Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

NIST Proposes Abandoning DES 205

Mr. Manometer writes "With little fan-fare, NIST proposed yesterday to withdraw the Federal Information Processing Standard (FIPS) for the Data Encryption Standard (DES) with a Federal Register notice (pdf). NIST is encouraging federal agencies to use the Advanced Encryption Standard (AES) instead since they feel that DES is 'now vulnerable to key exhaustion using massive parallel computations.' We all knew this day would come as computers got faster & cheaper... and this should put more pressure on folks to use stronger encryption techniques with is a good thing." Some would argue that DES has been insufficient for some time now.
This discussion has been archived. No new comments can be posted.

NIST Proposes Abandoning DES

Comments Filter:
  • by SIGALRM ( 784769 ) * on Thursday July 29, 2004 @01:38PM (#9833771) Journal
    NIST proposed yesterday to withdraw the Federal Information Processing Standard (FIPS) for the Data Encryption Standard (DES)
    Actually, NIST withdrew their endorsement of DES in 1997. DES as a standard was adopted in 1972. Back in '74 when the NSA was looking at Lucifer for NIST, they actually approved it despite a reduction in its original key length of 128 bits to 56 bits, weakening it significantly. The NSA was accused of planting a "back-door" in Lucifer that would allow agents to decrypt without the key, but of course such a thing was never found.

    In '76 Lucifer was adopted and renamed "DES". Of course as computers became faster and more powerful, it was recognized that a 56-bit key was simply not large enough for high security applications. As a result of these and other serious flaws, NIST abandoned their official endorsement of DES in 1997 and began work on a replacement, to be called the Advanced Encryption Standard (AES). And so the story continues...
    • by kippy ( 416183 )
      I thought that DES3 [tropsoft.com] solved the key length problem by bumping it up to 192 bits. Of course it runs 3 times as slow.

      Not that I'm saying we should cling to DES for the next hundred years. I'm all about AES.
      • Re:DES3 (Score:5, Informative)

        by kasperd ( 592156 ) on Thursday July 29, 2004 @03:00PM (#9835049) Homepage Journal
        First of all it should be explained why they came up with 3-DES instead of just 2-DES. The reason is, that 2-DES would be vulnurable to a meet in the middle attack. If you knew just one plaintext/ciphertext pair you could efficiently compute a small set of possible keys. It would require a lot of disk space, but in the end you would be down to approximately 2^48 keys, and it would require only 2^57 cipher block operations. Another plaintext/ciphertext pair can easilly be tested against the remaining 2^48 keys to find the right one.

        In other words 2-DES is not significantly more secure than DES, but 3-DES makes the meet in the middle attack more difficult. You can no longer meet exactly in the middle, but you could meet with 1 cipher on one side and 2 ciphers on the other side. That way you have to brute force the 2 ciphers and that way 3-DES presumably give you the security of a 112 bit key. This is also why you normally only use two different keys for 3-DES. The third key would add no extra security.

        But 3-DES have inherited one of the weaknesses of DES. The block size is still only 64 bits. That makes you vulnurable to birthday attacks. For this reason I always advice against using the same 3-DES key for more than 512KB of data. With a 128 bit block like AES uses, a key can be safe for use for longer time, I would say 64GB should be secure.
    • Lucifer was vulnerable to a DC attack that reduced the effective strength to around 56 bits.

      Coppersmith maintains that the NSA had no hand in designing DES, and all the secret design features turned out to be there to make it stronger (eg against DC, which the IBM team kept secret).
  • arrggghh... (Score:5, Funny)

    by Anonymous Coward on Thursday July 29, 2004 @01:40PM (#9833795)

    .... I was going to write a long, well thought out reply to this story but the IT colour scheme is causing acid flashbacks.

    The horror... the horror...
  • by burgburgburg ( 574866 ) <splisken06.email@com> on Thursday July 29, 2004 @01:42PM (#9833834)
    social engineering, keystroke capturing and torture to get information, instead of relying on key exhaustion.

