NIST says Data Encryption Standard now 'inadequate'

IDG News Service - The National Institute of Standards and Technology (NIST) is proposing that the Data Encryption Standard (DES), a popular encryption algorithm, lose its certification for use in software products sold to the government.
The advent of massively parallel computing has rendered DES inadequate to protect federal government information, NIST said. The institute, part of the U.S. Department of Commerce, is proposing that the government withdraw Federal Information Processing Standard (FIPS) certification for DES, a move that could have ripple effects throughout the technology sector and force a wide range of legacy systems into early retirement, according to one cryptography expert.
DES was the first government-approved standard for encrypting sensitive information and grew out of research by IBM and the secretive National Security Agency, according to Paul Kocher, president of Cryptography Research Inc. in San Francisco. The algorithm, sometimes referred to as single DES, uses a 56-bit key to encrypt blocks of data, and can produce up to 72 trillion unique keys.
While that number of unique combinations was formidable in the 1970s and '80s given the power of computers at that time, experts were aware that the growth of computing power would render the algorithm breakable and that DES had at most a 15-year life span, according to NIST.
By the 1990s, computers had become powerful enough that breaking the DES algorithm was achievable, even for groups with limited resources. In a 1998 experiment funded by the Electronic Frontier Foundation, Kocher and his colleagues designed a machine for about $250,000 that could break one DES key a week, he said.
With computers doubling in speed every 18 months, a similar system designed with 2004 technology could presumably break a key in 1/64th of that time using so-called brute-force methods, which essentially try every possible key combination until the correct combination is guessed, Kocher said.

The development of parallel computing, which harnesses the power of many small computers to work on a single task, also spelled the end for FIPS, Kocher said. "I actually expected this to happen a year ago. ... It's gotten to the point where any government curious enough to break DES traffic could."
Even malicious hackers in control of an army of virus-infected "zombie" computers could make short work of the single DES algorithm, he said.
NIST is proposing that federal agencies use DES only as a component of the Triple Data Encryption Algorithm, also known as Triple DES. However, NIST encouraged agencies to implement the stronger and faster Advanced Encryption Standard algorithm instead.
Either Triple DES or

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.