Truth and Hype

Terrence L. Domjan
Tue, 17 Jun 1997 13:09:49 -0400


Today's posts from Seth Schoen:

>In other words, how much longer does a crypt(3) take
>than a single encryption the DESCHALL client is doing
>now? My (Linux) man pages indicate that crypt(3) is a
>56-bit DES hash, which would suggest to me that if
>56-bit DES is broken, Unix password security is
>broken, too, and it's time for Unix in general to
>move to a much longer or slower hash.

and Duane Williams:

>The plain fact is that we do not need to carry out a project like DESCHALL
>in order to know that a DES message can be broken by means of an

>Finding the key to decrypt a single DES encrypted message obviously does
>not mean that you have the key to every DES encrypted message. You have to
>do the months of work all over again for each message you want to decrypt.

>The DESCHALL effort is giving us some real-world numbers to use in our
>estimates of how fast a DES key can be found with various hardware. The
>DESCHALL effort has motivated some people to greatly improve algorithms for
>finding a DES key and they may even have some publishable results. The
>DESCHALL effort is showing that thousands of volunteers can be persuaded to
>cooperate in a large-scale internet-wide computing effort.
>The DESCHALL effort may be useful in sending a
>message to the public and to politicians about the level of security of
>DES. But, we don't have to do something like DESCHALL to know that DES is
>vulnerable to exhaustive search with existing hardware.

and a statement from the DESCHALL site:

>Today, experts recommend using encryption with keys at least
>80 bits long -- DESCHALL hopes to serve as a wake-up call to the
>government and general public.

make me want to ask this question:
What is the real purpose of DESCHALL?

- Cracking one message doesn't give the key to other messages.
- DESCHALL is useful to show that Internet-wide cooperation
is possible.
- The government already understands the weaknesses of DES
and this effort isn't going to show them anything that the NSA
already hasn't.

Not so obvious or possibly wrong:
- DESCHALL is NOT showing that Internet-wide cooperation
is possible for criminal activity. For example, messages such
as electronic wire transfers are secure because the criminals
need to decrypt, modify, encrypt the new message
and send it only microseconds after they catch it if they want
to re-route the money.
- DES IS 56-bit. There is no DES with more or less bits.
- Triple-DES is much more secure and just as easy to do (since
the government mandates the use of hardware for DES) so DES
is not on its last legs and there really is no need to worry about
weak encryption.
- The NSA ALLOWS public-key cryptography to exist because they
know it's flawed. They know that the best way to keep things
private is to have as many secrets as possible. That's what the
government does best. Otherwise, why are the military's
(and probably the NSA's) best codes so secret? Why don't
they just share all their knowledge with everybody? That's
because we would probably be amazed at what they know
and public-key systems as well as DES would go down the tubes.
After all, they helped IBM with DES.

Therefore, it seems to me that DESCHALL's only value is the
promotion of the idea of distributed, cooperative computing.

The result of reading this particular DES message will only serve
to inflame the sensationalist media. The headlines will be about
how a bunch of people with mostly inexpensive computers "broke
the code" used by banks to safeguard financial data. People
who have less knowledge about cryptography than we do
(which is probably very little for most of us) will be worried and
might pressure the government which might lead to consequences
other than a wake-up call or the intended one which is to promote
secure, global, large-key public-key cryptography.

Don't bite my head off if you disagree with my opinions or if
I made some factual errors.

Terrence L. Domjan