Is 3DES Broken?

Steven M. Bellovin smb at cs.columbia.edu
Mon Jan 31 22:38:53 EST 2005


In message <667546297e84915335fd9a1ef2e35217 at mac.com>, Aram Perez writes:
>Hi Folks,
>
>I hate to bother you with what I consider a dumb question, but I'm 
>trying to give a person the benefit of my doubts. There's a person on a 
>legal forum that I participate in that claims that 3DES has been 
>broken/cracked. However, he has not provided any documentation to the 
>effect as his "time at present is limited and valuable". He claims that 
>"the specifics were already posted on this and several other similar 
>forums". Other than Ross Anderson and his students extracting a 3DES 
>key from an IBM4758, has 3DES been in fact broken?
>
>Thank you,
>Aram Perez
>
>[Moderator's note: The quick answer is no. The person who claims
> otherwise is seriously misinformed. I'm sure others will chime
> in. --Perry]

I'll be happy to second Perry's comment -- I've seen no evidence 
whatsoever to suggest that it's been broken.  But there are some 
applications where it's a bad choice for cryptographic reasons.

When using CBC mode, one should not encrypt more than 2^32 64-bit 
blocks under a given key.  That comes to ~275G bits, which means that 
on a GigE link running flat out you need to rekey at least every 5 
minutes, which is often impractical.  Since I've seen Gigabit Ethernet 
cards for <US$25, this bears thinking about -- and while 10GigE is 
still too expensive for most people, its prices are dropping rapidly.
With 10GigE, you'd have to rekey every 27.5 seconds...

For reference purposes, with AES you'd be safe for 2^64*128 bits.  
That's a Big Number of seconds.

		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
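The 2^32-block limit for a 64-bit block cipher in the message above is the birthday bound, 2^(n/2) blocks for an n-bit block: past it, two CBC ciphertext blocks are likely to collide, and a collision reveals the XOR of two plaintext blocks. The sketch below is an added example, not part of the original post or written by its author; the 16-bit toy cipher, the function names and the seed are assumptions chosen so the effect shows up after a few hundred blocks.

```python
import random

BLOCK_BITS = 16  # toy block size (assumption for this demo); 3DES blocks are 64 bits

def toy_cipher(key):
    """Keyed random permutation of all 16-bit values, standing in for a block cipher."""
    table = list(range(1 << BLOCK_BITS))
    random.Random(key).shuffle(table)
    return table

def cbc_encrypt(perm, iv, blocks):
    """CBC mode: C_i = E(P_i xor C_{i-1}), with C_{-1} = IV."""
    out, prev = [], iv
    for p in blocks:
        prev = perm[p ^ prev]
        out.append(prev)
    return out

def find_collision(ct):
    """Return the first (i, j), i < j, with ct[i] == ct[j], or None."""
    seen = {}
    for j, c in enumerate(ct):
        if c in seen:
            return seen[c], j
        seen[c] = j
    return None

def leaked_xor(iv, ct, i, j):
    """E is a bijection, so C_i == C_j implies P_i xor P_j == C_{i-1} xor C_{j-1}."""
    prev_i = iv if i == 0 else ct[i - 1]
    return prev_i ^ ct[j - 1]  # j > i >= 0, so j - 1 is a valid index

def rekey_seconds(block_bits, link_bps):
    """Seconds to send 2^(n/2) blocks of n bits on a saturated link."""
    return (1 << (block_bits // 2)) * block_bits / link_bps

def demo(seed=2005, n_blocks=4096):
    """Encrypt constructed random plaintext; compare the real XOR with the leaked one."""
    rng = random.Random(seed)
    perm = toy_cipher(seed + 1)
    iv = rng.randrange(1 << BLOCK_BITS)
    pt = [rng.randrange(1 << BLOCK_BITS) for _ in range(n_blocks)]
    ct = cbc_encrypt(perm, iv, pt)
    i, j = find_collision(ct)  # 4096 blocks is far past 2^8, so one exists
    return pt[i] ^ pt[j], leaked_xor(iv, ct, i, j), j

if __name__ == "__main__":
    actual, leaked, j = demo()
    print(f"collision after {j + 1} blocks; leaked XOR matches: {actual == leaked}")
    print(f"64-bit block, 1 Gb/s: rekey within {rekey_seconds(64, 1e9):.0f} s")
```

`rekey_seconds` applies the same 2^(n/2) bound to a link speed, which is how the rekey intervals quoted in the message for GigE and 10GigE are obtained.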



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


