Non-government cryptologists have been saying DES's 56-bit key was too short for some time -- some of them were saying it in the 70's when DES became a standard -- but the US government has consistently ridiculed such suggestions.
A group of well-known cryptographers looked at key lengths in a 1996 paper. They suggested a minimum of 75 bits to consider an existing cipher secure and a minimum of 90 bits for new ciphers. More recent papers, covering both symmetric and public key systems, are at cryptosavvy.com and rsa.com. For all algorithms, the minimum key lengths recommended in such papers are significantly longer than the maximums allowed by various export laws.
In a recent ruling, a German court described DES as "out-of-date and not safe enough" and held a bank liable for using it.
Dedicated hardware breaks DES in a few days
The question of DES security has now been settled once and for all. In early 1998, the Electronic Frontier Foundation built a DES-cracking machine. It can find a DES key in an average of a few days' search. It cost just over $200,000 to design and build it. A copy based on the finished design would of course cost less.
The details of all this, including complete code listings and complete plans for the machine, have been published in Cracking DES, by the Electronic Frontier Foundation.
A large corporation could build one of these out of petty cash. The cost is low enough for a senior manager to hide it in a departmental budget and avoid having to announce or justify the project. Any government agency, from a major municipal police force up, could afford one too. Or any large criminal organisation, any reasonably large political group, labour union or religious group, . . .
One might wonder if a private security or detective agency would have one for rent. They wouldn't need many clients to pay off that investment.
"Moore's Law" is that machines get faster (or cheaper, for the same speed) by roughly a factor of two every 18 months. At that rate, the EFF machine would cost well under $100,000 as I write in mid-2000. By the end of the decade, building one might be an undergraduate lab project.
That estimate assumes they use the EFF's 1998 technology and just spend more money. They may have an attack that is superior to brute force, they quite likely have better chip technology (Moore's law, a bigger budget, and whatever secret advances they may have made) and of course they may have spent the price of an aircraft carrier, not just one aircraft.
In short, we have no idea how quickly these organisations can break DES. Unless they're grossly incompetent, they can certainly do it more quickly than the users of the cipher would like, but beyond that we can't say. Pick any time unit between days and milliseconds. None of these is entirely unbelievable. More to the point, none of them is of any comfort if you don't want such organisations reading your communications.
Note that this may be a concern even if nothing you do is a threat to anyone's national security. An intelligence agency might well consider it to be in their national interest for certain companies to do well. If you're competing against such companies in a world market and that agency can read your secrets, you have a serious problem. For one example, see this news story. The US are the villains in that piece, but there is no reason to imagine they are the only, or even the worst, villains in this area.
One might wonder about technology the former Soviet Union and its allies developed for cracking DES during the Cold War. They must have tried; the cipher was an American standard and widely used. How well did they succeed? Is their technology now for sale or rent?
Networks break DES in a few weeks
Before the definitive EFF effort, DES had been cracked several times by people using many machines. See this press release for example.
A major corporation, university, or government department could break DES by using spare cycles on their existing collection of computers, by dedicating a group of otherwise surplus machines to the problem, or by combining the two approaches. It might take them weeks or months, rather than the days required for the EFF machine, but they could do it.
What about someone working alone, without the resources of a large organisation? For them, cracking DES will not be easy, but it may be possible. A few thousand dollars buys a lot of surplus workstations, especially since Year 2000 concerns have driven more old machines into the surplus market. A pile of such machines will certainly heat your garage nicely and might break DES in a few months or years. Or enroll at a university and use their machines. Or use an employer's machines. Or crack security somewhere and steal the resources to crack a DES key. Or write a virus that steals small amounts of resources on many machines. Or . . .
None of these approaches are really easy or break DES really quickly, but an attacker only needs to find one that is feasible and breaks DES quickly enough to be dangerous. How much would you care to bet that this will be impossible if the attacker is determined and/or clever? How valuable is your data? Are you authorised to risk it on a dubious bet?
DES is in the source code, because we need DES to implement our default encryption transform, Triple DES.
We urge you not to use single DES. We do not provide any easy way to enable it in FreeS/WAN, and our policy is to provide no assistance to anyone wanting to do so.
40-bits is laughably weak
The same is true, in spades, of ciphers -- DES or others -- crippled by 40-bit keys, as many ciphers were required to be until recently under various export laws.
A brute force search of such a cipher's keyspace is 2^16 times faster than a similar search against DES. The EFF's machine can do a brute-force search of a 40-bit key space in seconds.
One contest to crack a 40-bit cipher was won by a student using a few hundred idle machines at his university. It took only three and a half hours.
We do not, and will not, implement any 40-bit cipher.
Alternatives to DES
A number of non-DES encryption algorithms have been proposed. We will implement some of them eventually, of course choosing ciphers with at least 128-bit key length.
AES in IPSEC
The winning candidate from the AES project to develop a replacement for DES will almost certainly become widely used for IPSEC, but analysis takes time and no winner is expected before the summer of 2000.
Meanwhile, there is a variant of DES which is far better than plain DES. Triple DES, usually abbreviated 3DES, applies DES three times, with three different keys. This is believed to be much stronger than single DES, and it quite definitely turns brute-force key search into a ridiculous impossibility. 3DES is what our code now uses by default. 3DES is, unfortunately, about 1/3 the speed of DES, but modern CPUs still do it at quite respectable speeds. Some speed measurements for our code are available.
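The arithmetic behind the figures above (the Moore's Law price estimate, the 2^16 ratio between 40-bit and 56-bit searches, and the claim that 3DES puts key search out of reach), as an added example that is not part of the original document or of the FreeS/WAN code. It assumes "a few days" means 4.5 days on average, 28 months between early 1998 and mid-2000, and throughput that scales linearly with money; all function names are illustrative.

```python
# Added example: brute-force cost model built from the figures quoted above.
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

BASE_COST_USD = 200_000     # page: "just over $200,000", early 1998
DOUBLING_MONTHS = 18        # page: factor of two every 18 months
ASSUMED_AVG_DAYS_DES = 4.5  # assumption standing in for "a few days"


def average_trials(key_bits):
    """Exhaustive search finds the key after half the keyspace on average."""
    return 2 ** (key_bits - 1)


def keys_per_second(budget_usd=BASE_COST_USD, months_after_1998=0.0):
    """Throughput bought by a budget: linear in money, doubling every 18 months."""
    base = average_trials(56) / (ASSUMED_AVG_DAYS_DES * SECONDS_PER_DAY)
    growth = 2 ** (months_after_1998 / DOUBLING_MONTHS)
    return base * (budget_usd / BASE_COST_USD) * growth


def average_seconds(key_bits, budget_usd=BASE_COST_USD, months_after_1998=0.0):
    """Average time to recover one key of the given length."""
    return average_trials(key_bits) / keys_per_second(budget_usd, months_after_1998)


def budget_for(key_bits, target_seconds, months_after_1998=0.0):
    """Money needed to recover a key within target_seconds on average."""
    per_dollar = keys_per_second(1.0, months_after_1998)
    return average_trials(key_bits) / (per_dollar * target_seconds)


# Key lengths named on the page; 168 bits is naive search over three DES keys.
KEY_SIZES = [("40-bit export", 40), ("DES", 56), ("1996 minimum", 75),
             ("1996 new ciphers", 90), ("128-bit", 128), ("3DES, 3 keys", 168)]

if __name__ == "__main__":
    for name, bits in KEY_SIZES:
        secs = average_seconds(bits)
        years = secs / SECONDS_PER_YEAR
        print(f"{name:18} {bits:4} bits  {secs:.3g} s  ({years:.3g} years)")
    # Price of the 1998 machine's throughput 28 months later (mid-2000, assumed).
    later = budget_for(56, ASSUMED_AVG_DAYS_DES * SECONDS_PER_DAY, 28)
    print(f"same throughput, mid-2000: ${later:,.0f}")
```

Changing ASSUMED_AVG_DAYS_DES rescales every row by the same factor, so the ratios between key lengths do not depend on that assumption.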