On Aug 3, 1:22pm, Kent Borg wrote:
Given: 1) Some people worry about the strength of DES. (Correct?)
As a cipher which is completely secure against all levels of attack, yes. DES would still be suitable for tactical encryption where the lifetime of the information is less than a few minutes (and is useless past that time), or in situations where your adversary known, unique and is not well funded. Outside these categories, I would say that most, not "some", people who are familiar with the issues worry about the strength of DES.
2) DES is within striking distance of a brute-force attack, this is far-and-away its most serious weakness. (Correct?)
Always has been, which was a point (Diffie?) made right at the beginning. The problem is that it has now reached the point where the resources needed to construct a brute-force search engine are commercially available. Given the current development of FPGA's and so forth, I would predict that within three to five years you will be able to do a brute-force search using commercially available off-the-shelf FPGA arrays.
3) 3-DES is nowhere near soon being vulnerable to a brute-force attack. (Correct?)
That is the supposition. DES is not a group (proven), and so it is assumed that 3DES gives a keyspace to search which is not practical even in the distant future.
It follows then that: 3-DES is a trivial fix of DES' ills. (Correct?)
Perhaps.
Now, I repeat my puzzle. If there really was a Great Government Gnashing of teeth over how to replace DES, what was the problem?
Options: 1. 3DES is not as secure as we think. I do not believe that NIST has said anything about this one way or the other, and their silence is rather interesting. 2. 3DES IS as secure as we think (or nearly so), and they know it, and they are keeping us in the dark because they do not want to give any of us strong non-escrowed encryption. The FUD principle. 3. 3DES is stronger than DES, but not as strong as we all think. The NSA is not willing to specify a cipher whose key entropy is not a substantial portion of it's keysize. Let's assume (2). What makes me wonder is that the NSA was obviously aware of the possibilities of superencryption back in the 1970's, and I would have expected them specify the production of a cipher which WAS a group to defeat this. Options: a. It is not possible to produce a secure cipher which is a group (anyone got any comments on this thought? I must admit that it is not something I have given a lot of thought to, and I certainly have no mathematical backing for this supposition.) b. The NSA didn't know how to produce a cipher which was a groups. Let's not have any "the NSA can do anything" arguments, please. I am positive that they have quite amazing skills in cipher design, but they're not all powerful. Because of this, they're sitting tight and hoping that we won't notice. c. The NSA didn't care (unlikely). d. The NSA did care, expected to specify it when DES became unviable (which is a really neat solution, if you consider the installed base and the fact that it is mostly a software update in the drivers even for the hardware implementations). Then the political climate changed in the USA, civilian crypto started to make the management nervous, and they shelved the idea. I go for (d). Anyone else? Ian.