Newsgroups: sci.

crypt
From: kaplan@bpavms.bpa.arizona.edu (Steve... friends don't let friends do DOS.)
Subject: Is DES breakable?
Keywords: DES breakability
Message-ID: <23MAR199319384593@bpavms.bpa.arizona.edu>
Date: 24 Mar 93 02:38:00 GMT
Organization: University of Arizona MIS Department
Lines: 201

Greetings sci.crypters

This is a lengthy posting born of my idea that one good turn deserves
another. Carl Ellison (cme@ellisun.sw.stratus.com) was kind enough to send
me the out dated, but still useful FAQ for this news group. So, I figure
that I should add to the positive karma of it by sharing some stuff. Not
new news - just restatement of what some have already said. Hope that it
is worthy of your time. If not - send me mail and complain! In other
groups I get flamed for not being able to find my butt in the dark with
both hands, so - sorry if I've violated and status quo of which I am not
aware!

RayK 8)

----
(Previously submitted for publication in Wynn Schwartau's Security Insider
newsletter: 1157 Grove St. N., Seminole, FL 34642, 813-393-6600 and the
Computer Security Institute's ALERT newsletter: 600 Harrison St., San
Franciscon, Ca. 94107, 415-905-2370)

Is DES breakable? Of course.

by Ray Kaplan
Copyright Ray Kaplan 1993 - All rights attempting to be reserved - At
least, please make the site correct if you use it!

Day two of the second annual RSA Data Security Data Security
Conference in Redwood City, CA (January 15, 1993) was packed
full of great sessions. Right out of the can in the
cryptographer's track was Dr. Martin Hellman presenting a talk
entitled DES Revisited. The Data Encryption Standard (DES) was
first approved in January 1977, so it is now 16 years old. NIST
did approve extending it at least once since then, but Rthe DESS
(as crypto insiders seem to refer to it) is due for a look-see.

Since Dr. Hellman has been involved with DES from its
beginning, I trust his critical academic appraisal - especially
since he and Whit Diffie were embattled with NBS over
questions of key size and the existence of trap doors when DES
was being introduced. In the question of DES breakability, I
like his approach. They designed an attack on DES that is based
on the most intensive cryptanalysis: exhaustive search. The
beauty of this theoretical DES solution machine is that is can be
used for plain text, ciphertext and chosen text attacks on the
algorithm. Solve the hardest problems first and the easy ones
follow quickly, I say.

He presented their 1976 design for an exhaustive DES solution

engine and updated it to 1993. Since the DES algorithm is
roughly equivalent to 6,000 gates, it is about the complexity of
a Z80 microprocessor to implement in silicon. DES uses a 64 bit
key with 8 bits reserved for parity and that means that there
are 2**56 (10**17) possible DES keys for any given DES
encoding. Building the exhaustive search machine in 1976
would have required 1,000,000 special DES search engine ICs
and would have cost $20 million. Today, this would be10,000
special DES search engine ICs since IC's are about 100x denser
than in 1976. Dr, Hellman points out that the $20M cost figure
has been criticized as optimistic and he indicates that his
estimate may have been a bit low. $50M is a safer figure and
doesn't change his basic argument about how you go about
breaking the DES.

In 1976, their solution machine yielded one DES solution per

day at a cost of $10,000 each. Updating this to 1993 costs and
computing speeds, the capital cost of such an exhaustive search
DES solution machine that would yield one DES solution per day
would be between $1 and $10 million dollars. This nets a cost
per DES solution of only $100. Dr. Hellman points out that the
$10M figure is a relatively safe one that includes the design
cost. The $1M figure is optimistic if it includes design cost, but
is safe if it is the replication cost after design. This, should one
want to build more than one machine - quite possible
depending on who one is and how many messages he would
like to read. He also indicated the replication cost might go as
low as $100k per machine. The $100 figure per solution was
an order of magnitude estimate. It could be as high as $1,000
(using the $10M figure) or as low as $10 (using the $100k
figure).

Such a special DES search engine ICs would be about as complex

as a modern 386 microprocessor and cost about as much as a
Z80 to design. The whole machine has 10,000 such search
chips. The reason: the 1976 design (comparable to a Z80) is
replicated 128 times on the chip, but only needs to be designed
once. Using 128 search engines per IC (plus spares) and a
common data bus (considering the very low I/O level), the DES
solution machine has only about 10,000 ICs.

Past the fascinating technical details of his machine were his

summary comments about DES. It has many honors: world's
most widely used, cheapest and public cryptosystem. Despite
major incentives, it has not been publicly broken. For those
who remember him as a combatant 15 years ago, it might be
helpful to mention that he indicated that he has recognized that
in the heat of previous battle, he tended to overlook arguments
that supported NSA/NBS and was trying now, with the benefit
of age and a relative peace, to summarize the pros and cons in
a more unbiased fashion.

