RE: First place.

Justin Dolske (dolske@cis.ohio-state.edu)
Wed, 16 Apr 1997 13:00:57 -0400 (EDT)


[hackers@freebsg.org removed per request]

On Wed, 16 Apr 1997, Justin Wolf wrote:

> There's nothing inherently wrong with DES, just the key size
> which is currently being allowed for export.

True, the DES algorithm is not directly comprimised. But your statement is
rather weak -- the inherent key size of DES is 56 bits. You can play
"tricks" (like 3DES) to get effectivly larger key sizes, but that's no
longer DES.

This is being a bit loose about how one defines algorithms and key size,
however. Encrypting something with multiple passes of the 40bit RC5
variant should also be quite secure, so you could similarly argue there's
nothing wrong with 40 bit RC5... Or any other algorithm that can only be
attacked via brute force.

> As far as symmetric
> algorithms go, it's pretty good. And if you want to make it more
> difficult to crack use non-standard techniques within the algorithm

Well, that works great if you're writing your own software to encrypt your
own data -- but that rather defeats the whole point of publishable
standards, doesn't it? I don't even want to think about the consequences
of people blindly choosing new modififications to DES, withough regard to
the soundness of the new variant.

> Remember, chose an encryption technique that will protect the data as
> long as the data needs to be protected.

And we're showing that DES is unsuitable for public use, on data that
needs to be kept secret for anything more than a very short period of
time.

Don't forget the percentages game, which makes a big mess out of
predicting how big a key you need:

We've already shown that we have about a 1% chance of finding the key
within two weeks. Although low, these odds may be completely unacceptable
if your secret is important enough. It's not too hard to come up with
examples of data that needs to be kept very secure for short periods of
time, and is of no value afterwards.

Justin Dolske <URL:http://www.cis.ohio-state.edu/~dolske/>
(dolske@cis.ohio-state.edu)
Graduate Fellow / Research Associate at The Ohio State University, CIS Dept.