Path: utzoo!attcan!uunet!portal!cup.portal.com!Tim_C_May
From: Tim_C_May@cup.portal.com
Newsgroups: comp.misc
Subject: DES Busting
Message-ID: <15057@cup.portal.com>
Date: 25 Feb 89 04:49:37 GMT
Organization: The Portal System (TM)
Lines: 38

In a recent posting in comp.misc, friedman@porthos.rutgers.edu states:

>>
>>Not that I agree with Dave's intention of restricting the distribution
>>of the Virus TR. (I'd love to read a copy) However, DES is a bad
>>example. Because the DES algorithm is so well known, it is no longer
>>considered very secure. Any organization with a fast Cray can crack
>>it in 8-10hrs. Sure, it's more than you can do with your Apple II, but
>>lots of organizations can do it.

I would like to see some justification for this remark about how easy it is to bust DES. Diffie and Hellman looked into a "brute force" breaking of DES such as you describe in 1975 and concluded that a special purpose "DES-buster" computer could be built with tens of thousands of one-key-per-microsecond custom chips. They have slightly modified their estimates, as have others. And it may well be that NSA or others have built such a box, but this is unknown. Saying that a Cray can do it in tens of hours is wrong (roughly 10 to the 17th keys need to be examined...figure it from there).

There is an incredible financial incentive to break DES: the banking system bases its transfers on DES. Maybe some superhacker has indeed done it and just isn't saying, but there's no evidence that a few dozen hours on a Cray unlocks the billions of dollars a day of these transfers.

The possibility that DES has built-in weaknesses in the S-boxes, placed there by the NSA to deliberately weaken DES, is possible but is unsupported by any solid evidence. Numerous technical papers presented at the Crypto conferences have reported on searches for such signs of weakness (such as cycles) and have found none. This doesn't mean it's "strong" of course, only that nobody has publicly reported a cracking of it.

By the way, the fact that the algorithm is publicly known is part of its strength and part of its design: the algorithm can be subjected to analysis that a "secret" algorithm cannot. Some new COMSEC algorithms being pushed by NIST (formerly NBS) and NSA/NCSC are secret, however.

Understand that I am not claiming DES is the best, or is even particularly good. Personally I'm more interested in asymmetric (public key) systems, but their speeds just aren't up to DES-type speeds for raw data transfer.

Timothy C May
Tim_C_May@cup.portal.com
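
The arithmetic behind "figure it from there", as an added example that is not part of the original post: it takes the 56-bit DES key space (2^56, about 7.2 x 10^16, the post's "roughly 10 to the 17th") and the post's one-key-per-microsecond chip rate, and works out both the search time for a given number of chips and the key rate the quoted 8-10 hour claim would require. The chip counts of 10,000 and 50,000 are constructed sample values standing in for "tens of thousands".

```python
import math

DES_KEY_BITS = 56                  # effective DES key length in bits
KEYSPACE = 2 ** DES_KEY_BITS       # 72,057,594,037,927,936 candidate keys
CHIP_RATE = 1e6                    # keys/second for a one-key-per-microsecond chip


def search_seconds(keys_per_second, fraction=1.0):
    """Seconds to try `fraction` of the key space (1.0 = worst case, 0.5 = average)."""
    return KEYSPACE * fraction / keys_per_second


def required_rate(hours, fraction=1.0):
    """Aggregate keys/second needed to cover `fraction` of the key space in `hours`."""
    return KEYSPACE * fraction / (hours * 3600)


def chips_needed(hours, chip_rate=CHIP_RATE, fraction=1.0):
    """Number of chips at `chip_rate` needed to meet the deadline."""
    return math.ceil(required_rate(hours, fraction) / chip_rate)


def scenarios(chip_counts=(10_000, 50_000)):
    """(chips, worst-case days, average-case days) for each constructed chip count."""
    rows = []
    for chips in chip_counts:
        rate = chips * CHIP_RATE
        rows.append((chips,
                     search_seconds(rate) / 86400,
                     search_seconds(rate, fraction=0.5) / 86400))
    return rows


if __name__ == "__main__":
    print(f"key space: {KEYSPACE:,} (~{KEYSPACE:.1e})")
    for chips, worst, avg in scenarios():
        print(f"{chips:>7,} chips: worst {worst:6.1f} days, average {avg:6.1f} days")
    # The quoted claim, inverted: what a single machine would have to sustain.
    for hours in (8, 10):
        print(f"{hours:>2} h exhaustive search needs {required_rate(hours):.2e} keys/s "
              f"(= {chips_needed(hours):,} one-key-per-microsecond chips)")
```
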