Recent Events for foo.be MainPageDiary (Blog) Previous Next

2006-12-25 Still Using DES Data Encryption Standard

Are You Still Using DES (Data Encryption Standard) ?

Some days ago, the RFC 4772 (Security Implications of Using the Data Encryption Standard) was published by the IETF. It covers the security implication of using DES and why you must avoid its use in the modern information society. The RFC is very complete and covering all the security aspect of DES including the "new" method to a make an exhaustive search using a botnet1. The RFC is a nice reading and introduction to the issues around DES and (some) block ciphers. I still know a lot of companies, individual relying on DES for legacy Virtual Private Network, file system encryption or alike. They are often keeping its use only for backward compatibility with existing or deprecated software/hardware. I really like the conclusion of the RFC :

   With respect to the third reason (ignorance), this note attempts to
   address this, and we should continue to make every effort to get the
   word out.  DES is no longer secure for most uses, and it requires
   significant security expertise to evaluate those small number of
   cases in which it might be acceptable.  Technologies exist that put
   DES-cracking capability within reach of a modestly financed or
   modestly skilled motivated attacker.  There are stronger, cheaper,
   faster encryption algorithms available.  It is time to move on.

So guys, it's really time to move on… if not your attacker will buy a copacobana system (the new customizable EFF-like hardware code breaker) or use its botnet infrastructure to discover your small symmetric key.


Footnotes:

1. Using all the vulnerable information systems and resources to build a network of compromised system that will be used for the sole purpose of the attacker. It costs (until now) less to build a software worm to infect a bunch of system than building a dedicated hardware to crack a symmetric cryptosystem.