31 March 1998
Source: Hardcopy The New York Times, March 31, 1998, p. D8

Powerful New Encryption Standard Delayed by Weakness

By John Markoff

A Government standards group has delayed the adoption of a new data scrambling standard for protecting the world's most sensitive financial transactions, including most banks' electronic funds transfers, after the discovery by two computer scientists of a weakness that could allow the code to be cracked.

The flaw was discovered by Eli Biham, a well-known cryptographer at the Technion research institution in Israel, and by Lars Knudsen at the University of Bergen in Norway. A paper detailing their discovery is to be presented at a technical conference in May.

In their paper, which is available on the Technion Web site, Mr. Biham and Mr. Knudsen report that an ultra-strong version of the United States Data Encryption Standard known as Triple D.E.S. can under certain circumstances be reduced in strength so that it is no more robust than the current encryption algorithm, which financial institutions have widely used as a security mechanism for several decades.

Computer security experts are eager to replace the current code because it has become vulnerable to new code-cracking techniques. When the code was developed, its designers had predicted that if it could be broken it would take hundreds of years, requiring constant trial-and-error calculations by the world's fastest supercomputers.

But the code was publicly broken for the first time last year by a loosely organized group of computer users just to show that it could be done. Thousands of members of the group volunteered the use of their own computers, ranging from desktop PC's to supercomputers, whose processors were combined over the Internet to attack the problem over a five-month period with an approach known as massively distributed computing. In distributed computing, each computer tests just a few of a vast array of possible keys, or numbers, to break the code.

The strength of most modern encryption systems is determined by the length of the numerical key that is used to encrypt the information. While the proposed new standard uses a key the same length as the current key -- 56 bits -- it encrypts the message three times with three different keys. For each key, there are several possible ways of encrypting the data, known as modes. Mr. Biham and Mr. Knudsen said the flaw appeared in a single mode of the Triple D.E.S. proposal, which is before a subcommittee of the American National Standards Institute.

The scientists stressed in an interview that their paper, which also proposes several modifications to strengthen the standard, described only a theoretical weakness and not a practical means of breaking the Triple D.E.S. But they suggested that the weakness was cause for concern.

As a result of the distribution of the paper within the subcommittee, it decided to drop the vulnerable mode of the proposed standard, said the chairman, Blake Greenlee.

"My hat's off to Eli; he did a nice job," Mr. Greenlee said. The subcommittee that is evaluating the standards is known as X9.F1, and it oversees the development of new cryptographic tools.

The subcommittee is now awaiting final approval of its revised standard by the entire committee, he said. Once the committee gives its approval, there is a 60-day public comment period before the new standard takes effect.

The Triple D.E.S. is intended to serve as a stopgap measure while the National Institute for Standards and Technology completes work on a still more secure design known as the Advanced Encryption Standard, or A.E.S. Competing proposals for that system, which is intended to protect computer data transmissions well into the next century, will be submitted this summer.

The A.E.S. will have key lengths of 128, 192 and 256 bits, as compared with the current 56-bit length of D.E.S., placing it safely beyond the reach of the most powerful computers now anticipated for the future.

The original D.E.S. key is a secret number that is used to perform a series of mathematical scrambling operations on a message or on other computer data. When the scrambled message is received, the same secret key is used to reverse the process and unscramble the data.

The current D.E.S. is based on research that was originally done at the International Business Machines Corporation's Thomas J. Watson Research Laboratory in the 1970's as part of a project code-named "Lucifer." It was adopted as a national standard in 1977.

30 March 1998, PC Week:

New Crypto Standards

With a deadline for final submissions two months away, security vendors are beginning to unveil the algorithms they hope will replace DES.

Several security companies and cryptographers, including Cylink Corp. and independent cryptographer Bruce Schneier, will soon unveil their proposals for the Advanced Encryption Standard.

Cylink has had a team of cryptographers working on a Data Encryption Standard replacement since last summer, said Chuck Williams, chief scientist at the Sunnyvale, Calif., company. Dubbed Safer+, the new algorithm will come in 128- bit, 192-bit and 256-bit key lengths, with a block size of 128 bits.

