Banking on the Net: Banks Stand Behind DES Despite Breaking of Code

A Silicon Valley executive said the recent cracking of a message protected by the Data Encryption Standard was "one of the most significant milestones in the history of cryptanalysis."

Banking experts, however, responded with a Reaganesque "There you go again."

The attack on the DES-encoded message was a response to a $10,000 challenge issued by RSA Data Security Inc., a leading provider of encryption software.

Coordinated by computer consultant Rocke Verser, the code-breaking effort began more than four months ago and eventually drew on 14,000 Internet-linked computers that tested over one-quarter of the 72 quadrillion possible 56-bit DES keys. When the right key was discovered, the following message was revealed: "Strong cryptography makes the world a safer place."

The event got considerable media play, with some articles hinting that the banking industry, which relies on DES encryption for everything from multimillion-dollar wire transfers to $10 automated teller machine withdrawals, is suddenly at risk.

"If you're a large multinational corporation with a billion-dollar secret, or if you operate the Fed Wire, I think you should think twice about whether DES is sufficient to secure that transaction," Mr. Verser was quoted as saying.

Bankers concede that DES will eventually need to be replaced, but they are not going into panic mode.

"The DES challenge was an interesting academic exercise and it verifies our experts' expectations, but the result has little to do with the ability of ill-intentioned individuals or groups to attack bank information systems and payment networks," said Kawika Daguio, the American Bankers Association's data security expert.

DES is not the only weapon in banks' defensive arsenal. For retail uses like ATMs they typically change encryption keys daily, and they do so far more frequently for high-value wholesale wires, Mr. Daguio said.

At the same time, Federal Reserve officials said they are moving quickly to implement an improved technique known as "triple-DES." Triple-DES effectively doubles the length of the encryption key, making brute-force attacks even more difficult.

When it comes to protecting Fed Wire, "we don't ever feel we can rest on our laurels," said Dara Hunt, senior vice president and manager of wholesale payments at the Federal Reserve Bank of New York.

She said Fed Wire would be moving to triple-DES in phases over the coming months, and the entire network should be upgraded by early next year.

Mr. Verser, while allowing he is "not a banking industry insider," stood by his opinion that single-DES is increasingly vulnerable.

"Clearly, good key-management practices, including frequent changes to the key, reduce the threat, but they do not eliminate the threat," Mr. Verser said.

This article previously appeared in American Banker's Web edition.
