Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!zaphod.mps.ohio-state.edu!julius.cs.uiuc.edu!apple!bbn.com!cosell From: cosell@bbn.com (Bernie Cosell) Newsgroups: comp.org.eff.talk Subject: Re: Encrypting your data to keep it private Message-ID: <61966@bbn.BBN.COM> Date: 9 Jan 91 13:27:36 GMT References: <6748@crash.cts.com> <61912@bbn.BBN.COM> Sender: news@bbn.com Lines: 30 lear@turbo.bio.net (Eliot) writes: }Although the people in sci.crypt probably have a better handle on it }than he did, Bamford claims that the NSA convinced IBM to shorten the }key from 128 bits to 56. Apparently in exchanged the NSA helped IBM }strengthen the S-box structures before DES was released as a standard. }Also, this was brought up in Senate Intelligence Committee hearings in }1977. Well, what happened 'back then' is still classified, far as I know, and so you'll only be able to really get speculation, even from the sci.crypt folk. On the other hand, there was a recently discovered technique for cracking DES that requires work on the order of 2^52, and does *NOT* attack the key. Thus, this technique is _independent_ of the key length. Thus, the 128 bit key was *always* an illusion; you could have made the key 500 bits long and still not strengthened the system. What to make of this? Well, I happen to be willing to give NSA the benefit of the doubt: I think that they *knew* this technique for attacking DES and so *knew* that the key-length was an illusion. And so without [publicly] justifying it, they reduced the key length to be the _correct_ length [that is, instead of making it unnecessarily long, they made it be of a length so that attacking the key was basically the same amount of work as attacking other weaknesses in the system] --- and then strengthed the S boxes so that, overall, the entire system was a well tuned, balanced, order-of-2^50-strong system. /Bernie\