"IT3 Stuart B. Tener, USNR-R" wrote: > Crypto list members: > > The very honest to g-d truth is not that DES is weak due to a short key length, Nonsense. Inadequate key size is the only known practical problem with DES. Differential and linear cryptanalysis both break it faster than brute force in theory, but neither is a practical attack. The DES keylength was arguably too short when it was designed. Diffie and Hellman published a paper in 1977 showing that a keysearch machine that would break DES in about 9 hours could be built for $20 million. > or even broken (which is a lie, it has never been cracked). Sure it has: http://www.eff.org/descracker.html http://www.distributed.net/pressroom/DESII-1-PR.html The EFF machine was essentially the same design as Diffie and Hellman's, cost $200-odd thousand, and broke DES in 57 hours. > Its key > length would not be considered short if we were all running 1MHz Z80s again. > Key length is a determining factor only when the technology of effectuating > a brute force attack in a short period of time has become a low cost choice. > > Everyone now is saying 3DES is strong, but will we consider it strong in 3 > years? Even if the algorithm is never found to have been cracked? Of course > we will, by then we will all have 12GHz processors, and 3DES will seem the > same joke that DES is now. You don't appear to understand the math. For one explanation, see: http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/glossary.html#brute Going from 1 MHz to 12 GHz is a factor of 12,000. 14 extra key bits make a cipher 2^14, about 16,000, times harder to brute force. At least against brute force keysearch, 3DES is strong enough. A meet-in-the-middle attack breaks 3DES in 2^112 encryptions, but that is almost certainly large enough to be safe. Also, the attack requires some absurd amount of memory. Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/