France is giving up, Deep Crack strikes again and the Feds seem to partially get it. Encryption is in the news again, and the implication is that many organisations should review their data security policies.
France has long been quite antagonistic toward encryption, with most domestic uses of encryption technology outlawed. The only permitted mechanisms include mandatory key escrow, in which the government gets to keep a copy of the encryption key.
So it came as quite a shock when the government of France two weeks ago proposed to eliminate all controls on the use of encryption within the country. The announcement specifically pointed out that good, strong cryptography is essential to protecting the confidentiality of communication and for privacy. The announcement said it is futile for the government to try to keep encryption technology away from criminals because it is just too widely available.
Meanwhile, the Electronic Frontier Foundation's Deep Crack special-purpose crypto key breaker put in an impressive showing. Working with 100,000 PCs on the Internet, it took the key breaker less than 23 hours to find the secret key that encrypted a test message using the US standard encryption algorithm, Data Encryption Standard (DES).
The US Department of Commerce just recommended abandoning DES and is proposing Triple-DES instead. In its draft proposal (http://csrc.nist.gov/ fips/dfips46-3.pdf), the Commerce Department admits that it "can no longer support the use of single DES for many applications".
The department also states that "Single DES will be permitted for legacy systems only".
This comes a few weeks after the US government relaxed, but did not eliminate, controls on the export of cryptographic technology from the US (http://www.bxa.doc.gov/Encryption/ 1231ERC.htm).
The underlying message in these stories is that good crypto is important to good data and network security. The US government claims to be quite worried about the security of the Internet.
The US Department of Justice has just created a program to fight attacks on data networks in response to a call by the President's Commission on Critical Infrastructure Protection (http://www.pccip.gov/). But this same government recently persuaded 32 other countries to extend the Wassenaar Arrangement, adding new restrictions on the export of cryptographic technology to many parts of the world. The US government has not yet determined what the French government has, namely that restrictions only ensure that the bad guys have good access to the good guys' information.
The lesson of all of the above is that anyone using DES or any other encryption that employs keys shorter than 128 bits should start planning to migrate to something stronger, such as Triple DES. And if the data is very valuable, the plan should be fast-tracked.
Disclaimer: Fast-track and Harvard do not belong in the same sentence, so the above must be my observations.
Scott Bradner is a consultant with Harvard University's University Information Systems. You can reach him at sob@harvard.edu.