    Wait, ...ugh..., I didn't write that and more importantly, you didn't read it. It never happened. Nothing to see here. Just move on now.

  • by Jim Starx ( 752545 ) <JStarx@gmai l . com> on Thursday July 29, 2004 @01:42PM (#9833837)
    All realistic encryption scemes have a lifespan.
    • by baudilus ( 665036 ) on Thursday July 29, 2004 @01:47PM (#9833918)
      Which is why we have to invent an unrealistic encryption scheme. Then we can use it forever.
      • by mattjb0010 ( 724744 ) on Thursday July 29, 2004 @02:00PM (#9834133) Homepage
        Which is why we have to invent an unrealistic encryption scheme. Then we can use it forever.

        You mean a one time pad [wikipedia.org]?
        • Re:Which is why... (Score:5, Informative)

          by kasperd ( 592156 ) on Thursday July 29, 2004 @02:43PM (#9834812) Homepage Journal
          Then we can use it forever.
          You mean a one time pad?


          You cannot use a one time pad forever. The name should be a pretty good hint about that. Unfortunately reusing a one time pad is suggested again and again by people not fully understanding what it is all about. In many cases a one time pad is unrealistic because you have to exchange new keys over a secure channel. And usually you want to use the one time pad because you don't have a secure channel. But actually some secure channels exists that can be used to exchange the key, but cannot be used for the data transfer. One such example is seen in quantum cryptography.

          However though a one time pad is unconditionally secure, it only guarantees secrecy. Integrity is an interely different matter. Luckily there also exist unconditionally secure MACs for that, and they are a lot more realistic than a one time pad, because the key is smaller and most of the key can be reused. This is very important because without integrity over a clasical channel, even quantum cryptography would have been vulnurable to a man in the midle attack.

          But quantum cryptography is not the only way to exchange a one time pad. Other unrealistic ways to exchange a one time pad is using either noisy channels or assumptions about memory bounded adversaries. I call them unrealistic because they are both based on somewhat unrealistic assumptions and require extreme amounts of data to be transfered to create a small one time pad. The most realistic way to exchange a one time pad probably still is to do it in advance. In some cases the exchange in advance makes a lot of sense. Think for example wireless equipment. You'd consider a wire to be secure, but it is inconvenient. But you still have to connect a wire occationally to recharge your battery, at the same time a one time pad could be tranfered over a faster and more secure wired link.
          • You cannot use a one time pad forever.

            That's not what I said, I said you can use the one time pad encryption scheme forever. Please read all the words next time.

            This is very important because without integrity over a clasical channel, even quantum cryptography would have been vulnurable to a man in the midle attack.

            Quantum crypto key exchange is invulnerable to a man in the middle attack because in QM making a measurement disturbs the state of the system that is then detectable by the true receiver, i
            • a measurement disturbs the state of the system that is then detectable by the true receiver

              That is exactly where the integrity is required. Without the integrity between the two communicating parties, quantum cryptography is obviously vulnurable. A man in the middle could simply perform two completely independent instances of the quantum protocol to exchange the key. Neither party would realize, that they were talking with an adversary rather than the intended peer. In the end they would have two differe
            • I don't think that's entirely true though. You have to be able to observe the state to recieve information and you have to be able to transmit the state to send information. Someone can observe the state in the middle and then quickly retransmit a copy. The original signal is corrupted just as QM predicts but the copy is in it's place.

              I have an incredibly hard time believing any claims of encryption being unbreakable solely

              • You have to be able to observe the state to recieve information and you have to be able to transmit the state to send information. Someone can observe the state in the middle and then quickly retransmit a copy. The original signal is corrupted just as QM predicts but the copy is in it's place.

                What you've just described is precisely what quantum cryptography makes impossible. You assume you can "restransmit a copy." However, it is impossible to clone a quantum state without destroying it.

