
In the mid 1970's there was a computer chip encryption system called DES. The NSA forced the "key" to have fewer bits..

bolbim33

Senior member
In the mid 1970's there was a computer chip encryption system called DES. The NSA forced the "key" to have fewer bits than the developers preferred. Why would they do this? Why were non-NSA cryptographers upset about it?
 
Because they were intentionally weakening security. DES 40, for example, has been cracked, multiple times. Dnet has had several DES projects, the last of which we managed to find the key in under 24 hours. Now what makes that so bad is that a cracking machine had been built that provided half of all the power in Dnet's contest, at a cost of only $250,000. So you could say that you could crack DES every 12 hours for what's probably now less than 1 million dollars.😱 Up until very recently, 40bit DES was the export standard; you couldn't export products out of the USA that use a more powerful encryption scheme; that, obviously, was a problem for everyone else.😱
 
ViRGE, since you are knowledgeable in this topic, is 40bit still the standard today?
 
I know a little about this stuff. (Call me a geek, but I have a copy of Applied Cryptography sitting on my desk 😱) DES was adopted by the government of the US as a standard in 1976. ANSI approved it, under the name data encryption algorithm or DEA in 1981. The government initiated the process for a "new DES" around 1987, but no alternatives were available. The end of use of the DES was scheduled for 1992 then extended to 1998. But it is actually still approved for use, along with three other algorithms.

AES, Skipjack, & Triple DES are the new algorithms that have been approved: Info Here

The Advanced Encryption Standard is preferred. It is capable of using 128, 192 and 256 bit keys to encrypt data in blocks of 128 bits.
 
I could have sworn that the current export restriction is AES 56bit, but IJump's documentation seems to prove otherwise. So I'll just say I'm clueless on that one.😱
 


<< I could have sworn that the current export restriction is AES 56bit, but IJump's documentation seems to prove otherwise. So I'll just say I'm clueless on that one.😱 >>



For export, the standards are also subject to Government export controls specified in "Title 15, Code of Federal Regulations (CFR) Part 740.17; Title 15, CFR Part 742; and Title 15, CFR Part 774, Category 5, Part 2". That may be where the 56bit part comes in. I will check on that.......

Here is the CFR that applies to the export of cryptographic material.
 
[Code of Federal Regulations]
[Title 15, Volume 2]
[Revised as of January 1, 2002]

"Retail encryption commodities and software. Exports and
reexports to any end-user of encryption commodities, software and
components are authorized after review and classification by
BXA as retail under ECCNs 5A002 and 5D002. Encryption products exported
or reexported under this paragraph (b)(3) can be used to provide
services to any entity. Internet or telecommunications service providers
can obtain retail products under License Exception ENC and use them to
provide any service to any entity. Retail encryption commodities,
software and components are products:
.
.
.
"56-bit products with key exchange mechanisms greater than 512
bits and up to and including 1024 bits, or equivalent products not
classified as mass market, or finance-specific encryption commodities
and software of any key length restricted by design (e.g., highly field-
formatted with validation procedures and not easily diverted to other
end-uses) and used to secure financial communications such as electronic
commerce may be exported under the retail provisions of this section
immediately after submitting a completed classification request to BXA.
.
.
.
"Key length increases. Exporters can increase the key lengths of
previously classified products and continue to export without another
review. No other change in the cryptographic functionality is allowed.


Looking through all of the regulation, the best that I can tell is that they have now allowed an increase in key length. This revision was dated Jan 2002, so it may have been fairly recent.
 