This article is from the PGP FAQ, by Jeff Licquia <jalicqui@prairienet.org> with numerous contributions by others.

A data encryption standard developed by IBM under the auspices of the
United States Government. It was criticized because the research that
went into the development of the standard remained classified.
Concerns were raised that there might be hidden trap doors in the
logic that would allow the government to break anyone's code if they
wanted to listen in. DES uses a 56-bit key to perform a series of
nonlinear transformations on a 64-bit data block. Even when it was
first introduced a number of years ago, it was criticized for not
having a long enough key. 56 bits just didn't put it far enough out of
reach of a brute force attack. Today, with the increasing speed of
hardware and its falling cost, it would be feasible to build a machine
that could crack a 56-bit key in under a day's time. It is not known
if such a machine has really been built, but the fact that it is
feasible tends to weaken the security of DES substantially.

I would like to thank Paul Leyland <pcl@ox.ac.uk> for the following
information relating to the cost of building such a DES cracking
machine:

"Efficient DES Key Search"

At Crypto 93, Michael Wiener gave a paper with the above title. He
showed how a DES key search engine could be built for $1 million which
can do exhaustive search in 7 hours. Expected time to find a key from
a matching pair of 64-bit plaintext and 64-bit ciphertext is 3.5 hours.

So far as I can tell, the machine is scalable, which implies that a
$100M machine could find keys every couple of minutes or so.

The machine is fairly reliable: an error analysis implies that the mean
time between failure is about 270 keys.

The final sentence in the abstract is telling: In the light of this
work, it would be prudent in many applications to use DES in
triple-encryption mode.

I only have portions of a virtually illegible FAX copy, so please don't
ask me for much more detail. A complete copy of the paper is being
snailed to me.

Paul C. Leyland <pcl@ox.ac.uk>

Laszlo Baranyi <laszlo@instrlab.kth.se> says that the full paper is
available in PostScript from:

ftp://ftp.eff.org/pub/crypto/des_key_search.ps

ftp://cpsr.org/cpsr/crypto/des/des_key_search.ps

(cpsr.org also makes it available via their Gopher service)
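
The scaling argument quoted above, worked through as an added example (not part of the FAQ or of Wiener's paper). It assumes key-test throughput grows linearly with money spent, calibrates on the $1 million / 7 hour figure, and extends the model to a 112-bit key (the key length of two-key triple DES, an assumption; the page gives no figure for triple encryption). All function names are illustrative.

```python
# Added example: linear cost model for exhaustive key search, calibrated
# from the figures quoted above ($1M machine, full 56-bit sweep in 7 hours).
from fractions import Fraction

REF_BUDGET_USD = 1_000_000      # from the page
REF_KEY_BITS = 56               # DES key length, from the page
REF_SWEEP_SECONDS = 7 * 3600    # full key-space sweep, from the page


def keys_per_second(budget_usd):
    """Key-test rate, ASSUMING throughput scales linearly with budget."""
    ref_rate = Fraction(2 ** REF_KEY_BITS, REF_SWEEP_SECONDS)
    return ref_rate * Fraction(budget_usd, REF_BUDGET_USD)


def expected_search_seconds(key_bits, budget_usd):
    """Expected time to find a key: on average half the key space is tried."""
    return Fraction(2 ** (key_bits - 1)) / keys_per_second(budget_usd)


def budget_for_deadline(key_bits, worst_case_seconds):
    """Budget (USD) needed to sweep the whole key space within the deadline."""
    needed_rate = Fraction(2 ** key_bits, worst_case_seconds)
    return needed_rate / keys_per_second(1)  # rate per dollar is constant


def humanize(seconds):
    """Render a duration in the largest unit that keeps the value >= 1."""
    units = (("years", 365.25 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{float(seconds) / size:.3g} {unit}"
    return f"{float(seconds):.3g} seconds"


if __name__ == "__main__":
    # 112 bits: key length of two-key triple DES (assumption, not on the page)
    for bits in (56, 112):
        for budget in (1_000_000, 100_000_000):
            t = expected_search_seconds(bits, budget)
            print(f"{bits:>3}-bit key, ${budget:>11,}: expected {humanize(t)}")
    day_budget = budget_for_deadline(56, 24 * 3600)
    print(f"budget for a worst-case 24 h DES sweep: ${float(day_budget):,.0f}")
```

Under this model the 56-bit figures reproduce the 3.5 hours and "couple of minutes" quoted above, while the same $100M budget against a 112-bit key gives an expected search time on the order of 10^11 years.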
