Federal Reserve Banks to Use Triple DES Security

The Federal Reserve System has settled on the Triple DES technique to ensure security of funds transfers and other sensitive messages.

Triple DES is an enhancement of the federal data encryption standard, or DES. Amid concerns that the digital keys that lock and unlock basic DES codes have become too easy to crack, the Fed has sided with those who believe that repeating DES procedures three times provides more than adequate security.

Before making the move, the Federal Reserve banks conducted an extensive analysis of encryption alternatives for the $1.5 trillion of daily payment volume and related electronic information that flow over their communications network.

Around the time of the Fed's announcement last month, flaws in Triple DES were reportedly identified by Eli Biham, a cryptographer at Technion, a research institute in Israel, and Lars Knudsen at the University of Bergen in Norway.

In a paper due to be presented in May, Mr. Biham and Mr. Knudsen conclude that under certain-albeit improbable-circumstances Triple DES can be reduced in strength so that it is no more robust than the DES algorithm that financial institutions now use.

Triple DES remains the best option, said Kawika Daguio, technology policy consultant at the American Bankers Association.

"We have known for a long time that we need a new interim cryptography standard, and we've known about some issues with the various implementations of Triple DES," said Mr. Daguio.

A longer-term solution, the Advanced Encryption Standard, or AES, is about two years away, said the ABA data security expert. "Given that AES isn't done, Triple DES is the only choice for the Federal Reserve banks or anyone else. It's a good choice, and we're pinning our long-term hopes on AES."

The government move to AES will be a positive influence on the private sector and could have a 20- to 30-year life, comparable to that of DES, Mr. Daguio said.

"DES still works and is perfectly adequate for most applications," he added. "Triple DES is a good solution for high-security requirements, and AES may be overkill."

With its 256-bit key lengths, AES would be many times more difficult to crack than DES at 56 bits.

"We have advised government agencies that if they need more security than single DES, they should consider Triple DES," said Miles Smid, manager of the security and technology group of the National Institute of Standards and Technology in Maryland. "However, we are looking to develop AES by 2000 and that will be the superior algorithm."

The Fed, he said, is aware of this and is designing its system to be upgraded as the need arises.

"My opinion, after following research, is that Triple DES does provide adequate security for the Fed's applications. It has substantial improvements over single DES," said Mr. Smid.

The rollout of Triple DES within the Federal Reserve will begin later this year. Each Federal Reserve bank will provide details to its member institutions.

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER