How long to trust 3DES
in [Cryptography]
|
From: Alan on 12 Sep 2006 12:05 Numerous applications continue to use 3DES (For discussion purposes, think of three key triple DES, CBC, protecting files in the 5-10Gb range) to protect valuable information. In some cases information is being encrypted today that must remain secure for 10, 15, maybe 20 years or more. So it must be asked: Will 3DES - encrypted content be secure against anticipated threats over that time frame? It is easy to say just replace 3DES with one of the standard AES configurations, but a business must be made based on costs and risk analysis. To do that risk analysis, we have to know how soon the attacker's capability will overtake 3DES (in other words, when will the cost of the attack be justified by the value of the asset to the attacker?) I understand the value of the asset over time. I need to know the capability of an attacker over time. I'm looking for a reasonable approach to assess the changing risk over time so we can make a logical business decision about replacing the algorithm. Any comments or advice would be welcome.
From: Paul Rubin on 12 Sep 2006 12:14 "Alan" <a__l__a__n(a)hotmail.com> writes: > I'm looking for a reasonable approach to assess the changing risk over > time so we can make a logical business decision about replacing the > algorithm. Any comments or advice would be welcome. It will stay certified (in some modes) through the year 2030. See: http://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdf
From: Alan on 12 Sep 2006 13:43 Paul Rubin wrote: > It will stay certified (in some modes) through the year 2030. That document specifies that 3DES is approved through 2030 for sensitive but unclassified information only. Is there some metric I can use to determine whether or not "sensitive but unclassified" is equivalent (in terms of value / threat) to assets in my application? I would guess that NIST did some kind of quantitative analysis of strength to back up that standard... Thanks!
From: Peter Fairbrother on 12 Sep 2006 17:04 Alan wrote: > Numerous applications continue to use 3DES (For discussion purposes, > think of three key triple DES, CBC, protecting files in the 5-10Gb > range) to protect valuable information. In some cases information is > being encrypted today that must remain secure for 10, 15, maybe 20 > years or more. So it must be asked: Will 3DES - encrypted content be > secure against anticipated threats over that time frame? > > It is easy to say just replace 3DES with one of the standard AES > configurations, but a business must be made based on costs and risk > analysis. To do that risk analysis, we have to know how soon the > attacker's capability will overtake 3DES (in other words, when will the > cost of the attack be justified by the value of the asset to the > attacker?) I understand the value of the asset over time. I need to > know the capability of an attacker over time. > > I'm looking for a reasonable approach to assess the changing risk over > time so we can make a logical business decision about replacing the > algorithm. Any comments or advice would be welcome. > I would suggest that it is likely to remain secure for that length of time - and I mean secure in the sense that no-one at all can break it. There are well-known problems with the short block size and the high work factor, but over the next 20 years I would not be concerned about the basic security of the algorithm (barring the building of a quantum computer). One point though - in 20 years, will the data have to remain secure for yet another 20 years? In that case I would say no. Today's data is probably secure for 20 years, but the data encrypted with 3DES in 10 years time may well not be. (or perhaps even in 5 years it ight not be safe for the following 20 years, depending on a) what happens in the next five years and b) the security level you require - I only use one security level, unless I have to do otherwise, that being that no-one at all can decrypt it within the time :-) (there can be valid reasons sometimes why it might be approriate to use a lower security level, but I am not usually convinced by them - typically I think the people involved are just cheapskates trying to save money. Not that saving money is inherently a bad thing, but opening yourself to an ill-considered risk may well be - and most often the "no-one can break it" standard is cheap enough.) But is it time to change? Looking into my crystal ball I'd first ask: change to what? AES? There isn't much of anything else to change to. And the security difference between 3DES and AES probably isn't so big that, barring block size and work factor problems and how they interact with the financial and security requirements, it would be worth the cost of the change. ymmv, as they say. -- Peter Fairbrother
From: Johnny Bravo on 12 Sep 2006 22:51
On 12 Sep 2006 10:43:31 -0700, "Alan" <a__l__a__n(a)hotmail.com> wrote: >Paul Rubin wrote: >> It will stay certified (in some modes) through the year 2030. > >That document specifies that 3DES is approved through 2030 for >sensitive but unclassified information only. Is there some metric I >can use to determine whether or not "sensitive but unclassified" is >equivalent (in terms of value / threat) to assets in my application? In rough terms, Sensitive but Unclassified will cost you nothing but possible embarrasment should it be disclosed. So while your poetry could fall under this category none of your personal information would; that's even including your date of birth and home address; which for online purposes should be at least confidential due to the potential for indentity theft. For more than you probably ever wanted to know about US classification levels, see http://en.wikisource.org/wiki/Executive_Order_13292 |