Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!mimsy!eneevax!umd5!brl-adm!brl-smoke!gwyn
From: gwyn@brl-smoke.ARPA (Doug Gwyn)
Newsgroups: sci.crypt
Subject: Re: DES info wanted
Message-ID: <5841@brl-smoke.ARPA>
Date: Thu, 7-May-87 02:15:16 EDT
Article-I.D.: brl-smok.5841
Posted: Thu May 7 02:15:16 1987
Date-Received: Sat, 9-May-87 02:05:37 EDT
References: <2071@hoptoad.uucp> <599@umnd-cs.D.UMN.EDU> <18742@ucbvax.BERKELEY.EDU>
Reply-To: gwyn@brl.arpa (Doug Gwyn (VLD/VMB))
Distribution: world
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 51
Keywords: DES

In article <18742@ucbvax.BERKELEY.EDU> rotondo@ernie.Berkeley.EDU.UUCP (Scott Rotondo) writes:
>The main thing that NSA knows is the way in which the S-box numbers were
>derived. There has been speculation without proof that there is a trap
>door here to allow the NSA to crack it. There has also been speculation
>that the NSA cannot crack DES, and that is why they are pushing for a new
>standard where they control the keys and the algorithm.

Although I haven't studied DES very hard and don't have any inside (i.e. classified) information about DES, from a previous life as a part-time cryppy I don't see how DES could be considered unbreakable, in the absence of sufficiently frequent key changes. This follows from very general information-theoretical considerations. Because of the complexity of the encryption algorithm, the unicity distance is probably rather large, but it wouldn't be infinite. On the other hand, it is probable that it would take knowledge that only NSA and similar organizations tend to have to routinely break DES using economically feasible expenditure of resources.

Since I have to be careful not to discuss anything about this subject for which I can't point to publicly-available descriptions, suffice it to say that the articles I've seen on cryptography in the open literature don't hold a candle to the ones I used to read in the NSA Technical Journal.
I would bet that NSA can break DES any time they so choose, if they have a large enough contiguous sample of the cipher stream; "trap doors" shouldn't be necessary.

The newer proposal for general government encryption amounts to a reversion to the military way of doing business; they have always classified both the keys and encryption system details (algorithms). Even though it's taken for granted in the cryppy business that the "opposition" sooner or later determines the details of the encryption system, it still makes sense to try to delay their doing so. The keys of course must be protected. (So-called "public key" systems attempt to make the latter unnecessary, but I wouldn't place reliance on the opposition's lack of sufficient cleverness or dumb luck to protect anything of very great value.)

Consider this: If NSA can really design a truly secure system for government use, then they sure as hell wouldn't want everyone whose traffic they read to learn how to do the same. It is perfectly natural that no details of how critical aspects of a secure cryptosystem are determined are made public.

(Personally I would love for there to be a universally-used secure system, since I value privacy. But virtually no government operates on such abstract considerations; rather they attempt to attain short-range advantage over other governments as expeditiously as possible. I wish ours were different, and think it once was.)

In summary, I don't think there is a conspiracy on NSA's part, and I estimate NSA's capabilities to be higher than other people seem to think. (I suspect NSA is happy to be underestimated.)
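The unicity-distance argument in the post above, worked through as an added example. This is my code, not Gwyn's and not anything from the thread. It assumes a 56-bit DES key and about 1.5 bits of information per character of English stored one character per 8-bit byte (so about 6.5 redundant bits per byte); both figures are my assumptions, not numbers from the post. The toy cipher, the sample message and the key are constructed for the example; the cipher is a repeating 2-byte XOR, chosen only because all 65536 of its keys can be tried in well under a second, and it says nothing about DES internals.

```python
# Added example (not from the original post): Shannon's unicity distance
# and an exhaustive key search on a toy cipher to watch spurious keys die off.
#
# Assumptions (mine, not Gwyn's): DES has a 56-bit key; English carries about
# 1.5 bits of information per character, stored one character per 8-bit byte,
# so roughly 6.5 bits of each byte are redundant.  The toy cipher is a
# repeating 2-byte XOR key, chosen only because its 65536 keys can be searched
# in well under a second; it says nothing about DES internals.
import math
from itertools import product


def unicity_distance(key_bits: float, redundancy_bits_per_symbol: float) -> float:
    """Shannon's U = H(K) / D: the ciphertext length (in symbols) beyond which,
    on average, only the true key decrypts to something meaningful."""
    return key_bits / redundancy_bits_per_symbol


def expected_spurious_keys(key_bits: float, redundancy_bits_per_symbol: float, n: int) -> float:
    """Shannon's estimate 2^(H(K) - n*D) - 1 of the number of WRONG keys that
    still turn n symbols of ciphertext into plausible-looking plaintext."""
    return max(0.0, 2.0 ** (key_bits - n * redundancy_bits_per_symbol) - 1)


# ---- toy cipher: repeating 2-byte XOR key ----------------------------------
KEY_LEN = 2
KEYSPACE = 256 ** KEY_LEN
# Our "language model" is crude: a byte is plausible iff it is a lowercase
# letter or a space.  That recognises only 8 - log2(27) ~ 3.2 bits of
# redundancy per byte, far less than real English has.
PLAUSIBLE = frozenset(b"abcdefghijklmnopqrstuvwxyz ")
TOY_REDUNDANCY = 8 - math.log2(len(PLAUSIBLE))

# Constructed sample message and key (not real traffic).
PLAINTEXT = b"the quick brown fox jumps over the lazy dog"
KEY = bytes([0x5A, 0xC3])


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


CIPHERTEXT = xor_crypt(PLAINTEXT, KEY)


def recovered_keys(ciphertext: bytes, n: int) -> set:
    """Every key (as bytes) whose decryption of the first n ciphertext bytes
    passes the plausibility filter.  Exhaustive over the whole keyspace; the
    generator short-circuits on the first implausible byte, so most wrong
    keys are rejected after one or two XORs."""
    prefix = ciphertext[:n]
    survivors = set()
    for key in product(range(256), repeat=KEY_LEN):
        if all((c ^ key[i % KEY_LEN]) in PLAUSIBLE for i, c in enumerate(prefix)):
            survivors.add(bytes(key))
    return survivors


def survivor_curve(ciphertext: bytes, lengths) -> list:
    """Number of surviving keys after each prefix length in `lengths`."""
    return [len(recovered_keys(ciphertext, n)) for n in lengths]


LENGTHS = [0, 2, 4, 6, 8, 16, 30, 31, len(PLAINTEXT)]

if __name__ == "__main__":
    print(f"DES (56-bit key) on ASCII English: U ~ {unicity_distance(56, 6.5):.1f} bytes")
    for n in (4, 8, 16):
        print(f"  after {n:2d} bytes ~{expected_spurious_keys(56, 6.5, n):.3g} spurious keys expected")
    print(f"toy XOR cipher (16-bit key), alphabet-only filter: "
          f"U ~ {unicity_distance(16, TOY_REDUNDANCY):.1f} bytes")
    for n, count in zip(LENGTHS, survivor_curve(CIPHERTEXT, LENGTHS)):
        estimate = expected_spurious_keys(16, TOY_REDUNDANCY, n) + 1  # + the true key
        print(f"  n={n:2d}: {count:6d} keys survive search (Shannon estimate ~{estimate:.3g})")
```

Two things to read off the output. First, with the assumed figures the unicity distance of DES is under nine bytes of ciphertext, which is the information-theoretic point of the post: given more ciphertext than that, the key is in principle determined, whatever the cost of finding it. Second, Shannon's estimate treats a wrong key as producing uniformly random output, and the toy cipher shows how far real ciphers can be from that: a 2-byte XOR key that differs from the truth in a low bit turns letters into other letters, so the spurious keys survive well past the 5-byte estimate and the search collapses to one key only at n = 31, the first prefix in which both key bytes have been applied to a space character. The unicity distance is a lower bound on the ciphertext needed, and the number it gives for DES depends entirely on the redundancy figure assumed for the plaintext.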