Eric Young (eay@cryptsoft.com)
Tue, 21 Jul 1998 15:29:25 +1000 (EST)
On Mon, 20 Jul 1998, C Matthew Curtin wrote:
> Bob> So, once again, I repeat: as of last week, DES *is* snakeoil, no
> Bob> matter its venerable pedigree. (See my .sig, below, to see what I
> Bob> think about venerable ideas.)
>
> "Snake Oil" typically refers to a worthless product.
>
> DES is not snake oil. It has withstood more than 20 years of
> cryptanalysis, with no significant discoveries of design flaws. We've
> all learned some stuff from studying DES.

Modes like DESX are effectively 80-90 bits of security, with the same
speed as single DES.

The current arguments are like calling RC4 crap because it can operate with a
40 bit key.

RC4 is misused in quite a few commercial applications by people using it to
encrypt data with a user supplied key, which is pure lunacy for a stream
cipher, and I would consider most of these systems probably safer with 56 bit
DES, rather than a misused 128 bit stream cipher.

This should be an issue of key size, not that a particular cipher is crap.
If someone has worked out how to break DES with 2^15 known plaintext attacks,
then I would be throwing out everything based on DES.

I see the EFF's machine as being very interesting for the ease of building
custom hardware for brute force attacks.

If I enter my 8 digit password, (assuming I just use a password from 74
of the 128 ASCII values), that is approximately 2^49 possible
values.....
For the unix password case, assuming 74*8 (crypt(2) is ~ 25 DES), this
comes out as about 2^55 DES encryptions....

For the 128 bit ciphers, I'd target the 'user input key' component.
Using slow hashes etc to convert from 'user input' to 'cipher key' definitely
helps, but how many deployed systems are there that just plug the ASCII in to
the cipher's set_key function?

> The problem with DES isn't that it's "snake oil", it's that its key length,
> at 56 bits, is too small for protecting nontrivial data. The basic design
> of DES is still useful, and as you observed, variations like triple-DES deal
> with the small-key problem relatively well.

And contrary to the claim that triple DES is only 112 bits of security, that
particular attack requires 2^64*8 (or is that 2^56*8) bytes of storage. A
slightly non-trivial amount. In the world of realistic attacks, such memory
requirements will not be implemented for a long long time.

> Please stop saying that DES is snake oil, and posting "DES is DED"
> messages to CodherPlunks (and cryptography). DES is not snake oil, and
> you're only preaching to the choir here... Such messages accomplish
> nothing.

As 'Technical' people, 'we' have known the key length was too short quite
a long time now. The EFF machine is just a very very good way of
driving the point home for the 'non-technical' people, who were always saying
it would cost too much etc etc.

> Tell the papers. Tell the magazines. Tell the financial industry. Nearly
> everyone _but_ the readers of CodherPlunks needs to be told that small-key
> cryptosystems are inadequate for security, regardless of the quality of its
> design.

I totally agree. That is the message of the EFF's machine, not that DES is
a hopeless algorithm. In some ways it is sort of nice that single DES may be
finally phased out of service due to susceptibility to the attack that was
obvious from the first day it was published. How many other 'broken' ciphers
have this distinction?

eric
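
The keyspace arithmetic and the "ASCII straight into set_key" problem from the message above, as an added Python example that is not part of the original post. The 74-character alphabet, the function names and the use of PBKDF2-HMAC-SHA256 as the slow hash are assumptions; the example also goes slightly beyond the message by counting how many distinct DES keys remain once DES discards the parity (low) bit of each key byte.

```python
import hashlib
import math
import string

# Constructed 74-character password alphabet (the message does not say which 74).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_"

def search_bits(alphabet_size, length, ops_per_guess=1):
    """log2 of the cipher operations needed to try every password."""
    return length * math.log2(alphabet_size) + math.log2(ops_per_guess)

def raw_ascii_des_key(password):
    """Key bits DES actually uses when ASCII is passed straight to set_key.

    DES treats the low bit of each key byte as parity and ignores it.
    """
    key = password.encode("ascii")[:8].ljust(8, b"\0")
    return bytes(b & 0xFE for b in key)

def raw_ascii_key_bits(alphabet, length=8):
    """Effective key bits once characters differing only in the parity bit collapse."""
    distinct = len({ord(c) & 0xFE for c in alphabet})
    return length * math.log2(distinct)

def stretched_key(password, salt, iterations, key_len=16):
    """Slow password-to-key conversion; PBKDF2 stands in for 'slow hashes'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("ascii"), salt,
                               iterations, key_len)

if __name__ == "__main__":
    n = len(ALPHABET)
    print(f"8 chars from {n}: 2^{search_bits(n, 8):.1f} passwords")
    print(f"25 DES per guess: 2^{search_bits(n, 8, 25):.1f} DES operations")
    print(f"raw ASCII as DES key: 2^{raw_ascii_key_bits(ALPHABET):.1f} distinct keys")
    print(f"100000 PBKDF2 rounds: 2^{search_bits(n, 8, 100_000):.1f} hash operations")
    # Two different passwords, one DES key: 'p' and 'q' differ only in the parity bit.
    print(raw_ascii_des_key("password") == raw_ascii_des_key("qassword"))
    salt = bytes(16)  # constructed fixed salt for the demo; use a random one in practice
    print(stretched_key("password", salt, 100_000) !=
          stretched_key("qassword", salt, 100_000))
```
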
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:43 ADT