From: Joseph Ashwood on 13 Sep 2006 01:45

"Alan" <a__l__a__n(a)hotmail.com> wrote in message
news:1158077122.931229.191410(a)h48g2000cwc.googlegroups.com...
> Numerous applications continue to use 3DES (For discussion purposes,
> think of three key triple DES, CBC, protecting files in the 5-10Gb
> range) to protect valuable information. In some cases information is
> being encrypted today that must remain secure for 10, 15, maybe 20
> years or more. So it must be asked: Will 3DES - encrypted content be
> secure against anticipated threats over that time frame?

My general rule is that I assume 5-bits (this varies depending on situation) of advancement and erosion every year when looking to the future, and every six months I readjust the numbers to fit what actually happened. Based on this I give 3DES about 9 more years (your number will vary widely from replace it 5 years ago, to it'll last 15 years or more) until a break can reasonably have been performed, it works for a reasonable bad-case business situation to schedule retirement.

So you can understand what kind of real situation this results in, fairly recently SHA-1 was broken, all my clients already had schedules that called for its replacement within 18 months; the break was such that no client data was put at unexpected risk, resulted in no unexpected expenditures, no expected training sessions, no unexpected consulting costs, minimal unexpected sysadmin time, all new software received proper testing, and the only deviations from schedule were because users either upgraded early or refused to upgrade without a sysadmin babysitting them, everything simply moved normally.

It will be the rare situation where the prediction is wrong in a bad direction.

Joe
From: Francois Grieu on 13 Sep 2006 03:54

In article <1158077122.931229.191410(a)h48g2000cwc.googlegroups.com>,
"Alan" <a__l__a__n(a)hotmail.com> wrote:
> Think of three key triple DES, CBC, protecting files in the
> 5-10Gb range (..) encrypted today that must remain secure for
> 10, 15, maybe 20 years or more (.. will it..) be secure against
> anticipated threats over that time frame?

The threat of full decryption, equivalent to key recovery, seems remote, but I would not say null given the timeframe.

A much more sizable threat is partial decryption, especially if the same key is reused over multiple files and some portion of the files is known to the attacker, because 3DES only has a 64-bit block size.

Assuming X bits of data encrypted using the same key, CBC with random IV, among which Y bits (mostly contiguous) are known to the attacker, she can decipher about (X-Y)*Y / 2^64 bits (assuming X<2^68 bits) with little more effort/cost than holding the ciphertext and plaintext on moderate speed hard disks.

If we are talking 10 GByte per day for 20 years, and half of it is known plaintext, we are talking of 578 MByte of data that the adversary can decipher. If that was files made of records of a few hundred bytes, with only a few secret bytes at one portion of each record, the attack starts to recover secret data in a short timeframe.

Conclusion: be worried when the same 3DES key enciphers more than a few gigabytes of data.

François Grieu

[reposted with 578 MByte instead of 578 GByte]
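The collision leak described in the post above, reproduced at small scale to show why a short block size limits how much data one CBC key should protect. This is an added example, not part of the original thread; the 16-bit toy Feistel cipher (standing in for 3DES so that collisions appear after a few thousand blocks), the function names and the sizes are all assumptions for illustration.

```python
import hashlib
import random

BLOCK_BITS = 16                 # toy block size (3DES uses 64); assumption for the demo
HALF = BLOCK_BITS // 2
MASK = (1 << HALF) - 1

def toy_encrypt_block(key, block):
    """4-round Feistel permutation on 16-bit blocks (constructed toy, not DES)."""
    left, right = block >> HALF, block & MASK
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd, right])).digest()[0]
        left, right = right, left ^ f
    return (left << HALF) | right

def cbc_encrypt(key, iv, plain):
    """CBC: C[i] = E(P[i] xor C[i-1]), with C[-1] = IV."""
    out, prev = [], iv
    for p in plain:
        prev = toy_encrypt_block(key, p ^ prev)
        out.append(prev)
    return out

def recover_from_collisions(iv, cipher, known):
    """known maps block index -> plaintext block. If C[i] == C[j], the cipher
    inputs were equal, so P[i] = P[j] xor C[j-1] xor C[i-1]; no key is used."""
    prev = [iv] + cipher[:-1]
    seen = {}                   # ciphertext value -> index of a known block
    for j in known:
        seen.setdefault(cipher[j], j)
    recovered = {}
    for i, c in enumerate(cipher):
        if i not in known and c in seen:
            j = seen[c]
            recovered[i] = known[j] ^ prev[j] ^ prev[i]
    return recovered

def demo(n_blocks=4000, seed=1):
    """Constructed data: random plaintext, first half known to the observer."""
    rng = random.Random(seed)
    key = bytes(rng.getrandbits(8) for _ in range(8))
    iv = rng.getrandbits(BLOCK_BITS)
    plain = [rng.getrandbits(BLOCK_BITS) for _ in range(n_blocks)]
    cipher = cbc_encrypt(key, iv, plain)
    known = {j: plain[j] for j in range(n_blocks // 2)}
    return plain, recover_from_collisions(iv, cipher, known)

if __name__ == "__main__":
    plain, rec = demo()
    print(len(rec), "unknown blocks recovered without the key")
```

The number of recovered blocks grows with the product of known and unknown block counts, which is why per-key data limits and larger block sizes are the mitigation.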
From: Alan on 13 Sep 2006 10:44

Joseph Ashwood wrote:
> My general rule is that I assume 5-bits (this varies depending on situation)
> of advancement and erosion every year when looking to the future, and every
> six months I readjust the numbers to fit what actually happened.

That's an interesting approach. But five bits per year seems very conservative (Moore's law would suggest one bit every 18 months, ignoring improvements in methodology). At five bits per year, I would be projecting 50 bits improvement in attacks over 10 years, which would render the attack on 3DES more or less equivalent to attacking a 62 bit key today, or perhaps even a 40 bit key if massive memory is available enabling memory tradeoffs such as Stefan Lucks described. That would force replacement of 3DES within the next few years (less than five years). While that would be the safe route, I'm not sure I can justify it based on risk analysis. The probability of 50 bits improvement in 10 years seems pretty low to me.

Peter Fairbrother wrote:
> Today's data is probably secure for 20 years, but the data encrypted with 3DES
> in 10 years time may well not be.

That's exactly the problem I'm trying to solve. I know I will need to replace it at some time. I need an empirical way to identify when.

Maybe another way to look at this would be to have a projection of what is expected to be an achievable attack (bits / work factor) year by year, for different attacker budgets. I wonder if someone has already done this.

BTW I very much appreciate all the comments and suggestions.
From: Alan on 13 Sep 2006 11:03

Francois Grieu wrote:
> The threat of full decryption, equivalent to key recovery,
> seems remote, but I would not say null given the timeframe.
>
> A much more sizable threat is partial decryption, especially if
> the same key is reused over multiple files and some portion of
> the files is known to the attacker, because 3DES only has
> a 64-bit block size.

In my application (digital video) discovery of a block or two of plaintext is not a major concern. Discovery of the key or of a significant viewable segment of the plaintext must be prevented. Our application uses a separate (3-key) 3DES key + IV for each file, and are using CBC mode.
From: Guy Fawkes on 13 Sep 2006 11:24

"Alan" <a__l__a__n(a)hotmail.com> wrote in message
news:1158159808.607226.3920(a)h48g2000cwc.googlegroups.com...
> Francois Grieu wrote:
>> The threat of full decryption, equivalent to key recovery,
>> seems remote, but I would not say null given the timeframe.
>>
>> A much more sizable threat is partial decryption, especially if
>> the same key is reused over multiple files and some portion of
>> the files is known to the attacker, because 3DES only has
>> a 64-bit block size.
>
> In my application (digital video) discovery of a block or two of
> plaintext is not a major concern. Discovery of the key or of a
> significant viewable segment of the plaintext must be prevented. Our
> application uses a separate (3-key) 3DES key + IV for each file, and
> are using CBC mode.
>

But why are people still using 3DES these days? Isn't AES *much* faster and *infinitely* more secure?