Shostack + Friends Blog Archive


Time for DES to go?

In 1977, the government certified the Data Encryption Standard (DES), with a planned lifetime of 15 years. It has now been in use for nearly 30, and no longer offers even decent security. Over 6 years ago, the EFF built Deep Crack, a supercomputer for breaking DES, which cracked keys in under a day.

NIST has now proposed to decertify DES (sorry, PDF). Some entities are opposed to this, because they have spent money on DES compliant gear, and would like to keep using it.

They are able to argue for the validity of their choice by pointing to the continuing certification of DES, despite the evidence it should go away. This is a downside of standards: they slow innovation by creating a constituency against change.

At Crypto this year, NIST asked for comments. Here are mine, on behalf of an organization that might not otherwise speak up.

Dear NIST,

I am writing to you on behalf of Corleone International, a family business for over 4 generations.

Corleone International has made substantial investments over time in security and security analysis equipment in support of our various business lines. These outlays have included people, processes and technologies to facilitate our involvement in the financial sector.

Recently, the continued use of DES has allowed us to make a substantial return on our investment through “partnerships” with a number of leading financial institutions. We would hate to see our investments invalidated by a premature de-certification of the DES, which is working well for us.


“Don” Vito Corleone, Chairman, Corleone International

You can send your comments opposing re-certification to, or read more at NIST (sidebar on the right).