This file is part of the documentation for the Linux FreeS/WAN project.
See the documentation index or project home page for more information.

DES is Not Secure

DES, the Data Encryption Standard, can no longer be considered secure. While no major flaws in its innards are known, it is fundamentally inadequate because its 56-bit key is too short. It is vulnerable to brute-force search of the whole key space, either by large collections of general-purpose machines or even more quickly by specialized hardware. Of course this also applies to any other cipher with only a 56-bit key. The only reason anyone could have for using a 56 or 64-bit key is to comply with various export laws intended to ensure the use of breakable ciphers.

Non-government cryptologists have been saying DES's 56-bit key was too short for some time -- some of them were saying it in the 70's when DES became a standard -- but the US government has consistently ridiculed such suggestions.

A group of well-known cryptographers looked at key lengths in a 1996 paper. They suggested a minimum of 75 bits to consider an existing cipher secure and a minimum of 90 bits for new ciphers. More recent papers, covering both symmetric and public key systems are at cryptosavvy.com.

Any additonal transforms we eventually add to Linux FreeS/WAN will use at least a 128-bit key length.

In a recent ruling, a German court described DES as "out-of-date and not safe enough" and held a bank liable for using it.

Dedicated hardware breaks DES in a few days

The question of DES security has now been settled once and for all. In early 1998, the Electronic Frontier Foundation built a DES-cracking machine. It can find a DES key in an average of a few days' search. It cost just over $200,000 to design and build it. A copy based on the finished design would of course cost less. The details of all this, including complete code listings and complete plans for the machine, have been published in Cracking DES, by the Electronic Frontier Foundation.

A large corporation could build one of these out of petty cash. The cost is low enough for a senior manager to hide it in a departmental budget and avoid having to announce or justify the project. Any government agency, from a major municipal police force up, could afford one too. Or any large criminal organisation, any reasonably large political group, labour union or religious group, . . .

One might wonder if a private security or detective agency would have one for rent. They wouldn't need many clients to pay off that investment.

Spooks may break DES faster yet

As for the security and intelligence agencies of various nations, some of them may have had DES crackers for years. Possibly very fast ones! Cipher-cracking is one of the few known applications which is easy to speed up by just adding more processors and memory. Within very broad limits, you can make it as fast as you like if you have the budget. The EFF's $200,000 machine breaks DES in a few days. An aviation website gives the cost of a B1 bomber as $200,000,000. Spending that much, an intelligence agency could expect to break DES in an average time of six and a half minutes.

That estimate assumes they use the EFF's technology and just spend more money. They may of course have better technology, and they may have spent the price of an aircraft carrier, not just one aircraft. In short, we have no idea just how quickly these organisations can break DES. Unless they're grossly incompetent or using old technology, they can certainly do it at least as fast as the EFF, but beyond that we can't say. Pick any time unit between days and milliseconds. None of these is entirely unbelievable. More to the point, none of them is of any comfort if you don't want such organisations reading your communications.

Note that this may be a concern even if nothing you do is a threat to anyone's national security. An intelligence agency might well consider it to be in their national interest for certain companies to do well. If you're competing against such companies in a world market and that agency can read your secrets, you have a serious problem.

One might wonder about technolgy the former Soviet Union and its allies developed for cracking DES during the Cold War. They must have tried; the cipher was an American standard and widely used. How well did they succeed? Is their technology now for sale or rent?

Networks break DES in a few weeks

Before the definitive EFF effort, DES had been cracked several times by people using many machines. See this press release for example.

A major corporation, university, or government department could break DES by using spare cycles on their existing collection of computers, by dedicating a group of otherwise surplus machines to the problem, or by combining the two approaches. It might take them weeks or months, rather than the days required for the EFF machine, but they could do it.

What about someone working alone, without the resources of a large organisation? For them, cracking DES will not be easy, but it may be possible. A few thousand dollars buys a lot of surplus workstations, and will buy even more as Year 2000 concerns drive more old machines into the surplus market. A pile of such machines will certainly heat your garage nicely and might break DES in a few months or years. Or enroll at a university and use their machines. Or use an employer's machines. Or crack security somewhere and steal the resources to crack a DES key. Or write a virus that steals small amounts of resources on many machines. Or . . .

None of these approaches are really easy or break DES really quickly, but an attacker only needs to find one that is feasible and breaks DES quickly enough to be dangerous. How much would you care to bet that this will be impossible if the attacker is determined and/or clever? How valuable is your data? Are you authorised to risk it on a dubious bet?

Moore's Law implies that breaks will get faster

Machines get faster by roughly a factor of two every 18 months, or a factor of 10 every five years. At that rate, in 10 years the EFF machine to break DES in a few days might cost 100 times less: $2000. A $200,000 machine might break DES in under an hour. The same applies to attacks by networks of computers or by lone rogue programmers. In 10 years a few dozen machines will likely break DES as quickly as a network of thousands does now. In 10 years a large network will break it in days or hours.

We disable DES

In short, it is now absolutely clear that DES is not secure against

any well-funded opponent
any opponent (even a penniless one) with access (even stolen access) to enough general purpose computers

That is why Linux FreeS/WAN disables all transforms which use plain DES for encryption.

DES is in the source code, because we need DES to implement our default encryption transform, Triple DES. We urge you not to use single DES. We do not provide any easy way to enable it in FreeS/WAN, and our policy is to provide no assistance to anyone wanting to do so.

40-bits is laughably weak

The same is true, in spades, of ciphers -- DES or others -- crippled by 40-bit keys, as many ciphers were required to be until recently under various export laws. A brute force search of such a cipher's keyspace is 2¹⁶ times faster than a similar search against DES. The EFF's machine can do a brute-force search of a 40-bit key space in seconds. One contest to crack a 40-bit cipher was won by a student using a few hundred idle machines at his university. It took only three and half hours.

We do not, and will not, implement any 40-bit cipher.

Alternatives to DES

A number of non-DES encryption algorithms have been proposed. We will implement some of them eventually, of course choosing ciphers with at least 128-bit key length.

AES in IPSEC

The winning candidate from the AES project to develop a replacement for DES will almost certainly become widely used for IPSEC, but analysis takes time and no winner is expected before the summer of 2000 AD.

Meanwhile, there are two variants of DES which appear to be much better than plain DES.

One is Triple DES, usually abbreviated 3DES, which applies DES three times, with three different keys. This is tentatively believed to be much stronger than single DES, and it quite definitely turns brute-force key search into a ridiculous impossibility. 3DES is what much of our code now uses by default. 3DES is, unfortunately, about 1/3 the speed of DES, but modern CPUs still do it at quite respectable speeds.

The other DES variant is DESX, which adds trivial XOR encryption before and after a single DES. This is no stronger than plain DES in general, but it appears to blow brute-force search out of the water just as effectively as 3DES, and it is not significantly slower than plain DES. We have not implemented DESX yet (as of Jan 1999) but may do so eventually. This would be a good project for a volunteer.

Click below to go to: