Tales of the Crypto U.S. government works to replace Data Encryption Standard By Jim Kerstetter, PC Week Online 01.12.98 10:00 am ET The days of DES, which for the past 20 years has been the foundation for government and commercial cryptography around the world, are numbered. The U.S. government has embarked on an expansive project to replace the Data Encryption Standard. By the end of this year, a panel of cryptographers, headed by the National Institute of Standards and Technology, is expected to pick a new cryptographic algorithm to replace DES as the government's standard. The changeover to the new algorithm, to be called the Advanced Encryption Standard, won't happen overnight. In fact, the selection process could end up taking years. But whatever AES ultimately becomes, one thing is clear: The new standard will force major change for both the IT and developer communities. Anyone selling the government software that uses encryption for security will have to support the AES algorithm, which could become the standard for decades to come. Corporations conducting secure transactions with the government over the Internet will also have to rely on software that supports AES. And, in several years, AES could replace DES for private-key encryption in most commercial security algorithms. "Right now, I'm using PGP [Pretty Good Privacy] for some things. But the bulk of what we use here is with DES," said Paul O'Donnell, security manager at an Illinois manufacturer. "Should I be paying attention to what they [NIST] are doing? I suppose so." It's a change many say is overdue. DES was developed by IBM and the government in the 1970s. It was intended to last five to 10 years, said Dennis Branstad, an early DES developer for NIST's forerunner, the Institute of Computer Sciences and Technology. "It was a good algorithm. It turned out to be better than we thought," said Branstad, now director of cryptographic technologies at Trusted Information Systems Inc., in Glenwood, Md. "But it took longer to be accepted than we thought it would. There was no demand for it." DES is a symmetric, or private, key algorithm in which both the sender and receiver of a message must have a copy of the private key. It also can be used to encrypt data on a hard disk. It is found in an array of security protocols in the corporate world, ranging from secure E-mail software to virtual private network technology. DES' 56-bit private keys were unhackable until last year, when a nationwide network of computer users broke a DES key in 140 days--hardly an easy effort, but a harbinger of things to come as processing speed increases. Some experts now argue that it could take less than a week to break DES, with less than $100,000 worth of hardware. According to John Callas, chief technology officer of the Total Network Security Division of Network Associates Inc., a good hacker, with about $50,000 worth of specialty hardware, could crack a DES key in an hour. "Anybody who can afford a BMW can afford a DES cracker," said Callas, whose hypothesis will be tested in DES Challenge II this week at the RSA Data Security Conference, in San Francisco. Since most experts agree it's time to replace DES, the question becomes, Just what will AES be? Last summer, NIST released a 30-page document outlining its recommendations for a DES replacement and asking for submissions. There are three minimum technical criteria: The algorithm must be symmetric, or private, key. Public algorithms, such as elliptic curve (see related story) and Diffie-Hellman, though useful for authentication and the initial handshake between users, are considered too slow. The algorithm must be a "block cipher." Within the realm of symmetric keys there are two basic types of ciphers, block and stream. A block cipher, like DES, encrypts specific chunks of data. A stream cipher, like RSA Data Security Inc.'s RC4 algorithm, encrypts a steady flow of information. RC4 is the base encryption engine for Secure Sockets Layer, the security technology used in browsers. Some cryptographers are pushing NIST to consider stream ciphers because of their growing popularity. The algorithm has to be capable of supporting key lengths ranging from 128 bits to 256 bits and variable blocks of data. AES must also be efficient. Triple DES, a later version of the government's algorithm also developed by IBM, is far more secure than DES, running the 56-bit encryption three times. But that strength is also its weakness, because the repetition cycle slows it down considerably. Finally, the AES algorithm has to be made public and royalty-free. That could prove to be a sticking point for RSA, of Redwood City, Calif., which has traditionally held on to the royalties of its cryptographic creations. A conference at which cryptographers will present their algorithms is scheduled for this summer. And although NIST officials hope their analysis will be completed in 1998, many think it may take years to review the submittals, which are due by April 15. Major security vendors are noncommittal on proposing an algorithm. IBM, which created DES, with help from the National Security Agency, is hedging on whether it will participate. Triple DES is considered a likely entry, but its inefficiency could make it a difficult sell. Another IBM algorithm, DES/SK, could be in the running. RSA, if it decides to enter, could submit either its RC4 algorithm (the stream cipher) or RC5, which is a block cipher. Other likely competitors include Cast, a royalty-free algorithm controlled by Entrust Technologies Inc., or the unpatented Blowfish algorithm, created by Bruce Schneier. "It will be a standard for 20 to 30 years, in legacy systems for at least another 10, securing data that might need to be secured for at least another 20," Schneier wrote in a letter to NIST. "This means we are trying to estimate security in the year 2060. I can't estimate security 10 years from now, let alone 60. The only wise option is to be very conservative." A Data Encryption Standard primer What is DES? It was designed by IBM and endorsed by the U.S. government in 1977. What kind of encryption key does DES use? A symmetric, or private, key in which both the sender and the receiver know the key. It can also be used to encrypt data on a hard disk. What key length does DES use? 56 bits. Is DES safe? For most purposes, yes. But DES was hacked for the first time last year, and cryptographers worry that improved processing speeds will spell its demise.