From: Alan on
Numerous applications continue to use 3DES (For discussion purposes,
think of three key triple DES, CBC, protecting files in the 5-10Gb
range) to protect valuable information. In some cases information is
being encrypted today that must remain secure for 10, 15, maybe 20
years or more. So it must be asked: Will 3DES - encrypted content be
secure against anticipated threats over that time frame?

It is easy to say just replace 3DES with one of the standard AES
configurations, but a business must be made based on costs and risk
analysis. To do that risk analysis, we have to know how soon the
attacker's capability will overtake 3DES (in other words, when will the
cost of the attack be justified by the value of the asset to the
attacker?) I understand the value of the asset over time. I need to
know the capability of an attacker over time.

I'm looking for a reasonable approach to assess the changing risk over
time so we can make a logical business decision about replacing the
algorithm. Any comments or advice would be welcome.

From: Paul Rubin on
"Alan" <a__l__a__n(a)hotmail.com> writes:
> I'm looking for a reasonable approach to assess the changing risk over
> time so we can make a logical business decision about replacing the
> algorithm. Any comments or advice would be welcome.

It will stay certified (in some modes) through the year 2030. See:

http://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdf

From: Alan on
Paul Rubin wrote:
> It will stay certified (in some modes) through the year 2030.

That document specifies that 3DES is approved through 2030 for
sensitive but unclassified information only. Is there some metric I
can use to determine whether or not "sensitive but unclassified" is
equivalent (in terms of value / threat) to assets in my application?
I would guess that NIST did some kind of quantitative analysis of
strength to back up that standard...

Thanks!

From: Peter Fairbrother on
Alan wrote:

> Numerous applications continue to use 3DES (For discussion purposes,
> think of three key triple DES, CBC, protecting files in the 5-10Gb
> range) to protect valuable information. In some cases information is
> being encrypted today that must remain secure for 10, 15, maybe 20
> years or more. So it must be asked: Will 3DES - encrypted content be
> secure against anticipated threats over that time frame?
>
> It is easy to say just replace 3DES with one of the standard AES
> configurations, but a business must be made based on costs and risk
> analysis. To do that risk analysis, we have to know how soon the
> attacker's capability will overtake 3DES (in other words, when will the
> cost of the attack be justified by the value of the asset to the
> attacker?) I understand the value of the asset over time. I need to
> know the capability of an attacker over time.
>
> I'm looking for a reasonable approach to assess the changing risk over
> time so we can make a logical business decision about replacing the
> algorithm. Any comments or advice would be welcome.
>

I would suggest that it is likely to remain secure for that length of time -
and I mean secure in the sense that no-one at all can break it.

There are well-known problems with the short block size and the high work
factor, but over the next 20 years I would not be concerned about the basic
security of the algorithm (barring the building of a quantum computer).


One point though - in 20 years, will the data have to remain secure for yet
another 20 years? In that case I would say no. Today's data is probably
secure for 20 years, but the data encrypted with 3DES in 10 years time may
well not be.



(or perhaps even in 5 years it might not be safe for the following 20 years,
depending on a) what happens in the next five years and b) the security
level you require - I only use one security level, unless I have to do
otherwise, that being that no-one at all can decrypt it within the time :-)

(there can be valid reasons sometimes why it might be appropriate to use a
lower security level, but I am not usually convinced by them - typically I
think the people involved are just cheapskates trying to save money. Not
that saving money is inherently a bad thing, but opening yourself to an
ill-considered risk may well be - and most often the "no-one can break it"
standard is cheap enough.)



But is it time to change? Looking into my crystal ball I'd first ask: change
to what? AES? There isn't much of anything else to change to.

And the security difference between 3DES and AES probably isn't so big that,
barring block size and work factor problems and how they interact with the
financial and security requirements, it would be worth the cost of the
change.


ymmv, as they say.

--
Peter Fairbrother
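
Added example, not part of any post in this thread: a birthday-bound estimate for the short block size mentioned in the post above, applied to the 5-10 GB CBC files from the original question. It assumes "Gb" means gigabytes, one key per file and an ideal block cipher; the function names are hypothetical.

```python
import math

GB = 10 ** 9  # assumption: "Gb" in the thread is read as gigabytes


def collision_probability(data_bytes, block_bits):
    """Birthday-bound estimate that at least two ciphertext blocks are equal
    when data_bytes are encrypted under one key in CBC mode.
    In CBC, two equal ciphertext blocks reveal the XOR of two plaintext blocks."""
    n = data_bytes * 8 // block_bits      # number of cipher blocks
    pairs = n * (n - 1) / 2               # distinct pairs of blocks
    # 1 - exp(-pairs / 2^b), computed stably when the result is tiny
    return -math.expm1(-pairs / 2.0 ** block_bits)


def max_bytes_for_risk(p_max, block_bits):
    """Largest volume under one key that keeps the estimate at or below p_max."""
    # Solve n^2 / 2^(b+1) = -ln(1 - p_max) for the block count n
    n = math.sqrt(-2.0 * math.log1p(-p_max) * 2.0 ** block_bits)
    return int(n) * block_bits // 8


def report():
    """Collision estimates for the file sizes in the question:
    64-bit blocks (3DES) next to 128-bit blocks (AES)."""
    return [
        (size // GB,
         collision_probability(size, 64),
         collision_probability(size, 128))
        for size in (5 * GB, 10 * GB)
    ]


if __name__ == "__main__":
    for gb, p64, p128 in report():
        print(f"{gb:>3} GB  64-bit block: {p64:.4f}   128-bit block: {p128:.3e}")
    limit = max_bytes_for_risk(1e-6, 64)
    print(f"64-bit block, risk <= 1e-6: about {limit / 10**6:.1f} MB per key")
```

The estimate depends only on block size and data volume per key, so it does not change with attacker computing power over the 10 to 20 year horizon discussed in the thread.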

From: Johnny Bravo on
On 12 Sep 2006 10:43:31 -0700, "Alan" <a__l__a__n(a)hotmail.com> wrote:

>Paul Rubin wrote:
>> It will stay certified (in some modes) through the year 2030.
>
>That document specifies that 3DES is approved through 2030 for
>sensitive but unclassified information only. Is there some metric I
>can use to determine whether or not "sensitive but unclassified" is
>equivalent (in terms of value / threat) to assets in my application?

In rough terms, Sensitive but Unclassified will cost you nothing but possible
embarrassment should it be disclosed. So while your poetry could fall under this
category none of your personal information would; that's even including your
date of birth and home address; which for online purposes should be at least
confidential due to the potential for identity theft.

For more than you probably ever wanted to know about US classification levels,
see http://en.wikisource.org/wiki/Executive_Order_13292