Mr. Harris:

First off, I'll thank you to quote me in my entirety if you plan to do that, otherwise don't quote me at all. You simply left off the pertinent parts of my initial argument, then in the second paragraph you said just what I said, that the key length was too short.

I admit I don't understand the difference between "Inadequate key size is the only known practical problem with DES", and the fact that I stated that the key length "being short" is relative to the amount of time it takes to use a brute force attack.

Your own justification of 3DES articulates that it is strong predicated on what you feel the processing power will be in 3 years! Perhaps your arguments about 12GHz machines being fast enough are true, but what if those 12GHz machines are worth $50 a pop by then, and someone uses 500 of them at one time in a Linux cluster?

The impact of a high capacity machine does not mean that any person encouraged to break a key family via brute force, will do so with a single machine!

Very Respectfully,

Stuart Blake Tener, IT3, USNR-R, N3GWG
Beverly Hills, California
VTU 1904G (Volunteer Training Unit)
stuart@xxxxxxxxxxx
west coast: (310)-358-0202 P.O. Box 16043, Beverly Hills, CA 90209-2043
east coast: (215)-338-6005 P.O. Box 45859, Philadelphia, PA 19149-5859
Telecopier: (419)-715-6073 fax to email gateway via www.efax.com (it's free!)

JOIN THE US NAVY RESERVE, SERVE YOUR COUNTRY, AND BENEFIT FROM IT ALL.

Friday, October 05, 2001 11:30 PM

-----Original Message-----
From: owner-linux-crypto@xxxxxxxxxxxx [mailto:owner-linux-crypto@xxxxxxxxxxxx]On Behalf Of Sandy Harris
Sent: Friday, October 05, 2001 5:59 PM
To: linux-crypto@xxxxxxxxxxxx
Subject: Re: des-cbc

"IT3 Stuart B. Tener, USNR-R" wrote:

> Crypto list members:
>
> The very honest to g-d truth is not that DES is weak due to a short key length,

Nonsense. Inadequate key size is the only known practical problem with DES. Differential and linear cryptanalysis both break it faster than brute force in theory, but neither is a practical attack.

The DES keylength was arguably too short when it was designed. Diffie and Hellman published a paper in 1977 showing that a keysearch machine that would break DES in about 9 hours could be built for $20 million.

> or even broken (which is a lie, it has never been cracked).

Sure it has:

http://www.eff.org/descracker.html
http://www.distributed.net/pressroom/DESII-1-PR.html

The EFF machine was essentially the same design as Diffie and Hellman's, cost $200-odd thousand, and broke DES in 57 hours.

> Its key
> length would not be considered short if we were all running 1MHz Z80s again.
> Key length is a determining factor only when the technology of effectuating
> a brute force attack in a short period of time has become a low cost choice.
>
> Everyone now is saying 3DES is strong, but will we consider it strong in 3
> years? Even if the algorithm is never found to have been cracked? Of course
> we will, by then we will all have 12GHz processors, and 3DES will seem the
> same joke that DES is now.

You don't appear to understand the math. For one explanation, see:

http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/glossary.html#brute

Going from 1 MHz to 12 GHz is a factor of 12,000. 14 extra key bits make a cipher 2^14, about 16,000, times harder to brute force.

At least against brute force keysearch, 3DES is strong enough. A meet-in-the-middle attack breaks 3DES in 2^112 encryptions, but that is almost certainly large enough to be safe. Also, the attack requires some absurd amount of memory.

Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
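
An added worked example, not part of either message in the thread: it carries the key-length arithmetic through for the two speed-ups the messages mention (1 MHz to 12 GHz, and 500 such machines in a cluster). It assumes, for illustration only, that the 57-hour EFF figure is the baseline for a 56-bit search and that the whole speed-up is applied on top of it; the function names are hypothetical.

```python
import math

HOURS_PER_YEAR = 24 * 365.25

def bits_offset_by_speedup(speedup: float) -> float:
    """Key bits that a hardware speed-up factor is worth to a brute-force attacker."""
    return math.log2(speedup)

def extra_bits_to_cancel(speedup: float) -> int:
    """Whole key bits a cipher must add to cancel the speed-up completely."""
    return math.ceil(math.log2(speedup))

def scaled_search_hours(base_hours: float, base_bits: int,
                        target_bits: int, speedup: float = 1.0) -> float:
    """Scale a measured exhaustive-search time to another work factor and speed-up.

    Every extra bit doubles the work; every factor of speed-up divides the time.
    """
    return base_hours * 2.0 ** (target_bits - base_bits) / speedup

def summary() -> dict:
    clock = 12e9 / 1e6        # 1 MHz -> 12 GHz: the factor of 12,000 in the thread
    cluster = clock * 500     # 500 such machines working in parallel
    base_hours, base_bits = 57, 56   # assumption: EFF result as the DES baseline
    return {
        "clock_bits": bits_offset_by_speedup(clock),
        "clock_extra_bits": extra_bits_to_cancel(clock),
        "cluster_bits": bits_offset_by_speedup(cluster),
        "cluster_extra_bits": extra_bits_to_cancel(cluster),
        # 56-bit search with the full cluster speed-up applied to the baseline
        "des_hours": scaled_search_hours(base_hours, base_bits, 56, cluster),
        # 2^112 work (the meet-in-the-middle figure for 3DES), same attacker
        "tdes_years": scaled_search_hours(base_hours, base_bits, 112, cluster)
                      / HOURS_PER_YEAR,
    }

if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:>20}: {value:,.4g}")
```

Parallel machines and faster clocks both enter the calculation as a single multiplicative factor, so the 500-machine cluster is worth about 9 more bits than the clock increase alone, against the 56 bits that separate a 2^56 search from a 2^112 one.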