
DES Is Dead. Long Live...Well, Um, What?
March 22, 1999
By Robert Moskowitz
 The summer of 1998 will be remembered as the end of an era. The EFF (Electronic Frontier Foundation) funded Deep Crack, a relatively inexpensive parallel-processing computer designed to attack cryptographic algorithms, most notably DES (Data Encryption Standard). Deep Crack solved the RSA DES Challenge II in 56 hours. John Gilmore of the EFF stated, "This would put truth into the crypto debate." At the time, U.S. government officials deprecated the event, claiming that spending more than two days to solve one file is not very efficient for a meaningful attack on DES. By the fall, the U.S. export rules were changed from 40-bit to 56-bit. This all raises three questions: Should DES still be used? If so, for what? And if not, what should replace it?

Most of the crypto debate has centered around key length. For two decades, U.S. policymakers have supported 40-bit keys as more than adequate for business and private use. They have contended that 56-bit keys were for banking and government use. Somewhere along the way, banking and government moved to 156-bit (Triple DES), while business and private users stayed with the 40-bit statement. The U.S. government has never restricted domestic encryption, but by restricting export products it has effectively held back many domestic products--until recently. As part of the EFF description of Deep Crack and its attack on DES, DES40 (the standard name for 40-bit DES) is referred to as the "six-second crypto." This sound bite clearly describes what a system like Deep Crack can do with a DES40-encrypted file.

Am I Paranoid Enough?

In many public quarters, the push is on to use Triple DES (3DES, as defined by ANSI X9.52) as the primary cryptographic algorithm. 3DES, as the name implies, performs three DES operations on each block of data. First it encrypts, then it decrypts and finally it encrypts again. 3DES can use two or three distinct DES keys. In its "112-bit mode," the same key is used for the first and third operation, making it possible to use 3DES and stay within the 128-bit Wassenaar agreement (www.wassenaar.org). But if 3DES is so strong, why is NIST (National Institute of Science and Technology) searching for a new AES (Advanced Encryption Standard) (csrc.nist.gov/encryption/aes/aes_home.htm)?

The answer has to do with DES' age. It took the cryptographic community quite some time to fully accept that DES is secure--except against brute-strength attackers such as Deep Crack. Now, the latest public DES challenge saw Deep Crack find the DES key in only 22 hours, and Deep Crack's software and hardware keep getting better and less expensive. DES could soon be as easy and economical to break as DES40.

That's why the rush to 3DES is on, but concerns remain. What if, given Deep Crack's parallel-processing nature, 3DES with two keys is only twice as hard to break as DES (44 hours) and not the square of the effort to break DES (484 hours)? If so, we'll soon be scrambling for another new encryption algorithm. It takes years of analysis of a really good cryptographic algorithm to determine if it works as advertised. Two years ago, in an effort to hedge its bets, NIST called for a new AES to make it possible to select a new standard before 3DES falls from grace.

Choices? Really?

3DES isn't the only alternative. CAST (Carlisle Adams and Stafford Tavares), IDEA (International Data Encryption Algorithm) and RC5 (Rivest Cipher #5) are popular cryptographic algorithms. All three have been under public scrutiny for a number of years and all use a single 128-bit key (not the multiple operations of 3DES). But similar to 3DES, these algorithms use 256-bit cypher blocks, which effectively eliminate all three as possible new AES candidates; the concern is that any weakness that shows up in 3DES will appear in these algorithms as well. In the cryptographers' eyes, 3DES will be broken, given enough time. We know it takes time to field a new cryptographic algorithm, yet there is still no real alternative to 3DES in use today to serve our future needs. Indeed, there is work to be done, but have faith (ahem): NIST's process is public, and the best cryptographic algorithm will be selected for AES.

Meanwhile, CAST has been implemented on a few cryptographic systems as the only royalties-free alternative to 3DES. CAST (RFC 2144) was made available without royalties by its patent holder, Entrust, so there would be a viable alternative to 3DES for any implementer. Although NIST does not consider CAST, IDEA and RC5 viable as new AES possibilities, they do have a critical performance advantage over 3DES. Computationally, the three DES operations performed with 3DES are very expensive. CAST, IDEA and RC5 consistently outperform 3DES when performed in software. So until 3DES hardware is included with every host (or AES is selected), systems will use these three algorithms along with 3DES.

Granted, this all seems like a lot of user confusion for an event that most likely will occur after graybeards like me are semi-retired consultants. But here's a scenario to consider before you decide that 3DES alone will meet all of your needs: Over the next few years you and your fellow employees will encrypt many data files and communication sessions with 3DES. And while you will lose track of many of them, potential attackers will keep an eye on files and sessions they deem valuable. Once 3DES is broken, they will open those files, and you may get stung by it.

Cryptographic Strength

The power of symmetric-keyed cryptography is that for each added bit the key space is twice as large, so a brute force attack takes twice as long. Assuming that Deep Crack is as effective at attacking CAST-56 as DES (which is very reasonable considering its architecture), it's easy to extrapolate attack times against different CAST key lengths. CAST can use any key length from 40 bits to 128 bits in steps of eight bits; 64 bits, 80 bits and 128 bits are the most common. Based on Deep Crack's current capability, the system would need 235 days to break a CAST-64 key and 43,000 years to break a CAST-80 key. A CAST-128 key would take 1 trillion times longer to break than CAST-80. So, even with rapid improvements in attack systems, CAST-128 and perhaps CAST-80 will supply excellent long-term data protection.

This still begs the question, isn't 3DES with two keys as strong as CAST-128, or at least close enough? It is true that both algorithms are out of reach of brute-strength attacks for the foreseeable future. But the concern is not in its weakness to brute strength, but in some new weakness appearing. There is real concern that the encryption method used for 3DES might fall to a massively parallel decrypting system. That's why placing secured data into different cryptographic algorithm baskets is the best course of action.

Another consideration is speed of encrypting and decrypting. Today's hosts can perform 3DES as fast as systems did DES five years ago, but CAST, RC5 and IDEA are even faster because DES was designed for specialized hardware, the others for generalized computing platforms. A lot of hardware does 3DES, but even more does DES. This leads us to one more important algorithm, DESX, which has been around almost as long as DES itself, yet has been ignored by implementers. DESX is DES with an extra 56-bit key "XORed" in before the DES operation. DESX is as fast as DES and uses DES hardware, but it is significantly stronger. A brute-strength attack against DESX would be against its 112 bits worth of keys. Some cryptographers suspect there's a way to break DESX with an attack space of less than 112 bits but more than 56 bits. This makes DESX more trusted than DES but less than two-key 3DES.

Essentially, DES is dead. Don't use it for anything that has a time value greater than 20 hours. We must now use the tools at hand and make tactical decisions until AES is finalized. Security is always a matter of risk analysis; our concern is how long it will take a determined attacker to break through. The effort the attacker will use is based on a balance between the value of the data and the cost of the attack. Time is as much a factor in determining the value as any monetary consideration. An automotive CAD drawing may need to be protected for six years (competitive analysis sets the short lifetime), whereas some financial information might need 15 or more years of protection. Yet, certain financial transactions might be worthless to an attacker 10 minutes after execution.

Short-lived information can be adequately protected with RC5, CAST with 64-bit keys or DESX. Data requiring protection for a few years should use DESX or an 80-bit RC5 or CAST key. For those long-term items (or those for which the value is unknown), go for 112 or more bits--3DES, RC5, CAST or IDEA. It's important to mix the algorithms to maintain a diverse front against attack. Key length is a performance issue; if you've got cycles to burn, go ahead. Just remember that what's adequate CPU today may be too little tomorrow as you use more secure communications. It's wise to establish a key-length policy early and review it annually.
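The extrapolation from the "Cryptographic Strength" discussion and the lifetime-based key-length policy above can be combined into one calculation. The following is an added example, not part of the original column: it takes the column's 22-hour, 56-bit Deep Crack result as the baseline, and it assumes attack hardware doubles in speed every 18 months (the function names and that doubling rate are assumptions). It models exhaustive key search only, not a new structural weakness in an algorithm.

```python
# Added example, not from the column. Baseline is the column's figure:
# Deep Crack recovered a 56-bit DES key in 22 hours.
BASE_BITS = 56
BASE_HOURS = 22.0
HOURS_PER_YEAR = 24 * 365

# Key lengths the column recommends choosing between.
CANDIDATE_BITS = (64, 80, 112, 128)


def search_hours(key_bits, speedup=1.0):
    """Brute-force time in hours; each added key bit doubles the work."""
    return BASE_HOURS * 2.0 ** (key_bits - BASE_BITS) / speedup


def attacker_speedup(years, doubling_months=18.0):
    """ASSUMPTION: attack hardware doubles in speed every doubling_months."""
    return 2.0 ** (years * 12.0 / doubling_months)


def min_key_bits(protect_years, doubling_months=18.0):
    """Smallest candidate whose search time, even on the hardware assumed
    to exist at the END of the protection window, exceeds the window."""
    window_hours = protect_years * HOURS_PER_YEAR
    speedup = attacker_speedup(protect_years, doubling_months)
    for bits in CANDIDATE_BITS:
        if search_hours(bits, speedup) > window_hours:
            return bits
    return None  # no candidate is long enough under these assumptions


if __name__ == "__main__":
    for bits in (40, 56, 64, 80):
        print(f"{bits}-bit key: {search_hours(bits):.3g} hours")
    # Lifetimes from the column's examples (10 minutes, 6 and 15 years),
    # plus a constructed 25-year case.
    for years in (10 / (60 * 24 * 365), 6, 15, 25):
        print(f"protect {years:.3g} years -> {min_key_bits(years)} bits")
```

Sizing against the attacker's end-of-window hardware is deliberately conservative: an attack started earlier in the window runs on slower equipment and finishes later still.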

The most crucial recommendation is to keep on top of security events--schedule yearly policy reviews and be prepared to review your policy whenever a significant event such as Deep Crack or Wassenaar arises. The NSA teaches that in-depth security is the only way to practice secure business. This time, take a lesson from the experts.

Robert Moskowitz is a senior technical director at ICSA; he is also a member of the Internet Architecture Board.

Send your comments on this column to him at rgm@htt-consult.com.
