So how far in the future is it reasonable to look in terms of the
lifetime of your algorithm and the security of an intercepted message?
For many messages, a year of security is more than enough but DES may
not provide that now and certainly won't in ten years. I believe that
in some national security applications it is assumed that intercepted
messages may be stored for later analysis up to 40 years. Given how
long software can remain in use, having a DES^2 with ~128 bit key,
blocksize, and IV seems like a good thing to include now.
Donald
From: Charles Kaufman dss
<"kaufman(_at_)zk3(_dot_)dec(_dot_)com"@minsrv.enet.dec.com>
Sender: pem-dev-relay(_at_)TIS(_dot_)COM
I find it EXTREMELY hard to believe that single DES isn't good
enough for any purpose other than protecting national security. If
you are a terrorist, conspirator, or hard-core criminal, you would
be better off using something that wouldn't draw so much attention
to you in any case.
It depends on how long you expect your encrypted messages to lie
around. I would argue that DES as it stands today is not suitable
for data that needs to be protected over 2 or 3 years even against
modest adversaries. (Letting those DEC alphas run at night can be
pretty effective!)
Perhaps so, but not for cracking DES. Under the most optimistic of
assumptions, one can expect an average search time of over 1000 years
with an alpha (2000-4000 years is more realistic). Putting together
a network of a thousand of them to do it in a year is not unthinkable
(there would be one happy salesman!), but would be difficult to do so
covertly and in any case would not be a "modest adversary".
Software based attacks on DES may be a realistic threat if you look
10-20 years out, but for now it's a hardware hackers game.
--charlie (kaufman(_at_)zk3(_dot_)dec(_dot_)com)