                Hence, as soon

            • Quantum crypto key exchange is invulnerable to a man in the middle attack because in QM making a measurement disturbs the state of the system that is then detectable by the true receiver, it is not due to anything classical.
              But there is still the "axe in the middle attack": if you can't listen to them, disturb them.
  • by www.sorehands.com ( 142825 ) on Thursday July 29, 2004 @01:46PM (#9833909) Homepage
    It is always expected that any encryption will be crackable given sufficient computing power, and with Moore's law, that will always eventually happen. But of course by that time, a new more secure, algorithm that requires more computing power to encrypt will be available.

    It is interesting to note that they recommend using a faster algorithm.

    Of course us, of the tin-foil-hat, brigade know that the government has a very secure algorithm (gotten from area 51), but they never tell us about, just so we use an algorithm that we think is secure, but they have their own back-door.

    • It is interesting to note that they recommend using a faster algorithm.

      I'm disappointed they didn't recommend my favourite, triple-ROT13.

      Virtually unbreakable...

    • It is always expected that any encryption will be crackable given sufficient computing power

      Not one time pads [wikipedia.org], although they are unpractical, and quantum cryptography [wikipedia.org] which is (currently) expensive, and also distance limited since repeaters can't be used.
      • Unpractical? Anyway, quantum cryptography IS one time pads with a transmission method that ensures the key is delivered without being intercepted. Once the key is received, the encrypted data can be sent via any unsecured medium.

    • It is always expected that any encryption will be crackable given sufficient computing power, and with Moore's law, that will always eventually happen.

      Moore's "law" will stop eventually.
      It might take 200 years, but eventually you hit speed of light limits, Heisenberg limits on distance, and quantum limits on energy usage.
      (Of course, non-fundamental limits are likely to put a stop to Moore's law first.)

      56 bits isn't enough to prevent brute forcing, but 512 bits certainly is.
      At 256 bits, it's easier

    • Actually, as key sizes get larger, the required effort to crack by brute force gets pretty silly.

      According to Bruce Schneier's "Applied Cryptography" , I paraphrase:
      With an ideal computer using the entire energy output of the sun for 32 years, you could cause a 192 bit counter to cycle through all it's possible values.

      And, an actual quote:

      "These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force a

  • by Anonymous Coward on Thursday July 29, 2004 @01:47PM (#9833916)
    They want me to abandon DES and Internet Explorer? Please, NIST, why do you keep recommending against my favorite applications.

    Let's hope we'll never see ICQ and Windows ME on that list.
  • YES!!! (Score:5, Funny)

    by Tenebrious1 ( 530949 ) on Thursday July 29, 2004 @01:47PM (#9833920) Homepage
    Oh yeah! Now foreign powers will have to go back to sending sexy spies to seduce the secrets out of us instead of just breaking the codes!

    • Re:YES!!! (Score:3, Funny)

      by dj245 ( 732906 )
      Oh yeah! Now foreign powers will have to go back to sending sexy spies to seduce the secrets out of us instead of just breaking the codes!

      In a related story, a mysterious female named "Alotta Patootie" was detained at a northern border crossing on suspicion of ill intent. Formal charges have not been anounced, but the woman did try to seduce four CBP (Customs and Border Protection) agents and succeeded in kicking a fifth in the tallywhacker.

  • I thought NIST had already recommended replacing DES with AES several years ago. It's been fairly obvious for a while now that distributed computing could crack DES encoded data.

    It will be AES's time before long anyways, with quantum computing these algorithms become fairly useless.
  • by Slick_Snake ( 693760 ) on Thursday July 29, 2004 @01:48PM (#9833944) Journal
    Its be accepted by many in the industry that DES was too weak. However you can use DES repeatedly with different keys to make up for it and thus you get triple DES. It effectly gives you a key space of 56 * 3 = 168 bit keys which is much better. And you could always run the data through a few more times if you are realy paranoid.
    • While your argument is valid, I fail to see the usefulness of spending more time to strengthen a weak algorithm rather than using one that is inherently more secure. It's like putting more and more duct tape over the hole rather than just changing the pipe.
      • by cw0 ( 27154 )
        The algorithm itself was never weak. It was actually the key length that made it weak. That's why only brute force can be used to break it.
      • don't cast aspersions on the practice of putting on more and more duct tape over a hole. Not only is this a sound, well-respected engineering practice (as is evidenced by my saying it), but America's Duct Tape Manufacturers need your every effort to keep our business on steady financial ground.

        Whenever this is any doubt about the structural integrity of any item (from little glass figurine to 18 wheeler transporting corrosive chemicals), slap some duct tape on it. And then a little bit more. You'll be gla

        • Man, you really are part of the bush administration.

          But, hey, get with the program dude, you forgot to mention the plastic.

          And don't forget, WD-40 has a role also.

        • America's Duct Tape Manufacturers need your every effort to keep our business on steady financial ground

          If America's Duct Tape Manufacturers falter, the impact to the American economy
          could be catastrophic! And no patriotic American wants that. So be patriotic! Buy more patriotic American duct tape, and shore up the patriotic American economy, so all of our American children can grow up safe, strong, and patriotically American in good old patriotic American America!
      • by Thagg ( 9904 )
        There are significant advantages of triple DES.

        1) DES has been around a long time. People have attacked it for years, with every new and old technique of cryptanalysis. DES was created by IBM with help (no, really!) from NSA -- it was NSA that proposed adjustements in the S-Boxes that made DES more resistant to differential cryptanalysis. DES has proven to be secure, except for the obvious key-length problem, in the very best way you can prove an algorithm secure -- by having the best minds on the plane
        • DES hardware exists, and is inexpensive and relatively secure. Using current hardware to impliment triple DES is easy.

          Indeed. It is one thing for NIST to recommend that everyone using software implementations of DES should change to something else (although it appears that they are actually only recommending it to government users). It is a very different thing to deal with the millions of consumer devices out there with hardware DES which would have to be replaced.

        • One interesting tidbit (from "Applied Cryptography") was that the NSA adjustments to the S-boxes actually predicted and secured for a vaunerability that was discovered 30 years later.

          When the S-box attacks came out in the 90s or so, people thought DES might be vaunerable to it -- but the adjustments the NSA had made decades before to the standard prevented its vaunerability.

          That's impressive. Did they know, or was it just lucky.
    • by Anonymous Coward
      Actually, triple DES uses one of the keys twice, so you only get a key space of 112 (56 * 2) bits.
    • Triple DES actually has a key complexity of around 112 bits, but more importantly is signifigantly slower then AES due to the need for three sequential passes with three (or more often two) seperate keys.

      As a result AES has more key complexity and runs faster, which is why it makes sense to drop DES/3DES.

      • Being a bit slower may actually be an advantage when the only method of attack is brute force. As for having a key complexity of 112 bits, that is only if you use two keys instead of three. If you are worried about people breaking it you would use three, but even if you used two lets take a look at it.

        If you could try one key at every clock cycle, which would be amazing in and of itself, it would take you 54,844,652,936,586,090.5 years of computation on a 3 GHz machine to try every key. If you take half

    • It was known when 3DES was proposed that the "meet in the middle" attack reduced the effective strength to 112 bits. Lucks's attacks reduce that strength to 90 bits. See

      http://th.informatik.uni-mannheim.de/People/Luck s/ papers.html
      • Even with a reduced strength of 90 bit brute force still requires 13,075,984,224.46 years with 3 billion keys a second. How secure do you need it to be? Even the best super computer would have to be really really lucky to break it in its operational lifetime. To put it in clearer terms if you gave everyone in the world a mondern computer and had them ALL work on breaking it together it would on average take 1000 years.
        • Your sums are correct, and indeed an 80 bit difficulty is usually considered sufficient to be beyond the reach of any attacker. However, it makes it far from clear that we can have more confidence in 3DES than in AES.

          In addition, you have to consider "key collision attacks". Under some circumstances your attacker can arrange for the same text to be encrypted many times with many different keys. They can then attempt a brute force attack where they can efficiently test each guess against any of the keys
        • if you gave everyone in the world a mondern computer and had them ALL work on breaking it together it would on average take 1000 years.