His concerns: 1) the 56 bit key size allows exhaustive searches

by dedicated opponents at a capital cost of between $1 and $10
million, 2) Biham and Shamir's differential cryptanalysis can
break an 8 round DES implementation and 3) DES's design
principals are secret (despite the fact that the algorithm itself
is public) and may allow trap doors. His conclusions: there is
probably no trap door in DES, but the 56 bit key size and
decades of experience in production cryptanalysis probably
give the NSA and its foreign counterparts a crude trap door.
According to Dr. Hellman, this needs a bit of explanation since
these two ideas two sound counter to one another. He
indicated that, while he was very concerned about a possible
trap door in the 70's, direct denial of NSA pressure on S-box
design from relevant IBM personnel caused him to doubt their
presence for some time. However, he says he could be wrong,
hence the "may allow" in his statement about possible trap
doors. The key appears to be that it is all speculation since the
design principals of DES (not the algorithm itself) are carefully
guarded.

In summary: DES protected data is probably secure against all

commercial attacks today, but is almost surely vulnerable to
attack by a major power. DES will continue to dominate the
market for a decade. He recommends immediate triple
encryption (the use of a 48 round algorithm - Rstandard DESS
uses a 16 round algorithm.) to defeat differential cryptanalysis.
Continued federal support of DES is critical to vendors and
users.

In the end, he admonished NIST/NSA to stop dragging their

feet on a public key exchange standard but suggests that
perhaps a de facto standard is better (in which case it doesn't
matter if NIST/NSA do anything since RSA and Diffie-Hellman
are filling this de facto role). Adding some humor, he softened
the harsh "dragging their feet" in his talk by noting that NIST's
Dennis Branstad credited his ruckuses for two promotions and
indicated that Branstad had asked him to help him with a third.

As is usually the case, the hallway conversations were best.

We speculated on cheap DES solution machine technology. The
fact is that for about $5,000 you can buy a gate array
programmer and at a cost of about $250 per part, you could
build your own DES solution machine without the cost and
complexity of a custom silicon implementation. Scary, huh?
Yes. But, the higher higher cost per part translates into a
higher cost per solution so you'd have to check the speed,
density, etc. and see what the associated cost would be.

I asked Hellman how in the hell a layman could possibly keep

up with this crypto technology and come to trust it. His answer
was revealing: read and study it - get politically involved and,
it will yield to your efforts. He suggests that you contact your
congressional rep and let them know you are unhappy at DoD
(NSA) messing around with your personal privacy (e.g. medical
records are protected by DES) when Commerce is supposed to
be setting standards with regard to commercial and individual
needs, rather than NSA's needs. He said that a reasonably
trained EE or CS type can understand the technical details and
you have a responsibility to help keep the technology on track
and to help answer some of the hard questions surrounding its
use. Go find a trusted member of the community to talk with
about these important issues.

We also had a spirited discussion of Dr. Hellman's involvement

with the Russian Institute for Problems of Information
Transmission (IPPI after the Russian name Institut Problem
Peredachi Informatsii) in his efforts to help some old friends of
his and help the budding democratic movement in the former
Soviet Union. I agree with him that we need to help them. I
was comforted to find that this world-class crypotgrapher is
quite a humanitarian. I agree that we do have a responsibility
to help - lest we see our technology (such as cryptography)
protect and nurture backward and barbaric customs. Consider
that white supremacist groups such as the KKK and the Aryan
Nation are a similar threat to our humanity right here in our
own back yard. Heady stuff. The IPPI is interested in hard
currency (e.g.: dollar vs. ruble) contracts for work. They are
reported to be quite a bit less expensive that other
alternatives. If you are interested in hiring them, you can
contact Deputy Director Dr. Josef Ovseyevitch at IPPI via Email
at ovseev@ippi.msk.su. They are interested in error
correcting/detecting codes, data compression, crypto, signal
processing, computer and communications networks,
computational linguistics and machine translation, and
experimental data processing.

My thanks to Dr. Hellman for help in writing up this account of

his talk and to Jim Bidzos from RSA for inviting Dr. Hellman to
speak at the RSA Data Security Conference.

Ray Kaplan is a principle in the Tucson, Arizona-based

independent consulting firm Kaplan, Kovara and Associates.
They specialize in systems and network management, and
security with an emphasis on Open VMS, UNIX, DECnet and
TCP/IP. They are currently producing a series of audio
teleconferences on contemporary security-related topics. For a
catalog of their offerings, contact them at P.O. Box 42650 -
Tucson, AZ 85733 - FAX (602) 791-3325 - (602) 885-2807.
They'll be conducting live audio teleconferences on encryption
and authentication which will include a live interviews and
Q/A sessions with Dr. Hellman and other experts on April 7 and
8, 1992.