[Cryptography] 3DES security?

[Phillip Hallam-Baker]

On Wed, Aug 26, 2015 at 11:30 PM, Richard Outerbridge <outer at interlog.com>
wrote:

> > On 2015-08-26 (238), at 20:07:57, Henry Baker <hbaker1 at pipeline.com>
> wrote:
> >
> > What’s the current best estimate for the (in)security of 3DES, in bits ?
>
> Out of 112? Maybe 104?
>
> I’m guessing only Shamir knows for ”sure” these daze, for some value of
> sure.
> __outer
>

It is probably OK for any practical use where you are still allowed to use
it. Yes there are ways to tradeoff performance for memory and maybe shave
the key space a little with a vast number of known ciphertext/plaintext
pairs. But unless you are doing something really, really secret, the chance
anyone is going to go after your crypto is very small.

Carders didn't find a way to reverse engineer PINs by cracking the DES
crypto, they did it by driving bulldozers into an ATM and reverse
engineering the hardware.


So it is probably OK to use in the same way that SHA-1 is still OK to use.
If you have a legacy system that would cost a lot of money to upgrade, you
can probably spend the $$$$ on other improvements. But the main risk you
will face in doing that is that everyone else in the industry considers it
obsolete and that imposes costs on you as well.

Being secure isn't enough these days, you have to show you are secure. And
SHA-1 or 3DES is going to require an extra review every single time the
system is audited. If it takes a day each time at $3,000 a day, that starts
to mount up.

At some point it is going to be difficult to find the library support. You
don't make a system more secure by adding new stronger ciphers, you make it
more secure by taking out the duff ones. DES should be gone already, I
would want to take 3DES out along with SHA-1.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150827/134606c1/attachment.html>