1996-01-21 - Re: DES in real life

Header Data

From: “Perry E. Metzger” <perry@piermont.com>
To: Michael Froomkin <froomkin@law.miami.edu>
Message Hash: e2d82e5a993ddd8a92fe4e9ee6dfc8620c37229efc88b42d8ee1b76133d769cf
Message ID: <199601210001.TAA03292@jekyll.piermont.com>
Reply To: <Pine.SUN.3.91.960120111743.16171F-100000@viper.law.miami.edu>
UTC Datetime: 1996-01-21 02:03:55 UTC
Raw Date: Sun, 21 Jan 1996 10:03:55 +0800

Raw message

From: "Perry E. Metzger" <perry@piermont.com>
Date: Sun, 21 Jan 1996 10:03:55 +0800
To: Michael Froomkin <froomkin@law.miami.edu>
Subject: Re: DES in real life
In-Reply-To: <Pine.SUN.3.91.960120111743.16171F-100000@viper.law.miami.edu>
Message-ID: <199601210001.TAA03292@jekyll.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain



Michael Froomkin writes:
> Recognizing that DES is not the best thing out there, but that it is
> better than RC40 and life is a series of cost/benefit tradeoffs and that

That's RC4, and it isn't necessarily better than RC4, especially if
the RC4 key length is reasonable. No one really knows the strength of RC4.

> 1) Suppose you are approached by a corporate client who believes that they
> can get export permission for DES (but nothing stronger, i.e. no 3DES). 
> What kind of real-world, non-banking, applications is DES just too weak
> for today?

I'd guess that anyone who considers their messages to be worth more
than a few hundred bucks a pop has cause to worry, because that's the
upper limit on the cost of cracking DES keys these days.

> 2) How long before DES becomes generally unsuitable for (A) corporate 
> (B) personal use [please keep the threat model on which this question is 
> based in mind -- threats *other than* the US government wiretapping you]?

I'd say it is unsuitable for anything approaching a valued corporate
secret today. Personal use? Well, the threat model there is all
important. Certainly your cousin can't crack DES keys -- yet.

> 3) Do you have a view as to whether DES (A) will and (B) should be 
> recertified next time the issue arises?

DES should not be recertified. I have no opinions on what the
government will do.

Perry




