Network Working Group                           W A Simpson [DayDreamer]
Internet Draft                            S Bradner [Harvard University]
expires in six months                                        August 1998


            DES Applicability Statement for Historic Status
                      draft-simpson-des-as-00.txt


Status of this Memo

   This document is an Internet-Draft.  Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its Areas,
   and its Working Groups.  Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet Drafts are draft documents valid for a maximum of six
   months, and may be updated, replaced, or obsoleted by other documents
   at any time.  It is not appropriate to use Internet Drafts as
   reference material, or to cite them other than as a ``working
   draft'' or ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the internet-drafts Shadow
   Directories on:

      ftp.is.co.za (Africa)
      nic.nordu.net (Northern Europe)
      ftp.nis.garr.it (Southern Europe)
      ftp.ietf.org (Eastern USA)
      ftp.isi.edu (Western USA)
      munnari.oz.au (Pacific Rim)

   Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) William Allen Simpson and Scott Bradner (1998).  All
   Rights Reserved.

Abstract

   "The ESP DES-CBC Transform" [RFC-1829] and "The PPP DES Encryption
   Protocol" [RFC-1969] have been re-classified to Historic status, and
   implementation is Not Recommended.  This Applicability Statement
   provides the supporting motivation for that classification.  The
   primary reason is that DES alone provides insufficient strength for
   the protection of moderate value information for any length of
   time.



Simpson, Bradner          expires in six months                 [Page i]


DRAFT                            DES AS                      August 1998


1.  Introduction

   The US Data Encryption Standard (DES) algorithm [FIPS-46] has had a
   long history of analysis since its adoption in 1977.  At the time of
   RFC-1829 publication in 1995, briefly citing the current analysis and
   describing known limitations, it was suggested that DES was not a
   good algorithm for the protection of moderate value information.
   However, the level of confidentiality provided by the use of DES in
   the Internet environment was considered greater than sending the
   datagrams as cleartext.

   Recently, RSA Data Security has issued a series of challenges to
   demonstrate the current effectiveness of various algorithms and key
   lengths.  Each challenge has a shorter time for completion.

   The first DES challenge of January, 1997, was solved in 140 days on
   June 17, 1997, after searching only 25% of the key space.  On
   average, half of the key space can be expected to be searched.  Much
   of the time was spent organizing competing volunteer efforts.  The
   hidden message was "Strong cryptography makes the world a safer
   place."

   The second DES challenge of January 13, 1998, was solved in 40 days
   on February 23, 1998, after searching over 88% of the key space using
   tens of thousands of Internet hosts in their spare time.  The hidden
   message was "Many hands make light work."

   The third DES challenge of July 13, 1998, was solved on July 16,
   1998, after only 2.5 days!  The winner was a single purpose built
   machine sponsored by Electronic Frontier Foundation (EFF) [EFF98].
   The hidden message was "It's time for those 128-, 192-, and 256-bit
   keys."

   This demonstrated that the cost of deploying and maintaining Internet
   firewalls and Virtual Private Networks can easily exceed the cost of
   recovering DES protected confidential data.  For protection against
   governmental or industrial espionage, the use of DES in the Internet
   environment no longer has any cost benefit over sending the datagrams
   as cleartext.


2.  Problems

   DES has a number of problems that restrict its usability in the
   global Internet.


2.1.  Key Length

   Even at the time of DES publication, the analytic community
   questioned the DES 56-bit key length as insufficient for long-term
   use [DH77].  In 1987, the US National Security Administration raised
   objections to re-certifying DES as a US Federal Information
   Processing Standard [SB88].  Nevertheless, after much discussion,
   DES was re-certified [FIPS-46-1], and again in 1993.

   The DES certification expires in 1998, and the US has begun a public
   process for evaluating replacements with longer key lengths.  This
   successor requires 128-, 192-, and 256-bit key lengths.

   Numerous studies have predicted the work factor of various key
   lengths, and the trade-offs between cost, memory, and time.  See
   [Schneier95, Chapter 7], which recommends a minimum of 112-bit keys,
   and shows that 128-bit keys would be immune to parallel computation
   by conventional computer equipment and recovery of 256-bit keys might
   be limited by the energy available in the solar system.

   The most recent analysis for symmetric keys [BDRSSTW96] empirically
   estimated that a minimum of 75-bit keys would be required in the
   short-term, and strongly recommends a minimum of 90-bit keys for
   future long-term standards.


2.2.  Recovery Time

   Shortly after DES publication, the analytic community predicted a
   purpose-built DES cracking machine could be built for 10 to 20
   million US Dollars that would recover a key within 1 to 2 days
   [DH77, Hellman79, Diffie81].  More recently, [Weiner94] sketched the
   design of a DES cracking machine for 1 million US Dollars that would
   recover a key in an average of 3.5 hours.  These costs were within
   the reach of most governments and large organizations.  Anecdotal
   evidence suggests that some governments may have built such a
   machine.

   The progression of the RSA challenges anticipated that the
   distributed software network could finish the third challenge in 10
   days.  A recent paper [BDRSSTW96] estimated that a relatively
   inexpensive "off-the-shelf technology" 300 thousand US Dollar DES
   cracking machine would recover a key in an average of 19 days.

   Instead, the cost of the non-recurrent engineering and first
   prototype for the EFF DES cracking machine was under 250 thousand US
   Dollars [EFF98], and it completed the challenge in 2.5 days.  This
   is well within the reach of even small organizations, and has shown
   that the curve of cost versus time has advanced more rapidly than
   predicted.

   It has been suggested that DES might still be useful for short-lived
   data.  This assumption is unwarranted.  Attackers with relatively
   small budgets will soon have the capability to recover 56-bit keys in
   hours or minutes.  Well-financed attackers have or will soon have the
   capability to recover any DES key within seconds.


2.3.  Value

   The specifications for the EFF DES cracking machine have been
   published [EFF98].  Additional machines can be built for the same or
   lower cost.  Assuming that a DES cracking machine has a useful
   service lifetime of 3 or more years, the amortized cost of
   recovering any single key is less than 1,200 US Dollars.  This is
   significantly less than the value of common consumer transactions.

   Moreover, the cost of deploying and maintaining Internet firewalls
   and Virtual Private Networks utilizing long-term manually configured
   DES keys is considerably greater than 1,200 US Dollars per key.
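
   The amortized-cost figure above can be checked, and extended to the
   key lengths cited in Sections 2.1 and 3, with a short calculation.
   The sketch below is an added example, not part of the draft; it
   assumes a fixed key-search rate, cost linear in machine time, and
   that the 2.5 days of the third challenge is a typical recovery time.

```python
# Added example. Dollar figures, lifetime and key lengths are taken from
# the draft; the cost model itself is an assumption made for illustration.
MACHINE_COST_USD = 250_000   # EFF machine: "under 250 thousand US Dollars"
LIFETIME_DAYS = 3 * 365      # "useful service lifetime of 3 or more years"
DAYS_PER_56BIT_KEY = 2.5     # assumed typical; the draft reports one run


def days_per_key(bits, ref_bits=56, ref_days=DAYS_PER_56BIT_KEY):
    """At a fixed key rate, exhaustive search doubles per added key bit."""
    return ref_days * 2.0 ** (bits - ref_bits)


def cost_per_key(bits):
    """Hardware cost amortized over the machine time one recovery uses."""
    return MACHINE_COST_USD * days_per_key(bits) / LIFETIME_DAYS


def break_even_days(budget_usd):
    """Slowest per-key recovery time that still stays within the budget."""
    return budget_usd * LIFETIME_DAYS / MACHINE_COST_USD


def min_bits_for_cost(target_usd):
    """Smallest key length whose amortized recovery cost reaches target."""
    bits = 56
    while cost_per_key(bits) < target_usd:
        bits += 1
    return bits


def report(lengths=(56, 75, 80, 90, 112, 128)):
    """Rows of (key bits, years per key, amortized USD per key)."""
    return [(b, days_per_key(b) / 365, cost_per_key(b)) for b in lengths]


if __name__ == "__main__":
    for bits, years, usd in report():
        print(f"{bits:4d} bits  {years:12.3e} years/key  {usd:12.3e} USD/key")
    print("1,200 USD bound holds up to",
          break_even_days(1200), "days per 56-bit key")
    print("1 million USD per key first reached at",
          min_bits_for_cost(1_000_000), "bits")
```

   Under these assumptions the 1,200 US Dollar bound holds for any
   average recovery time up to about 5.3 days per key.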

   Furthermore, confidential communications and archival data of any
   significant value that was protected by DES have become a ripe target
   for key recovery.  It is frequently impractical to convert the
   archival data to a more robust algorithm.  There can be no assurance
   that all DES copies have been destroyed, and that none have been
   intercepted or compromised.

   There is no comparative advantage, and significant economic
   disadvantage, in continuing to use the single-DES algorithm.  A
   number of other algorithms are likely to provide significantly
   higher protection for valuable information, at a cost very close to
   that of DES.


3.  Conclusions and Recommendations

   Currently deployed equipment using DES should be eliminated, or
   upgraded to a more robust algorithm and key length.

   Existing data depending upon DES for confidentiality should be
   considered potentially compromised.

   Key lengths less than 80 bits are not acceptable for use in future
   standards and not recommended for use in the Internet for protecting
   short-lived Internet data.  Communication protocols with less
   strength will not be advanced on the Internet Standards Track.

   Key lengths less than 128 bits are not recommended for protecting
   long-lived Internet data.  Message and storage protocols with less
   strength should not be advanced on the Internet Standards Track.


Security Considerations

   Security issues are the topic of this entire document.

   Users need to understand that the quality of the security provided
   depends completely on the strength of the algorithm, the correctness
   of that algorithm's implementation, the security of the Security
   Association management mechanism and its implementation, the strength
   of the key [CN94], and upon the correctness of the implementations in
   all of the participating nodes.


Acknowledgements

   John Gilmore provided useful critiques of earlier versions of this
   document.


References

   [BDRSSTW96] Blaze, M., Diffie, W., Rivest, R., Schneier, B.,
               Shimomura, T., Thompson, E., and Wiener, M., "Minimal Key
               Lengths for Symmetric Ciphers to Provide Adequate
               Commercial Security",
               ftp://ftp.research.att.com/dist/mab/keylength, January
               1996.

   [CN94]      Carroll, J.M., and Nudiati, S., "On Weak Keys and Weak
               Data: Foiling the Two Nemeses", Cryptologia, Vol. 18 No.
               23 pp. 253-280, July 1994.

   [DH77]      Diffie, W., and Hellman, M.E., "Exhaustive Cryptanalysis
               of the NBS Data Encryption Standard", Computer, v 10 n 6,
               June 1977.

   [Diffie81]  Diffie, W., "Cryptographic Technology: Fifteen Year
               Forecast", BNR Inc., January 1981.

   [EFF98]     Electronic Frontier Foundation, Gilmore, J., Editor,
               "Cracking DES: Secrets of Encryption Research, Wiretap
               Politics, and Chip Design", O'Reilly and Associates, July
               1998.

   [FIPS-46]   US National Bureau of Standards, "Data Encryption
               Standard", Federal Information Processing Standard (FIPS)
               Publication 46, January 1977.

   [FIPS-46-1] US National Bureau of Standards, "Data Encryption
               Standard", Federal Information Processing Standard (FIPS)
               Publication 46-1, January 1988.

   [Hellman79] Hellman, M.E., "DES Will Be Totally Insecure within Ten
               Years", IEEE Spectrum, v 16 n 7, July 1979.

   [SB88]      Smid, M.E., and Branstad, D.K., "The Data Encryption
               Standard: Past and Future", Proceedings of the IEEE, v 76
               n 5, May 1988.

   [Schneier95]
               Schneier, B., "Applied Cryptography Second Edition", John
               Wiley & Sons, New York, NY, 1995.  ISBN 0-471-12845-7.

   [Weiner94]  Wiener, M.J., "Efficient DES Key Search", School of
               Computer Science, Carleton University, Ottawa, Canada,
               TR-244, May 1994.  Presented at the Rump Session of
               Crypto '93.


Contacts

   Comments about this document should be discussed on the ietf@ietf.org
   mailing list.

   Questions about this document can also be directed to:

      William Allen Simpson
      DayDreamer
      Computer Systems Consulting Services
      1384 Fontaine
      Madison Heights, Michigan  48071

          wsimpson@UMich.edu
          wsimpson@GreenDragon.com (preferred)


      Scott Bradner
      Harvard University
      1350 Mass Ave, Room 876
      Cambridge, Massachusetts  02138

         sob@harvard.edu



Full Copyright Statement

   Copyright (C) William Allen Simpson and Scott Bradner (1998).  All
   Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, except as required
   to translate it into languages other than English.

   This document and the information contained herein is provided on an
   "AS IS" basis and the author(s) DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING (BUT NOT LIMITED TO) ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.





