* Reply to msg originally in Cypherpunks <INET> marc@Athena.MIT.EDU (Marc Horowitz) writes:
BK> I also believe that nobody's security is perfect, and that if BK> something as big as DES was broken, even at the NSA, we would have BK> heard about it. If the world banking industry trusts DES for their BK> trillions of dollars a day, I'm willing to trust it for my little, BK> insignificant messages.
I'm surprised that you haven't had 53 replies to this already, but in that you haven't I suppose I ought not let this go by unchallenged. In a _MicroTimes_ article by Jim Warren of the EFF, the unreliability of DES was discussed at length. In a nutshell, Marty Hellman of Stanford broke the "unbreakable" 54-bit DES _prior to its adoption as a standard_. He promoted the idea of a 64-bit DES instead, but was _opposed by the NSA_ for reasons we can all speculate upon at length. This opposition is the basis of the rumors (?) of DES being backdoored by the NSA. The upshot was that DES was adopted _after_ being demonstrably compromised.
Slow down. Firstly, DES encrypts a 64-bit block with a 56-bit key. Are you talking about key lengths? It was originally proposed to use a 128-bit key space, alla IBM's LUCIFER. But they opted on the smaller key, which fuels this NSA conspiracy theory. The other major thing, are the S-boxes, which no one has been able to deduce the reasoning behind the choice of the values, and that's the source of the "backdoor" theory. Saying that Hellman "broke" anything is a bit strong. I remember reading a published paper, I believe by Hellman and one other, describing that they were able to WEAKEN DES (with a smaller key space for their experiment), using a statistical approach, and that this could possibly be applied to the DES standard.
The postscript to this is that Hellman's proposed "unbreakable" 64-bit DES variant was later cracked as well. The post-postscript is an apocryphal story I personally got from an Israeli communications tech and minor spook. He claimed that DES was broken by the cryptanalytic arm of Israeli intelligence _in two hours_. It is relatively certain that a DES-encrypted cyphertext can be easily decrypted by well-equipped agencies. Whether decryption is now trivially accomplished by private parties is another question.
JN
Now this is just hearsay with no basis in fact, only rumor. It remains that DES's only real "weakness", is that a major corporation, sparing no expense, can have many massively-parallel machines at their disposal, and do an exhaustive search of the key space. Which is just to state the obvious, that as computing speed increases, the amount of time to do an exhaustive search decreases. This has nothing to do with crypto- graphic weaknesses in DES, as you're suggesting. If you're not just some NSA-paranoid wacko, reference some papers to back up your claims. Otherwise, you're just another NSA-conspiracy theorist, and part of the noise. We're all capable of suspecting underhandedness on the part of the NSA, but when you start misrepresenting your opinions as fact, you're being nonconstructive. It would be of interest to all cypherpunks to be kept abreast of the academic research being done in this area, and someone may wish to post a list of recommended papers to read on developments in cryptographic weaknesses.