          That means that if you gave everyone in the world a million modern computers, it would take a little under 9 hours.

          The problem is, "modern computers" can be replaced with "dedicated processors" and "everyone in the world" can be replaced with "each slot in the cracking array", so:

          If you gave each slot in the 7 billion slot cracking array a million dedicated processors,

    • FROM THE ARTICLE WHICH MANY OF YOU DIDN'T BOTHER TO READ:

      Triple Data Encryption Algorithm or ''TDEA.'' TDEA encrypts each block three times with the DES algorithm, using either two or three different 56-bit keys. This approach yields effective key lengths of 112 or 168 bits. TDEA is considered a very strong algorithm. The original 56-bit DES algorithm can be modified to be interoperable with TDEA.

      Are you more of an expert than those at NIST?

  • Some would argue that DES has been insufficient for some time now.

    Yeah, like since the day I first heard about it, back in 1995.
  • Microsoft's .NET has AES built in and I'm pretty sure AES is what Trillian uses for encryption, so I say go for it!
  • by m.h.2 ( 617891 ) on Thursday July 29, 2004 @02:02PM (#9834151) Journal
    "Some would argue that DES has been insufficient for some time now."

    Insufficient for what? I hate to play semantics, and I'm no cryptographer, but as I understand it, the inadequacies of an encryption algorithm are primarily defined by the implementation and the reason for it [application]. OK, it's a weak cipher, but in certain instances, it may still be useful. Right?
    • I think that this falls under the category of "anything worth encrypting is worth encrypting well" category. If you are doing it for pure educational sake, use whatever you want. But if you are charged with a purpose of keeping some information private, then it is your responsibility to use an encryption method that is sufficient to keep it private.
    • When using a fantastically good algorithm is free, why use a worse one? AES is not only vastly more secure than DES, it's also much simpler and somewhat faster.
    • Insufficient for what?

      What it boils down to is that DES has a fixed key length of 56 bits. Sure, you can 3DES it but you've also tripled the number of computations you have to do for every block of data. So while DES's key size has remained fixed, computing power is expanding at Moore's law. So, inevitably, computing power will overwhelm DES's practicality. It's just a matter of time (read: now). While AES, on the other hand, allows you to expand the key size from 128-bits by 64-bit blocks. So we

  • Good! (Score:4, Funny)

    by l0ungeb0y ( 442022 ) on Thursday July 29, 2004 @02:15PM (#9834362) Homepage Journal
    Nice to hear they got some good consulting.

    I've been using AES-256 on all my projects that deal with sensitive data since ohhh -- 2001.

    Considering that DES has been relegated to hack toy status for some time now and triple-DES is only marginally better since it's just DES encryption done threefold I think this is a very wise but belated move.

    And when Hollywood even makes fun of an encryption grade by showing a guy breaking it in 60 seconds while getting a BLOWJOB, you KNOW it's time to stop using it!

    • Technically, it isn't AES if you are using a 256 bit key. AES specifically defines a 128 bit key. If you use anything higher than that, you're using Rijndael.
      • I always use Rijndael, since RijnDael is AES [nist.gov]! And yes I use a 256bit key as my standard.

        And as long as I've ever used AES I've been under the distinct impression that the AES (rijndael) algorithm uses three cipher key strengths: 128, 192, or 256-bit encryption key.

        So feed me some links that show me I'm wrong here people.
      • You are incorrect. AES specifies three key lengths (128, 192, 256). You are thinking of the blocksize. The blocksize for AES is 128 bits (and only 128 bits). The Rijndael algorithm can be easily adapted to allow other block sizes.
    • Re:Good! (Score:3, Informative)

      by kakos ( 610660 )
      Also, 3DES is about as good as AES with regards to security, but magnitudes slower. Thousands of cycles compared to AES's 100 cycles.
  • Triple DES AES (Score:2, Informative)

    by Anonymous Coward
    Although DES's key length is short, it's a remarkably strong cipher. There are some methods to crack DES where you can do a ~little~ better than trying all the combinations, but not much better.

