a level that not only would be ridiculously expensive to crack today, but as long as you need to keep them, well, secret. Imagine some of the files from the time of the UNSC's Iraq debates a year-and-a-half ago getting cracked today or before the next US presidential election.

Re:Elliptic Curve Cryptosystem...

[akula1 (463239)]

Many cryptanalysts don't trust ECC yet because there has not been enough peer review (i.e. attmepts to break it) of the mathematics of the algorithm.

Re:Elliptic Curve Cryptosystem...

[dark_panda (177006)]

Elliptic curve cryptography is a public/private key system like DSA or RSA. It's an asymmetric cipher method where the key used to encrypt is not the necessarily the same key used to decrypt.

DES and AES are symmetric ciphers, where you use the same key for both operations.

The two forms of crypto have different uses, and ECC isn't all that useful as a replacement for DES. That's what AES is for.

As an aside, Diffie-Hellman is a method of key agreement, and is not a cipher in itself, but rather it is used in conjunction with other crypto systems. (IPsec, for instance, uses DH, I believe.)

J

AES is *much* stronger than 3DES

[Paul Crowley (837)]

AES certainly was designed to be secure. You exaggerate the extent of what people have against it so far by an absolutely gargantuan margin.

In addition, you are clearly unaware of Stefan Lucks's attacks on 3DES, which take it down to about 72 bits of security - far from the 112 it promises. You might as well just use DESX, which is about as strong but three times faster.

90 bits, not 72 bits

[Paul Crowley (837)]

I misremembered the efficacy of Lucks's attacks - it's more like 90 bits. See

http://th.informatik.uni-mannheim.de/People/Luck s/ papers.html

Re:Triple DES AES

[evilviper (135110)]

In 128-bit mode it's like a 12-inch wall with an 11-inch long crack in it. That last inch might hold, but I wouldn't bet on it.

Terrible, terrible, HORRIBLE analogy.

Cryptography rounds are not like walls... It's not like a wall, where defeating each one removes strenghth. In cryptography, even if you can break up to 127-bits, that last 1-bit stll means it's just as strong as ever.

A good example (besides AES) is skipjack... NSA's own. There would have been a vulnerability if it used one less round, but since it uses 1 more, it's still perfectly safe, and hasn't been broken yet...

In other words, find a new analogy, and don't tell people that AES is insecure. It's gone through detailed analysis to make sure it's secure... The same process that approved of DES years ago.

If you trust 3-DES, you should trust AES, too.

Personally, I use blowfish whenever possible, but I haven't seen any crypto hardware with blowfish built-in so I doubt it'll get more widespread anytime soon.