>>In order to use anything stronger than DES in the government, agencies
>>have to publish a waiver in the Federal Register.  The US Attorneys, who 
>>are trying to criminalize strong encryption (for everyone except themselves),
>>were forced to publish that they're moving up to a 3DES VPN.  I wonder if 
>>they're using our code?   :-)

>I'm sure that text is being misinterpreted.  DES is the Data Encryption
>*Standard*.  If you want to use something other than the *standard* (eg triple
>DES, which isn't standardised yet, or at least wasn't the last time I 
>checked), you need to obtain a waiver.  That's all it's saying.  You need 
>similar waivers to use other non-FIPS algorithms.

>Peter.

The point was that their argument is flawed.  If they find that they have
need of stronger encryption than DES, how can they claim that DES is good
enough for bank transactions, or transfers of design plans with potential
earnings of billions of dollars (or pounds, or francs, ...), or anything 
else of value?

I work in the health insurance industry.  We will be REQUIRED to
apply encryption that is at least as strong as 3DES for symmetric key
algorithms for any transfers of information that are identifiable in any
way with an individual.  Asymmetric algorithms require 1024 bits.
Anything less than that is deemed insecure.  

This is a result of the Health Insurance Portability and Accountability
Act (HIPAA) that was passed a couple of years ago.  I'm seeing these 
things all over the place.  It seems that the only people in our (US) 
government who don't understand that DES is dead are the Justice
Department.

Personally, I was against the FreeS/WAN project dropping support for DES.
I almost configured a VPN for DES, but we got a faster machine at the last
moment, and we opted for 3DES.  Thanks, guys.  Keep up the good work.
Eventually, you'll educate enough people that changes will be inevitable.
They already have.
