DES is Not Secure

DES, the Data Encryption Standard, can no longer be considered secure. While no major flaws in its innards are known, it is fundamentally inadequate because its 56-bit key is too short. It is vulnerable to brute-force search of the whole key space, either by large collections of general-purpose machines or even more quickly by specialized hardware. Of course this also applies to any other cipher with only a 56-bit key. The only reason anyone could have for using a 56 or 64-bit key is to comply with various export laws intended to ensure the use of breakable ciphers.

Non-government cryptologists have been saying DES's 56-bit key was too short for some time -- some of them were saying it in the 70's when DES became a standard -- but the US government has consistently ridiculed such suggestions.

A group of well-known cryptographers looked at key lengths in a 1996 paper. They suggested a minimum of 75 bits to consider an existing cipher secure and a minimum of 90 bits for new ciphers. More recent papers, covering both symmetric and public key systems, are at cryptosavvy.com and rsa.com. For all algorithms, the minimum key lengths recommended in such papers are significantly longer than the maximums allowed by various export laws.

In a recent ruling, a German court described DES as "out-of-date and not safe enough" and held a bank liable for using it.

Dedicated hardware breaks DES in a few days

The question of DES security has now been settled once and for all. In early 1998, the Electronic Frontier Foundation built a DES-cracking machine. It can find a DES key in an average of a few days' search. It cost just over $200,000 to design and build it. A copy based on the finished design would of course cost less. The details of all this, including complete code listings and complete plans for the machine, have been published in Cracking DES, by the Electronic Frontier Foundation.

A large corporation could build one of these out of petty cash. The cost is low enough for a senior manager to hide it in a departmental budget and avoid having to announce or justify the project. Any government agency, from a major municipal police force up, could afford one too. Or any large criminal organisation, any reasonably large political group, labour union or religious group, . . .

One might wonder if a private security or detective agency would have one for rent. They wouldn't need many clients to pay off that investment.

"Moore's Law" is that machines get faster (or cheaper, for the same speed) by roughly a factor of two every 18 months. At that rate, the EFF machine would cost well under $100,000 as I write in mid-2000. By the end of the decade, building one might be an undergraduate lab project.

Spooks may break DES faster yet

As for the security and intelligence agencies of various nations, some of them may have had DES crackers for years. Possibly very fast ones! Cipher-cracking is one of the few known applications which is easy to speed up by just adding more processors and memory. Within very broad limits, you can make it as fast as you like if you have the budget. The EFF's $200,000 machine breaks DES in a few days. An aviation website gives the cost of a B1 bomber as $200,000,000. Spending that much, an intelligence agency could expect to break DES in an average time of six and a half minutes.

That estimate assumes they use the EFF's 1998 technology and just spend more money. They may have an attack that is superior to brute force, they quite likely have better chip technology (Moore's law, a bigger budget, and whatever secret advances they may have made) and of course they may have spent the price of an aircraft carrier, not just one aircraft.

In short, we have no idea how quickly these organisations can break DES. Unless they're grossly incompetent, they can certainly do it more quickly than the users of the cipher would like, but beyond that we can't say. Pick any time unit between days and milliseconds. None of these is entirely unbelievable. More to the point, none of them is of any comfort if you don't want such organisations reading your communications.

Note that this may be a concern even if nothing you do is a threat to anyone's national security. An intelligence agency might well consider it to be in their national interest for certain companies to do well. If you're competing against such companies in a world market and that agency can read your secrets, you have a serious problem. For one example, see this news story. The US are the villains in that piece, but there is no reason to imagine they are the only, or even the worst, villains in this area.

One might wonder about technology the former Soviet Union and its allies developed for cracking DES during the Cold War. They must have tried; the cipher was an American standard and widely used. How well did they succeed? Is their technology now for sale or rent?

Networks break DES in a few weeks

Before the definitive EFF effort, DES had been cracked several times by people using many machines. See this press release for example.

A major corporation, university, or government department could break DES by using spare cycles on their existing collection of computers, by dedicating a group of otherwise surplus machines to the problem, or by combining the two approaches. It might take them weeks or months, rather than the days required for the EFF machine, but they could do it.

What about someone working alone, without the resources of a large organisation? For them, cracking DES will not be easy, but it may be possible. A few thousand dollars buys a lot of surplus workstations, especially since Year 2000 concerns have driven more old machines into the surplus market. A pile of such machines will certainly heat your garage nicely and might break DES in a few months or years. Or enroll at a university and use their machines. Or use an employer's machines. Or crack security somewhere and steal the resources to crack a DES key. Or write a virus that steals small amounts of resources on many machines. Or . . .

None of these approaches are really easy or break DES really quickly, but an attacker only needs to find one that is feasible and breaks DES quickly enough to be dangerous. How much would you care to bet that this will be impossible if the attacker is determined and/or clever? How valuable is your data? Are you authorised to risk it on a dubious bet?

We disable DES

In short, it is now absolutely clear that DES is not secure against That is why Linux FreeS/WAN disables all transforms which use plain DES for encryption.

DES is in the source code, because we need DES to implement our default encryption transform, Triple DES. We urge you not to use single DES. We do not provide any easy way to enable it in FreeS/WAN, and our policy is to provide no assistance to anyone wanting to do so.

40-bits is laughably weak

The same is true, in spades, of ciphers -- DES or others -- crippled by 40-bit keys, as many ciphers were required to be until recently under various export laws. A brute force search of such a cipher's keyspace is 2^16 times faster than a similar search against DES. The EFF's machine can do a brute-force search of a 40-bit key space in seconds. One contest to crack a 40-bit cipher was won by a student using a few hundred idle machines at his university. It took only three and a half hours.

We do not, and will not, implement any 40-bit cipher.
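
The scaling arguments above (budget versus search time, Moore's Law, and the 2^16 gap between 40-bit and 56-bit keys) can be checked with a small cost model. This is an added example, not FreeS/WAN code. It assumes "a few days" means 6500 minutes, the figure implied by the six-and-a-half-minute estimate for a $200,000,000 budget, that search speed scales linearly with money spent, and that mid-2000 is roughly 2.5 years after the EFF machine was built.

```python
# Added example: brute-force cost model scaled from the figures in this article.
# Assumption: "a few days" is taken as 6500 minutes (about 4.5 days), the value
# implied by the article's "$200,000,000 -> six and a half minutes" estimate.

BASE_BITS = 56                  # DES key length
BASE_COST_USD = 200_000         # EFF machine, 1998
BASE_AVG_SECONDS = 6500 * 60    # assumed average search time for that machine
MOORE_DOUBLING_YEARS = 1.5      # "a factor of two every 18 months"


def avg_search_seconds(key_bits, budget_usd=BASE_COST_USD, years_after_1998=0.0):
    """Average exhaustive-search time, assuming search speed scales linearly
    with money spent and doubles per dollar every 18 months."""
    keyspace_ratio = 2.0 ** (key_bits - BASE_BITS)
    hardware_ratio = budget_usd / BASE_COST_USD
    moore_ratio = 2.0 ** (years_after_1998 / MOORE_DOUBLING_YEARS)
    return BASE_AVG_SECONDS * keyspace_ratio / (hardware_ratio * moore_ratio)


def machine_cost_usd(years_after_1998):
    """Cost of a machine with the EFF cracker's speed, some years later."""
    return BASE_COST_USD / 2.0 ** (years_after_1998 / MOORE_DOUBLING_YEARS)


def humanize(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


def table(budgets=(200_000, 200_000_000), bits=(40, 56, 75, 90, 128)):
    """Average search time per key length (rows) and budget (columns)."""
    return [(b, [humanize(avg_search_seconds(b, usd)) for usd in budgets])
            for b in bits]


if __name__ == "__main__":
    print(f"{'key bits':>8}  {'$200,000':>16}  {'$200,000,000':>16}")
    for b, cells in table():
        print(f"{b:>8}  {cells[0]:>16}  {cells[1]:>16}")
    # 2.5 years is an approximation of "early 1998" to "mid-2000".
    print("EFF-class machine cost in mid-2000:", round(machine_cost_usd(2.5)))
```

The 75-bit, 90-bit and 128-bit rows are the key lengths this article cites as minimums; under the same assumptions, even the larger budget leaves a 128-bit search at tens of quadrillions of years.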

Alternatives to DES

A number of non-DES encryption algorithms have been proposed. We will implement some of them eventually, of course choosing ciphers with at least 128-bit key length.

AES in IPSEC

The winning candidate from the AES project to develop a replacement for DES will almost certainly become widely used for IPSEC, but analysis takes time and no winner is expected before the summer of 2000.

Meanwhile, there is a variant of DES which is far better than plain DES. Triple DES, usually abbreviated 3DES, applies DES three times, with three different keys. This is believed to be much stronger than single DES, and it quite definitely turns brute-force key search into a ridiculous impossibility. 3DES is what our code now uses by default. 3DES is, unfortunately, about 1/3 the speed of DES, but modern CPUs still do it at quite respectable speeds. Some speed measurements for our code are available.

