RSA Data Security Inc. is taking another whack at DES, the federal Data Encryption Standard that banks commonly use to secure funds-transfer messages.
For the fourth time in three years, the San Mateo, Calif., company is sponsoring a cryptography contest, offering a bounty of up to $10,000 for breaking the DES code.
RSA, a leader in data encryption technology, has amply made the point that DES is vulnerable to cracking. The encryption key is 56 computer bits long and can be unscrambled using available brute-force computing power.
RSA and others of like mind are trying to prove it is high time to go to longer keys-an uphill fight against a government that for many years did not approve exports of systems above 40 bits for fear of putting unbreakable codes in the possession of foreign enemies or terrorists.
Though exponentially safer 128-bit systems have become widely permissible in banking and financial applications, 56-bit DES remains well entrenched and RSA "sees value in at least one more" of its data encryption challenges, said RSA Laboratories chief scientist Burt Kaliski.
Cryptography expert Patrick Richard, chief technology officer of Xcert International of Walnut Creek, Calif., said 56-bit DES is "definitely a cause for concern" and should be avoided in high-value business-to-business transactions on the Internet.
It is less of a concern for lower-value transmissions, on which the potential profit might not be worth hackers' while, Mr. Richard said.
In RSA's DES Challenge I, in 1997, it took Rocke Verser of Loveland, Colo., 96 days to recover the secret key that RSA had applied to a test message.
Two 1998 winners used a prodigious amount of ever-more-economical computing power to ratchet down the time to 41 days and then to just 56 hours. The last was a highly publicized effort in July sponsored by the Electronic Frontier Foundation.
Every expectation is that the record will be broken within a day or two after DES Challenge III is posted on the rsa.com Web site at 9:00 a.m. Pacific time on Jan. 18, at the start of the annual RSA Data Security Conference in San Jose, Calif.
If the feat is accomplished within 24 hours, the prize will be $10,000. If it takes more than 24 but less than 48 hours, it will be $5,000. If 48 to 56 hours, it will be $1,000, and there would be no reward if the 56-hour record is not broken.
Mr. Kaliski and RSA, a subsidiary of Security Dynamics Technologies Inc. of Bedford, Mass., have more than fun and games on their minds. Aside from wanting to sell products, they are engaged in serious political and technological debates.
Strong-encryption advocates continue to express dissatisfaction with official policy. In a Dec. 22 statement critical of a pronouncement under the Wassenaar Arrangement, a multilateral military trade accord, the Internet Architecture Board and Internet Engineering Steering Group deemed 64-bit ciphers highly vulnerable. Those two bodies, associated with the Internet Engineering Task Force, three years ago endorsed 90 bits as the minimum for secure Internet communications and commerce.
Revised encryption regulations that the Clinton administration made formal last week, focusing on 56-bit DES and underscoring the free-export policy for stronger encryption in financial and other sensitive fields, was hailed as a step in the right direction by leading computer vendors in the Computer Systems Policy Project. "The administration has recognized the reality of the growing availability of strong encryption in the international marketplace," said Lewis E. Platt, chairman of the coalition and of Hewlett-Packard Co.
The Business Software Alliance called the policy "an important step" but not liberal enough. Americans for Computer Privacy, a coalition of companies, trade associations, and consumer advocacy groups, also called it a "crucial first step" but criticized it for being more restrictive than the Wassenaar Arrangement.
"Ultimately, an appropriate encryption export policy should recognize the futility of trying to control mass-market products that are inherently uncontrollable," said Business Software Alliance president Robert Holleyman.
Mr. Kaliski said a 56-bit key affords "marginal protection against a committed adversary. The recurring successful cracks of DES emphasize that the time has come to move to new, stronger security algorithms, especially in financial services applications."
The Federal Reserve System last year announced a decision to move to triple-DES, a modification of the current standard that, in effect, doubles the key length. But three encryption operations must be conducted, putting that much more burden on computers and slowing the transaction times.
In a paper on the RSA Web site, "Life After DES," Mr. Kaliski discusses DESX, a "lightweight triple-DES" that RSA founder Ronald Rivest developed in the 1980s. The effective key length is 120 bits "with essentially no impact on encryption and decryption time," though triple-DES is in some ways stronger.
Both types of enhanced DES, Mr. Kaliski writes, "are appropriate interim steps while waiting for AES," the Advanced Encryption Standard that the National Institute of Standards and Technology bills as the "crypto algorithm for the 21st century."
AES, designed to rectify DES' shortcomings, may be two years away. Fifteen "candidate algorithms," including one from RSA called RC6, have been submitted to the NIST. They are to be the subject of an international conference in Rome in March and are open for public comments until April 15.
Mr. Kaliski said some financial institutions "may be holding off on triple-DES" in anticipation of AES, but he recommends that they not delay.
"There is some analogy to the year-2000 problem," he said in an interview. "Current systems are working fine, but it is expensive to move.
"In principle, triple-DES is a good move," Mr. Kaliski added, because it affords the reliability and availability of a standard technology while improving banks' ability to deal with AES. "They ought to begin engineering now to accommodate some advanced algorithms," he said.
