Politics 80X: Politics of the Internet


Does Available Encryption Make Transactions Safe?

The Data Encryption Standard (DES), based on research at IBM's Thomas J. Watson Research Laboratory in the 1970s, was promulgated in 1977. DES uses a 56-bit key. In 1997 a group of users publicly broke DES to show that it could be overpowered.

Educom Review September/October 1998, p. 8, citing The New York Times 17 July 1998, describes the successful cracking:

Using a homemade supercomputer, a team of about a dozen researchers spent less than $250,000 to crack the government's data encryption standard code (D.E.S.) in record time to win a $10,000 prize in a contest sponsored by RSA Data Security Inc., a Silicon Valley company. The effort was led by John Gilmore and Paul Kocher and financed by Electronic Frontier Foundation, a San Francisco-based civil liberties and privacy organization. To unscramble a D.E.S.-encoded message, the team's computer (called 'Deep Crack' in an allusion to IBM's famous chess-playing 'Deep Blue') tried 17,902,860,669,197,312 keys, or about 25% of all possible combinations. Deep Crack's success is being cited as proof that the government's encryption policies are inadequate. Cryptography consultant Bruce Schneier says, 'The real news here is how long the Government has been denying that these machines were possible.'

As Schneier suggests, there had long been concern that messages encrypted using DES could be decrypted by applying computers to break the key. As a result, the US National Institute for Standards and Technology is working on an encryption method called the Advanced Encryption Standard (AES). Based on keys of 128, 192 and 256 bits, AES would presumably require so much computing power for so long to achieve a successful breach of encryption that it would be impossible as a practical matter to do so.
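The key-length argument above can be put in numbers. The following is an added example, not part of the original page: it takes the key count quoted from Educom Review, derives the search rate it implies, and projects the average exhaustive-search time for the proposed AES key sizes at that same rate. The 56-hour search duration is an assumption that does not appear on this page, and the function names are illustrative.

```python
from fractions import Fraction

# Figures quoted on this page.
KEYS_TRIED = 17_902_860_669_197_312   # keys Deep Crack tested before success
DES_KEY_BITS = 56
AES_KEY_BITS = (128, 192, 256)

# Assumption, not stated on the page: the 1998 search ran for about 56 hours.
SEARCH_SECONDS = 56 * 3600
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(bits):
    """Number of distinct keys of the given length."""
    return 2 ** bits


def fraction_searched(tried, bits):
    """Exact share of the keyspace covered by `tried` guesses."""
    return Fraction(tried, keyspace(bits))


def keys_per_second(tried=KEYS_TRIED, seconds=SEARCH_SECONDS):
    """Average rate implied by the quoted key count and the assumed duration."""
    return tried // seconds


def expected_years(bits, rate):
    """Years to test half the keyspace (the average case) at `rate` keys/s."""
    return (keyspace(bits) // 2) / rate / SECONDS_PER_YEAR


def report():
    """Return the implied rate and average search time per key size."""
    rate = keys_per_second()
    sizes = (DES_KEY_BITS, *AES_KEY_BITS)
    return rate, {bits: expected_years(bits, rate) for bits in sizes}


if __name__ == "__main__":
    rate, rows = report()
    share = float(fraction_searched(KEYS_TRIED, DES_KEY_BITS))
    print(f"share of DES keyspace tried: {share:.1%}")
    print(f"implied rate: {rate:.3e} keys/s")
    for bits, years in rows.items():
        print(f"{bits:>3}-bit key: {years:.3e} years on average")
```

Each added key bit doubles the search, so moving from 56 to 128 bits multiplies the work by 2^72; hardware that clears the DES keyspace in days would need on the order of 10^19 years for the smallest AES key.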

While AES is being perfected, an interim method has been proposed, called Triple DES. This provides for encrypting a message three times with three different keys of 56 bits each. But the concern of banks and financial institutions which might rely on such a standard remains real. In March 1998 researchers Eli Biham and Lars Knudsen, working in Israel and Norway, showed that in one of several modes there was at least a theoretical possibility of AES encryption being broken. [The New York Times, 31 March 1998.] Adjustments will be made.

The process of choosing AES involves a succession of consultations. NIST explains that "Near the end of Round 1, NIST will be holding a Second AES Candidate Conference to discuss results of the public evaluation and analysis of the Round 1 AES candidate algorithms. It will be held March 22-23, 1999, in Rome, Italy, at the Hotel Quirinale. Immediately after this conference, the Sixth Fast Software Encryption Workshop will be held at the same location." [NIST on Second AES Candidate Conference].