henry (03/01/83)
A very interesting article in the 28 Jan issue of Science described increasing doubts about the security of the infamous Data Encryption Standard. The new doubts are not the long-standing ones about the inadequate key length, but are due to the discovery of an increasing number of "weak" keys. A "weak" key is one that simplifies the encryption/decryption algorithm to the point where it is much more easily broken.

The hard part is determining whether the key you have chosen is, in fact, weak. Nobody has a good way of testing for weak keys, since more classes of weak keys are surfacing by the month and the weakness isn't necessarily easy to check for. It's been known all along that there are a few blatantly weak keys, which simplify the encryption so drastically that they have been obvious from the beginning. The problem is that increasing numbers of keys with more subtle weaknesses are surfacing. Most of these keys do not simplify the encryption enough to provide obvious ways of breaking it, but they all produce some simplification, enough to rouse suspicions of security weakness.

There are some 25 categories of weak keys already known, and the numbers of keys in most of the categories are unknown. Robert Polis of the Geneva Management Group: "Every few months there seems to be another category or two added to the list. The list keeps getting bigger."

There is also some unhappiness about the very existence of such keys. Robert Morris of Bell Labs: "You would normally expect that good systems won't have weak keys." Some people see the weak-key problem as one symptom of deeper weaknesses in DES.

Another complaint is that DES is the *only* encryption standard in the US. This is partly due to government interference with public non-government research in the area. Any number of private companies have better systems for their own use, but there is nothing generally available. As a result, there is no well-known or reliable alternative if DES proves unsatisfactory.

Finally, there is lingering suspicion that NSA (the US government's codebreakers) can already break DES. "...NSA cannot think the DES is particularly hard to break since it only certifies it for 'confidential' information... 'That's practically the stuff you read in newspapers.'"

Science, Vol. 219, page 369, 28 Jan 1983.

Henry Spencer
U of Toronto