Data Encryption Standard no longer up for the job

It’s the end of an era for one form of VPN encryption: the federal government says that simple Data Encryption Standard can no longer stand up against brute-force attacks.

The National Institute of Standards and Technology (NIST) says federal agencies should instead use DES-3 or AES, two alternate standards that are much more difficult to break. Even throwing massive parallel computing at the task of breaking the encryption keys would take eons, making the data protected pretty safe.

The implications for most user organizations are small. For years, most vendors have supported DES and DES-3, meaning if a customer had been using DES, they could probably just turn on DES-3 if they were getting nervous. It’s still no simple matter to crack DES, but it is possible, and NIST regards that as too risky for government work.

AES was designated as good for government encryption after it was chosen by NIST from among other entries in a bakeoff three years ago. Not only is it more secure than DES, it also draws less on processors. Vendors whose gear supports both report higher throughput with AES-encrypted traffic than with DES-3 traffic because of this. The “3” in DES-3 indicates it is encrypted three times using different keys.

NIST says it would take 149 trillion years to crack AES, while DES-3 could be broken in a mere 4.9 billion years. The amount of time it takes to crack these shrinks over time as computing power improves, but even with projected improvements, AES is believed to be good for decades.

So users with an IPSec VPN might want to turn on AES to improve speed and security. It may soon become necessary anyway for companies that do business with the government.