    Triple DES extends the key length to something acceptable and there isn't any serious cryptanalytic attack on it -- after decades of people hammering at it. Today we even know that the NSA did a good job choosing the S-boxes (although we could do a little better today.)

    AES wasn't really designed to be secure,
    • AES certainly was designed to be secure. You exaggerate the extent of what people have against it so far by an absolutely gargantuan margin.

      In addition, you are clearly unaware of Stefan Lucks's attacks on 3DES, which take it down to about 72 bits of security - far from the 112 it promises. You might as well just use DESX, which is about as strong but three times faster.
    • Re:Triple DES AES (Score:5, Informative)

      by evilviper ( 135110 ) on Thursday July 29, 2004 @05:20PM (#9837024) Journal
      In 128-bit mode it's like a 12-inch wall with an 11-inch long crack in it. That last inch might hold, but I wouldn't bet on it.

      Terrible, terrible, HORRIBLE analogy.

      Cryptography rounds are not like walls... It's not like a wall, where defeating each one removes strenghth. In cryptography, even if you can break up to 127-bits, that last 1-bit stll means it's just as strong as ever.

      A good example (besides AES) is skipjack... NSA's own. There would have been a vulnerability if it used one less round, but since it uses 1 more, it's still perfectly safe, and hasn't been broken yet...

      In other words, find a new analogy, and don't tell people that AES is insecure. It's gone through detailed analysis to make sure it's secure... The same process that approved of DES years ago.

      If you trust 3-DES, you should trust AES, too.

      Personally, I use blowfish whenever possible, but I haven't seen any crypto hardware with blowfish built-in so I doubt it'll get more widespread anytime soon.
  • by Anonymous Coward on Thursday July 29, 2004 @02:28PM (#9834569)
    When I did my military service in Sweden 96/97 I came across the official introduction book to cryptology (the Swedish military has, as I assume every national military has, a book division making various manuals). It was pretty standard starting out with substitution and permutation and quickly moving past most techniques up to finite field equations. I don't know when the book was written (it didn't say), but probably in the mid to late 80's since the most recent book reference was from 85. The thing that really caught my eye was however a paragraph that essentially said "DES is not certified for secure transmissions in the Swedish military for reasons we will not discuss here". Given that they broke every crypto system transmitted over Sweden during WWII, I would take their advice if they say not to use a cipher.
  • Critics proven right (Score:4, Informative)

    by msblack ( 191749 ) on Thursday July 29, 2004 @02:37PM (#9834708)
    One of the earliest critics of DES (FIPS-46) was Whitfield Diffie, a maverick of his time. The government, industry, and press all hailed the 56-bit DES as a milestone breakthrough. At that time, ITAR regulations limited encryption algorithms to 28 or 40 bits, a serious restriciton for international corporations. IBM was prohibited from using Lucifer with its offshore subsidiaries because the Feds equated it with nuclear weaponry.

    Diffie is probably best renowned for his methodology known as knapsack encryption. This was alternative to RSA which was computationally prohibitive in the early 1980s.

    I remember my having difficulty in my old college days in obtaining a copy of RSA. My school had to obtain a copy of their paper from MIT through inter-library loan. I had not realized that RSA would gain such widespread adoption because ITAR would prevent international implementation for any US-based company.
    • Slight correction (Score:2, Informative)

      by rkit ( 538398 )
      The knapsack algorithm was devised by Ralph Merkle and Martin Hellman. Knapsacks would still be computationally prohibitive if they had not been broken.
      Also, Whitfield Diffie is certainly best renowned for the Diffie-Hellman algorithm for key exchange.
    • by Paul Crowley ( 837 ) on Thursday July 29, 2004 @03:05PM (#9835130) Homepage Journal
      Diffie didn't invent knapsack encryption. Diffie and his colleague, Martin Hellman, invented the first public key cryptosystem, Diffie-Hellman, and founded the modern field of cryptography. We all owe them (and Ralph Merkle, who basically did the same things at the same time) an enormous debt.

