[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Time value and 56-bit DES [Re: CAST5-128 was: A little socialengineering]
Bob Hettinga says:
> > At 2:03 pm -0400 on 6/21/97, Jim Gillogly wrote:
> > Depends also on the dollar value of the data. Michael Wiener's carefully
> > designed hardware DES-cracker (Crypto '94 rump session, I think) would
> > cost $1M using 1994 technology, and would produce solutions in 3.5 hrs
> > on average.
> Let's see, Moore's law gives us today, three years later than 1994, $250k.
> In three more years, 2000, that's, what? $62.5k? How many keys do think you
> need to crack to, um, amortize, that $62.5k?
> So, why, exactly, do you guys *not* want to default to 3DES?
As Perry Metzger points out, the idea is to get a standard quickly that
the group can agree on. While DES is not adequate for protecting
individual sessions, it's a first step that would be a severe bar to
anyone hoovering up all Internet traffic and trying to make sense out
of it, especially with frequent key changes -- thus its ubiquitious use
would be a plus for general security. A specific target isn't safe,
but the collateral damage is limited.
If people want real security, they can use the recommended stronger
cipher. DES doesn't make the Net go dark to the attacker, but it's a
fairly good shade of gray for a start.