Massively parallel computing has rendered DES breakable, standards institute claims
The
National Institute of Standards and Technology (NIST) is proposing that
the Data Encryption Standard (DES), a popular encryption algorithm,
lose its certification for use in software products sold to the
government.
The advent of massively parallel computing has
rendered DES inadequate to protect federal government information, NIST
said. The institute, part of the U.S. Department of Commerce, is
proposing that the government withdraw Federal Information Processing
Standard (FIPS) certification for DES, a move that could have ripple
effects throughout the technology sector and force a wide range of
legacy systems into early retirement, according to one cryptography
expert.
DES was the first government-approved standard for encrypting sensitive information and grew out of research by IBM Corp. and the secretive U.S. National Security Agency (NSA),
according to Paul Kocher, president of Cryptography Research Inc. The
algorithm, sometimes referred to as “single DES” uses a 56-bit key to
encrypt blocks of data, and can produce up to 72,000,000,000,000,000
unique keys.
While that number of unique combinations was
formidable in the 1970s and '80s, given the power of computers at that
time, experts were aware that the growth of computing power would, in
time, render the algorithm breakable, and that DES had at most a
15-year life span, according to NIST.
By the 1990s, computers
had become powerful enough that breaking the DES algorithm was
achievable, even for groups with limited resources. In an 1998
experiment funded by the nonprofit civil liberties group the Electronic Frontier Foundation, Kocher and his colleagues designed a machine for about $250,000 that could break one DES key a week, he said.
With
computers doubling in speed every 18 months, a similar system designed
with 2004 technology could presumably break a key in 1/64th of that
time using so-called “brute force” methods, which essentially try every
possible key combination until the correct combination is guessed,
Kocher said.
The development of parallel computing, which
harnesses the power of many small computers to work on a single task,
also spelled the end for FIPS, Kocher said.
“I actually
expected this to happen a year ago. … It's gotten to the point where
any government curious enough to break DES traffic could,” he said.
Even
malicious hackers in control of an army of virus-infected “zombie”
computers could make short work of the single DES algorithm, he said. [Privacy Digest]