      There were no ITAR limits on key length. The law simply stated that you needed a license to export products that included cryptography; strictly interpreted that would have included a Secret Decoder Ring. It wasn't until Lotus wanted to export Notes with crypto built in that the NSA got involved in the process of making it possible for products that used crypto to be granted export licenses by demanding features such as CDWF, which made it easy for the NSA to break messages while keeping it hard for everyone else.

      Lucifer was vulnerable to a differential cryptanalytic attack that reduced the effective key strength to around 56 bits. However, IBM and the NSA kept their knowledge of DC secret until Biham and Shamir rediscovered it in 89.

      RSA was invented later. It was never prohibitively slow, though of course it's got much faster over the years.

      If you wanted a description of RSA, why didn't you just buy a copy of Scientific American, where it was first published in Martin Gardener's "Mathematical Games" column?
    • Diffie is probably best renowned for his methodology known as knapsack encryption.

      I would think that he is known for Diffie-Hellman key exchange [wikipedia.org], especially since Hellman created the knapsack encryption :)

      Diffie-Hellman key exchange is done every day when one makes a ssl or ssh connection.
  • by panurge ( 573432 ) on Thursday July 29, 2004 @02:41PM (#9834782)
    I'm reminded of Terry Pratchett's Havelock Vetinari, (various Discworld books) who gets his pet scientist to devise him cyphers that are merely fiendishly difficult - because he wants his enemies to think they know what he is thinking.
    This is actually a valid point about intelligence. Although it's obvious that there are places where uncrackable encryption should be used if at all possible, there are many others where disinformation can be used to great effect. An example is where a message crackable in finite time is allowed to be intercepted because by the time it is decrypted it is too late to take action, the object being to build up the credibility of an information source prior to shovelling out a great load of disinformation. I believe this technique was used ahead of the D-Day landings as part of the plan to persuade the Germans that the invasion would actually be in the Pas de Calais.

    For this reason I would have thought it was unwise for official bodies to make statements about the use of different forms of encryption - unless it's a double bluff and DES will continue to be used for short-life messages.
    Tinfoil hat? Stress-relieved oxygen-free copper plated mumetal in my case.

  • by danharan ( 714822 ) on Thursday July 29, 2004 @02:42PM (#9834794) Journal
    Secrets normally take years, often decades to be out in the public domain. What was daunting before EFF's 1998 achievement is looking more and more trivia for a government that wouldn't blink at the cost of buying a 1,000 node super-computer.

    To future-proof secrets, you'd have to encrypt at a level that not only would be ridiculously expensive to crack today, but as long as you need to keep them, well, secret. Imagine some of the files from the time of the UNSC's Iraq debates a year-and-a-half ago getting cracked today or before the next US presidential election.
  • Anyone know any cyphers that are immune to Shor's algorthim? I don't think AES is...
    • Well, given that AES isn't an asymmetric cipher, and hence doesn't use products of primes, I don't see what Shor's algorithm (a prime factorization algorithm) as to do with anything.
  • Anyone know what the patent encumbrance status of AES is? Will it be usable by open source software?
  • It's a strong estrogen and a causative factor in several forms of cancer, in infertility and reproductive abnormalities in those exposed in utero and even in their progeny.

    Diethylstilbestrol is, like most hormones, a hazard to those who handle it, and there's precious few excuses for using it anymore; its use as an anti-abortive was based on faulty evidence.
  • In addition to suggesting algorithms, NIST also VALIDATES code and devices to make sure they do exactly what they should when it comes to cryptography. (No back doors, no shortcuts, etc.)

    More information about the Cryptographic Module Validation Program (the current standard for encryption is FIPS 140-2) can be found here: http://csrc.nist.gov/cryptval/140-2.htm [nist.gov]

    Also, here's a group which has both Windows and Linux versions of a FIPS 140-2 AES implementation, if you want to know what it looks like in ac

What this country needs is a good five cent ANYTHING!

Working...