Network Working Group W A Simpson [DayDreamer]
Internet Draft S Bradner [Harvard University]
expires in six months August 1998
DES Applicability Statement for Historic Status
draft-simpson-des-as-00.txt
Status of this Memo
This document is an Internet-Draft. Internet Drafts are working doc-
uments of the Internet Engineering Task Force (IETF), its Areas, and
its Working Groups. Note that other groups may also distribute work-
ing documents as Internet Drafts.
Internet Drafts are draft documents valid for a maximum of six
months, and may be updated, replaced, or obsoleted by other documents
at any time. It is not appropriate to use Internet Drafts as refer-
ence material, or to cite them other than as a ``working draft'' or
``work in progress.''
To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the internet-drafts Shadow
Directories on:
ftp.is.co.za (Africa)
nic.nordu.net (Northern Europe)
ftp.nis.garr.it (Southern Europe)
ftp.ietf.org (Eastern USA)
ftp.isi.edu (Western USA)
munnari.oz.au (Pacific Rim)
Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) William Allen Simpson and Scott Bradner (1998). All
Rights Reserved.
Abstract
"The ESP DES-CBC Transform" [RFC-1829] and "The PPP DES Encryption
Protocol" [RFC-1969] have been re-classified to Historic status, and
implementation is Not Recommended. This Applicability Statement pro-
vides the supporting motivation for that classification. The primary
reason is that DES alone provides insufficient strength for the pro-
tection of moderate value information for any length of time.
Simpson, Bradner expires in six months [Page i]
DRAFT DES AS August 1998
1. Introduction
The US Data Encryption Standard (DES) algorithm [FIPS-46] has had a
long history of analysis since its adoption in 1977. At the time of
RFC-1829 publication in 1995, briefly citing the current analysis and
describing known limitations, it was suggested that DES was not a
good algorithm for the protection of moderate value information.
However, the level of confidentiality provided by the use of DES in
the Internet environment was considered greater than sending the
datagrams as cleartext.
Recently, RSA Data Security has issued a series of challenges to
demonstrate the current effectiveness of various algorithms and key
lengths. Each challenge has a shorter time for completion.
The first DES challenge of January, 1997, was solved in 140 days on
June 17, 1997, after searching only 25% of the key space. On aver-
age, half of the key space can be expected to be searched. Much of
the time was spent organizing competing volunteer efforts. The hid-
den message was "Strong cryptography makes the world a safer place."
The second DES challenge of January 13, 1998, was solved in 40 days
on February 23, 1998, after searching over 88% of the key space using
tens of thousands of Internet hosts in their spare time. The hidden
message was "Many hands make light work."
The third DES challenge of July 13, 1998, was solved on July 16,
1998, after only 2.5 days! The winner was a single purpose built
machine sponsored by Electronic Frontier Foundation (EFF) [EFF98].
The hidden message was "It's time for those 128-, 192-, and 256-bit
keys."
This demonstrated that the cost of deploying and maintaining Internet
firewalls and Virtual Private Networks can easily exceed the cost of
recovering DES protected confidential data. For protection against
governmental or industrial espionage, the use of DES in the Internet
environment no longer has any cost benefit over sending the datagrams
as cleartext.
2. Problems
DES has a number of problems that restrict its usability in the
global Internet.
2.1. Key Length
Even at the time of DES publication, the analytic community ques-
tioned the DES 56-bit key length as insufficient for long-term use
[DH77]. In 1987, the US National Security Administration raised
objections to re-certifying DES as a US Federal Information
Processing Standard [SB88]. Nevertheless, after much discussion, DES
was re-certified [FIPS-46-1], and again in 1993.
The DES certification expires in 1998, and the US has begun a public
process for evaluating replacements with longer key lengths. This
successor requires 128-, 192-, and 256-bit key lengths.
Numerous studies have predicted the work factor of various key
lengths, and the trade-offs between cost, memory, and time. See
[Schneier95, Chapter 7], which recommends a minimum of 112-bit keys,
and shows that 128-bit keys would be immune to parallel computation
by conventional computer equipment and recovery of 256-bit keys might
be limited by the energy available in the solar system.
The most recent analysis for symmetric keys [BDRSSTW96] empirically
estimated that a minimum of 75-bit keys would be required in the
short-term, and strongly recommends a minimum of 90-bit keys for
future long-term standards.
2.2. Recovery Time
Shortly after DES publication, the analytic community predicted a
purpose-built DES cracking machine could be built for 10 to 20 mil-
lion US Dollars that would recover a key within 1 to 2 days [DH77,
Hellman79, Diffie81]. More recently, [Weiner94] sketched the design
of a DES cracking machine for 1 million US Dollars that would recover
a key in an average of 3.5 hours. These costs were within the reach
of most governments and large organizations. Anecdotal evidence sug-
gests that some governments may have built such a machine.
The progression of the RSA challenges anticipated that the dis-
tributed software network could finish the third challenge in 10
days. A recent paper [BDRSSTW96] estimated that a relatively inex-
pensive "off-the-shelf technology" 300 thousand US Dollar DES crack-
ing machine would recover a key in an average of 19 days.
Instead, the cost of the non-recurrent engineering and first proto-
type for the EFF DES cracking machine was under 250 thousand US Dol-
lars [EFF98], and it completed the challenge in 2.5 days. This is
well within the reach of even small organizations, and has shown that
the curve of cost versus time has advanced more rapidly than pre-
dicted.
It has been suggested that DES might still be useful for short-lived
data. This assumption is unwarranted. Attackers with relatively
small budgets will soon have the capability to recover 56-bit keys in
hours or minutes. Well-financed attackers have or will soon have the
capability to recover any DES key within seconds.
2.3. Value
The specifications for the EFF DES cracking machine have been pub-
lished [EFF98]. Additional machines can be built for the same or
lower cost. Assuming that a DES cracking machine has a useful ser-
vice lifetime of 3 or more years, the amortized cost of recovering
any single key is less than 1,200 US Dollars. This is significantly
less than the value of common consumer transactions.
Moreover, the cost of deploying and maintaining Internet firewalls and
Virtual Private Networks utilizing long-term manually configured DES
keys is considerably greater than 1,200 US Dollars per key.
Furthermore, confidential communications and archival data of any
significant value that was protected by DES have become a ripe target
for key recovery. It is frequently impractical to convert the
archival data to a more robust algorithm. There can be no assurance
that all DES copies have been destroyed, and that none have been
intercepted or compromised.
There is no comparative advantage, and significant economic disadvan-
tage, in continuing to use the single-DES algorithm. A number of
other algorithms are likely to provide significantly higher protec-
tion for valuable information, at a cost very close to that of DES.
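The cost argument of sections 2.2 and 2.3, worked through as an added example that is not part of the original draft. It assumes search time and cost scale linearly on fixed hardware and counts 3 years as 1095 days; the function names are illustrative.

```python
# Added example: the constants are the figures quoted in this draft.
DES_BITS = 56
EFF_MACHINE_COST_USD = 250_000   # "under 250 thousand US Dollars" [EFF98]
SERVICE_LIFE_DAYS = 3 * 365      # "3 or more years" (assumed exactly 3)
PER_KEY_BOUND_USD = 1_200        # "less than 1,200 US Dollars"

# (days elapsed, fraction of key space searched) for RSA challenges 1 and 2
CHALLENGES = {"DES-I 1997": (140, 0.25), "DES-II 1998": (40, 0.88)}


def expected_days(days_elapsed, fraction_searched):
    """Normalize a lucky or unlucky run to the expected case: half the key space."""
    full_space_days = days_elapsed / fraction_searched
    return full_space_days / 2


def amortized_cost(machine_cost, avg_days_per_key, life_days=SERVICE_LIFE_DAYS):
    """Hardware cost spread over every key the machine recovers in its lifetime."""
    return machine_cost * avg_days_per_key / life_days


def max_avg_days_for_bound(bound=PER_KEY_BOUND_USD):
    """Slowest average recovery time that still meets the draft's per-key bound."""
    return bound * SERVICE_LIFE_DAYS / EFF_MACHINE_COST_USD


def scale_to_key_length(value_at_56_bits, key_bits):
    """Each added key bit doubles exhaustive-search time and cost."""
    return value_at_56_bits * 2 ** (key_bits - DES_BITS)


if __name__ == "__main__":
    for name, (days, frac) in CHALLENGES.items():
        print(f"{name}: expected {expected_days(days, frac):.1f} days at that rate")
    print(f"bound holds up to {max_avg_days_for_bound():.2f} days per key")
    for bits in (56, 80, 128):
        cost = scale_to_key_length(PER_KEY_BOUND_USD, bits)
        print(f"{bits}-bit key: ~{cost:.3g} USD per key on the same hardware")
```

The 80-bit and 128-bit rows show why the thresholds in section 3 sit where they do: the same budget that recovers a 56-bit key for about 1,200 US Dollars is multiplied by 2^24 at 80 bits.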
3. Conclusions and Recommendations
Currently deployed equipment using DES should be eliminated, or
upgraded to a more robust algorithm and key length.
Existing data depending upon DES for confidentiality should be con-
sidered potentially compromised.
Key lengths less than 80 bits are not acceptable for use in future
standards and not recommended for use in the Internet for protecting
short-lived Internet data. Communication protocols with less
strength will not be advanced on the Internet Standards Track.
Key lengths less than 128 bits are not recommended for protecting
long-lived Internet data. Message and storage protocols with less
strength should not be advanced on the Internet Standards Track.
Security Considerations
Security issues are the topic of this entire document.
Users need to understand that the quality of the security provided
depends completely on the strength of the algorithm, the correctness
of that algorithm's implementation, the security of the Security
Association management mechanism and its implementation, the strength
of the key [CN94], and upon the correctness of the implementations in
all of the participating nodes.
Acknowledgements
John Gilmore provided useful critiques of earlier versions of this
document.
References
[BDRSSTW96] Blaze, M., Diffie, W., Rivest, R., Schneier, B.,
Shimomura, T., Thompson, E., and Wiener, M., "Minimal Key
Lengths for Symmetric Ciphers to Provide Adequate
Commercial Security",
ftp://ftp.research.att.com/dist/mab/keylength, January
1996.
[CN94] Carroll, J.M., and Nudiati, S., "On Weak Keys and Weak
Data: Foiling the Two Nemeses", Cryptologia, Vol. 18 No.
23 pp. 253-280, July 1994.
[DH77] Diffie, W., and Hellman, M.E., "Exhaustive Cryptanalysis
of the NBS Data Encryption Standard", Computer, v 10 n 6,
June 1977.
[Diffie81] Diffie, W., "Cryptographic Technology: Fifteen Year Fore-
cast", BNR Inc., January 1981.
[EFF98] Electronic Frontier Foundation, Gilmore, J., Editor,
"Cracking DES: Secrets of Encryption Research, Wiretap
Politics, and Chip Design", O'Reilly and Associates, July
1998.
[FIPS-46] US National Bureau of Standards, "Data Encryption Stan-
dard", Federal Information Processing Standard (FIPS)
Publication 46, January 1977.
[FIPS-46-1] US National Bureau of Standards, "Data Encryption Stan-
dard", Federal Information Processing Standard (FIPS)
Publication 46-1, January 1988.
[Hellman79] Hellman, M.E., "DES Will Be Totally Insecure within Ten
Years", IEEE Spectrum, v 16 n 7, July 1979.
[SB88] Smid, M.E., and Branstad, D.K., "The Data Encryption
Standard: Past and Future", Proceedings of the IEEE, v 76
n 5, May 1988.
[Schneier95]
Schneier, B., "Applied Cryptography Second Edition", John
Wiley & Sons, New York, NY, 1995. ISBN 0-471-12845-7.
[Weiner94] Wiener, M.J., "Efficient DES Key Search", School of Com-
puter Science, Carleton University, Ottawa, Canada,
TR-244, May 1994. Presented at the Rump Session of
Crypto '93.
Contacts
Comments about this document should be discussed on the ietf@ietf.org
mailing list.
Questions about this document can also be directed to:
William Allen Simpson
DayDreamer
Computer Systems Consulting Services
1384 Fontaine
Madison Heights, Michigan 48071
wsimpson@UMich.edu
wsimpson@GreenDragon.com (preferred)
Scott Bradner
Harvard University
1350 Mass Ave, Room 876
Cambridge, Massachusetts 02138
sob@harvard.edu
Full Copyright Statement
Copyright (C) William Allen Simpson and Scott Bradner (1998). All
Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this doc-
ument itself may not be modified in any way, except as required to
translate it into languages other than English.
This document and the information contained herein is provided on an
"AS IS" basis and the author(s) DISCLAIM ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING (BUT NOT LIMITED TO) ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.