Paul Kierstead wrote:
> 
> > Frankly, I can't understand why the IPsec protocol still allows DES. It
> > should require strong encryption. Having DES in a product these days makes
> > about as much sense as mandating the usage of ROT13.
> 
> OK, so I want to prevent some regular, every-day hackers from picking up my
> traffic. Or I just want reasonable protection for my passwords in Telnet or
> FTP. You are saying that some guy in his basement can break DES?

Yes!

My document explaining why Linux FreeS/WAN does not implement DES, and
why we think no-one should use it

http://www.freeswan.org/freeswan_trees/freeswan-1.3/doc/DES.html

has a section about that.

" What about someone working alone, without the resources of a large
" organisation? For them, cracking DES will not be easy, but it may be
" possible. A few thousand dollars buys a lot of surplus workstations,
" and will buy even more as Year 2000 concerns drive more old machines
" into the surplus market. A pile of such machines will certainly heat
" your garage nicely and might break DES in a few months or years. Or
" enroll at a university and use their machines. Or use an employer's
" machines. Or crack security somewhere and steal the resources to crack
" a DES key. Or write a virus that steals small amounts of
" resources on many machines. Or . . . 

" None of these approaches are really easy or break DES really quickly,
" but an attacker only needs to find one that is feasible and breaks DES
" quickly enough to be dangerous. How much would you care to bet that
" this will be impossible if the attacker is determined and/or clever?
" How valuable is your data? Are you authorised to risk it on a dubious
" bet? 

> For that matter, let's say I am protecting data from somewhat more
> sophisticated attackers. DES still requires significant resources to crack
> and I may have some level of assurance that it isn't worth their while. Or
> maybe I just want to waste their resources.
> 
> OK, DES isn't great, but it is still sufficient for some (maybe even many)
> purposes. If your threat model isn't severe and you need the bandwidth more,
> then DES is fine.

No. The notion that there is a trade-off here is a myth promulgated by
people interested in encouraging the use of weak ciphers. Ciphers with
adequate keylength need no more computation than those without.

Use CAST-128 or Blowfish or IDEA, or your favorite AES candidate.
Those ciphers are all significantly faster than DES, and none have the
obvious, known weakness of inadequate key size.
 
> If you really need to protect your data, particularly from
> government agencies, use something better. I'm inclined to use 3-DES since
> the performance hit doesn't make much diff to my DSL-lite line and the other
> end has more than sufficient horsepower to handle many 3-DES connections;
> others may be in a more difficult position w.r.t. bandwidth vs. security.
> 
> I am not excusing MS; their flaw was misleading the user. Their real mistake
> is that the item should have been labeled '3-DES or DES (export friendly)'.
> 
> Paul Kierstead
> TimeStep Corporation
> mailto:[EMAIL PROTECTED]           http:\\www.timestep.com
