From: “Kawika Daguio” <KDAGUIO@aba.com>
To: rdl@mit.edu
Message Hash: 7a5e3d31dcaddb3eb9a4b32d9e740520174a22d81b233e7244b6db56c89db35f
Message ID: <s5b36475.040@aba.com>
Reply To: N/A
UTC Datetime: 1998-07-20 19:40:58 UTC
Raw Date: Mon, 20 Jul 1998 12:40:58 -0700 (PDT)
From: "Kawika Daguio" <KDAGUIO@aba.com>
Date: Mon, 20 Jul 1998 12:40:58 -0700 (PDT)
To: rdl@mit.edu
Subject: Re: 3DES weak because DES falls to brute-force? (was Re: JohnGilmore...)
Message-ID: <s5b36475.040@aba.com>
MIME-Version: 1.0
Content-Type: text/plain
If you listen to those in the exploitation community you might hear that 3DES provides less comparable security relative to DES than you know or have stated. Either way, however, it is more than sufficiently strong to secure any kind of traffic one might contemplate sending over a network. 3DES should work for a while, but I would prefer something more elegant and efficient.
We have pushed 3DES forward as an interim standard, and are moving 3DES out into the world and the AES (128 and 256) forward to provide us another long-term solution. We told NIST that we hoped the AES could serve as a 20-30 year solution and are pushing algorithm agnostic standards to avoid similar obstacles to a transition in the far off future.
One of the reasons we so aggressively pursued the negotiations over export control with the Administration and have pushed the AES, and our PKI is the collateral damage from the export control legislative debate. When the AES is finalized it will be followed closely by an ANSI X9 standard. Once these standards and infrastructure are established, the concerns about brute force attacks should be largely behind us.
kawika
daguio
my views only
>>> Ryan Lackey <rdl@MIT.EDU> 07/20/98 02:16PM >>>
Sigh. One should not do math before coffee.
Let's try this again:
If you assume 2^56 requires $50k and 3 days, and are willing to take
2^8 times longer and spend 2^16 times more, and want to break a 2^112 bit
key, and assume technology doubles in performance for this particular
operation per year, then the calculation is easy to do.
112 - 56 - 16 - 8 = 32
If you wait 32 years, and have *incredible* performance gains in excess of
what we have now (but which I think could be possible for worst-case crypto
breaking chips, since they have relatively little in the way of communication,
and have small units), and have a budget of 16 times what the DES cracker
had (about $3b, which is totally reasonable), and are willing to wait about
2 years, you can brute force 3DES in the year 2030.
There is still very little that is relevant in 32 years, and there is still
a far better chance that some analytic attack will be discovered, a fundamental
breakthrough in computation will happen, etc. before that time.
112 bits is below the "physical impossibility" point as far as key size goes
(I like the calculation based on free energy in the universe in Applied
Crypto).
Chapter 7 in Applied Crypto is probably a far better analysis than mine,
especially as it includes the caveat emptor section.
Perhaps it is correct, "It's time to bring on those 128, 192, and 256-bit
keys",
at least for some systems, although I'd definitely prefer multiple ciphers
separately keyed with long keys than n-DES for such long-term use.
Calculating future key lengths really *is* a losing game.
--
Ryan Lackey
rdl@mit.edu
http://sof.mit.edu/rdl/
Return to July 1998
Return to ““Kawika Daguio” <KDAGUIO@aba.com>”
1998-07-20 (Mon, 20 Jul 1998 12:40:58 -0700 (PDT)) - Re: 3DES weak because DES falls to brute-force? (was Re: JohnGilmore…) - “Kawika Daguio” <KDAGUIO@aba.com>