|FROM ||From: "Inker, Evan"
|SUBJECT ||Subject: [hangout] NIST says Data Encryption Standard now 'inadequate'
|From owner-hangout-destenys-at-mrbrklyn.com Thu Jul 29 17:34:10 2004
Received: from www2.mrbrklyn.com (localhost [127.0.0.1])
by mrbrklyn.com (8.12.11/8.11.2/SuSE Linux 8.11.1-0.5) with ESMTP id i6TLYAIv028867
for ; Thu, 29 Jul 2004 17:34:10 -0400
Received: (from mdom-at-localhost)
by www2.mrbrklyn.com (8.12.11/8.12.3/Submit) id i6TLYAoE028866
for hangout-destenys; Thu, 29 Jul 2004 17:34:10 -0400
X-Authentication-Warning: www2.mrbrklyn.com: mdom set sender to owner-hangouts-at-www2.mrbrklyn.com using -f
Received: from mail57.messagelabs.com (mail57.messagelabs.com [126.96.36.199])
by mrbrklyn.com (8.12.11/8.11.2/SuSE Linux 8.11.1-0.5) with SMTP id i6TLY91F028861
for ; Thu, 29 Jul 2004 17:34:10 -0400
X-StarScan-Version: 5.2.10; banners=-,-,-
Received: (qmail 14105 invoked from network); 29 Jul 2004 21:34:21 -0000
Received: from unknown (HELO w2gw-ldn01.gam.com) (188.8.131.52)
by server-12.tower-57.messagelabs.com with SMTP; 29 Jul 2004 21:34:21 -0000
Received: from ntas-ldn15.gam.com (unverified) by w2gw-ldn01.gam.com
(Content Technologies SMTPRS 4.3.12) with ESMTP id
for ; Thu,
29 Jul 2004 22:34:18 +0100
Received: by ntas-ldn15.gam.com with Internet Mail Service (5.5.2653.19) id
; Thu, 29 Jul 2004 22:34:18 +0100
From: "Inker, Evan"
Subject: [hangout] NIST says Data Encryption Standard now 'inadequate'
Date: Thu, 29 Jul 2004 22:34:18 +0100
X-Mailer: Internet Mail Service (5.5.2653.19)
Reply-To: "Inker, Evan"
List: New Yorker GNU Linux Scene
Admin: To unsubscribe send unsubscribe name-at-domian.com in the body to hangout-request-at-www2.mrbrklyn.com
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on www2.mrbrklyn.com
X-Spam-Status: No, hits=-4.9 required=4.0 tests=BAYES_00 autolearn=ham
NIST says Data Encryption Standard now 'inadequate'
It says the encryption algorithm should lose its certification for use in
News Story by Paul Roberts
JULY 29, 2004 (DIG NEWS SERVICE) - The National Institute of Standards and
Technology (NIST) is proposing that the Data Encryption Standard (DES), a
popular encryption algorithm, lose its certification for use in software
products sold to the government.
The advent of massively parallel computing has rendered DES inadequate to
protect federal government information, NIST said. The institute, part of
the U.S. Department of Commerce, is proposing that the government withdraw
Federal Information Processing Standard (FOPS) certification for DES, a move
that could have ripple effects throughout the technology sector and force a
wide range of legacy systems into early retirement, according to one
DES was the first government-approved standard for encrypting sensitive
information and grew out of research by IBM and the secretive National
Security Agency, according to Paul Kocher, president of Cryptography
Research Inc. in San Francisco. The algorithm, sometimes referred to as
single DES, uses a 56-bit key to encrypt blocks of data, and can produce up
to 72 trillion unique keys.
While that number of unique combinations was formidable in the 1970s and
'80s given the power of computers at that time, experts were aware that the
growth of computing power would render the algorithm breakable and that DES
had at most a 15-year life span, according to NIST.
By the 1990s, computers had become powerful enough that breaking the DES
algorithm was achievable, even for groups with limited resources. In a 1998
experiment funded by the Electronic Frontier Foundation, Kocher and his
colleagues designed a machine for about $250,000 that could break one DES
key a week, he said.
With computers doubling in speed every 18 months, a similar system designed
with 2004 technology could presumably break a key in 1/64th of that time
using so-called brute-force methods, which essentially try every possible
key combination until the correct combination is guessed, Kocher said.
The development of parallel computing, which harnesses the power of many
small computers to work on a single task, also spelled the end for FIPS,
Kocher said. "I actually expected this to happen a year ago. ... It's gotten
to the point where any government curious enough to break DES traffic
Even malicious hackers in control of an army of virus-infected "zombie"
computers could make short work of the single DES algorithm, he said.
NIST is proposing that federal agencies use DES only as a component of the
Triple Data Encryption Algorithm, also known as Triple DES. However, NIST
encouraged agencies to implement the stronger and faster Advanced Encryption
Standard algorithm instead.
Either Triple DES or AES are "many trillions of times" stronger than DES and
could take decades or centuries to break, even with the current rate of
advancement in computer processing speed, Kocher said.
Still, the switch to higher encryption algorithms may be difficult for older
software products, many of which were designed to work exclusively with
single DES and may not integrate well with products using the newer
algorithms, he said. The NIST Web site lists more than 450 software and
hardware products dating to 1995, and while many of the newer products
approved for use in the government support DES, AES and Triple DES, older
products frequently do not.
While the loss of FIPS certification has not yet been approved, software
vendors with legacy products will likely be scrambling to update their
products to work with the stronger encryption.
That could be good news for the security community, which was worried about
loosely protected data, and for the companies, which may be able to charge
the government for software upgrades to their products, Kocher said.
This message contains confidential information and is intended only
for the individual or entity named. If you are not the named addressee
you should not disseminate, distribute or copy this e-mail.
Please notify the sender immediately by e-mail if you have received
this e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed, arrive
late or incomplete, or contain viruses. The sender therefore does not
accept liability for any errors or omissions in the contents of this
message which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
This message is provided for informational purposes and should not
be construed as an invitation or offer to buy or sell any securities or
related financial instruments.
GAM operates in many jurisdictions and is
regulated or licensed in those jurisdictions as required.
NYLXS: New Yorker Free Software Users Scene
Fair Use -
because it's either fair use or useless....
NYLXS is a trademark of NYLXS, Inc