Schneier will submit a new version of his popular Blowfish algorithm, called Blowfish 128. It increases the key size and block size of Blowfish and reduces the time it takes to set up a key.

DES was created more than 20 years ago to become the symmetric, or private key, standard for the federal government.

NAI licenses encryption technology

In related cryptography news, Network Associates Inc. this month licensed encryption technology from a Swiss research lab.

Officials of NAI, which in the fall purchased the crypto developer Pretty Good Privacy Inc., said they don't know much about the encryption technology they are licensing from cnLabs. All they know, they said, is what they asked for: the functional equivalent of PGP's strong cryptography.

cnLabs will sell the strong encryption to NAI's subsidiary in the Netherlands, where it will be installed on NAI products, said Peter Watkins, vice president and general manager of NAI's security division, in Santa Clara, Calif.

The deal will enable NAI to skirt the U.S. government's current encryption export laws. With some exceptions, the Commerce Department bars export of encryption software that uses keys longer than 40 bits. Keys of 56 bits can be used if a company promises to build in a key recovery mechanism that would give law enforcement officials a back door into the encrypted data. Even talking with a foreign company about how to use strong encryption could be construed as a felony violation of the law.

Watkins said NAI contacted Commerce officials two weeks ago and announced its intent to work out the deal with the Swiss lab but had not heard back from them.

30 March 1998, Business Wire:

Canada`s Cryptography Policy Debate Begins in Ottawa March 31

March 31, 1998

Ottawa -- Entrust Technologies Inc. will host 11 key industry players Tuesday March 31, 1998 as Canada's debate over cryptography policy and electronic commerce comes to a head.

The meeting will focus on the Government of Canada's recent introduction of the discussion paper entitled (A Cryptography Policy Framework for Electronic Commerce,) which is available in electronic format at


With this report, the government has initiated a unique collaborative effort by proactively seeking industry and general public feedback on policy issues that relate to cryptography and electronic commerce.

The following company representatives will participate in the discussion which will be chaired by Mr. Alan Pickering, former Director-General of the CSE(Communications Security Establishment):

Netscape Communications Canada Ltd.: Mr. Todd Finch, President. Nortel: Mr. Dermot Kavanagh, Manager, Regulatory Standards. Hewett-Packard (Canada) Ltd.: Ms. Lynn Anderson, Enterprise Marketing Manager, Computer Organization Entrust Technologies Ltd.: Mr. Brian O'Higgins, Executive VP and CTO, and DR. Paul Van Oorschot, Chief Scientist. Certicom Corporation: Mr. Phil Deck, President and CEO KyberPASS Corporation: Mr. Ron Walker, President and CEO. MilkyWay Networks: Mr. Robert Koblovsky, VP Marketing. TimeStep Corporation: Mr. Tim Hember, President Electronic Frontier Canada: Dr. David Jones, President and Secretary. Chrysalis-ITS: Ms. Benita Baker, Manager of Marketing Communications. Information Technology Association of Canada: Mr. David Betts, Vice-President, Programs. JetForm Corporation: Mr. Ralph Doran, Vice-President, Product Development.

Entrust expects that the policy and business issues discussed will transcend geographic borders. A report on the views expressed during the meeting will be submitted to government on behalf of the participating companies. Logistical Details:

Date: Tuesday, March 31, 1998

Time: 1 p.m.

Place: Provinces II Ballroom, Westin Hotel, 11

Colonel By Drive, Ottawa, Ontario.

Entrust has established a teleconference line for those media who cannot attend the session in person. To participate, please dial 1-800-599-9440 at approximately 12:50 p.m. on Tuesday, March 31, 1998. The passcode is 639603 and the conference number is 847746. You will be in listen-only mode through the majority of the conference, but the Chair will break the discussion periodically in order for the participants to field questions from the observers.

Issues for debate include the following:

-- How best to balance consumer, business, law enforcement and security and interests.

-- Input on options for access to stored encrypted data.

-- Encryption of real-time communications.

-- Export controls for encryption products.

-- Legal and national security issues.

-- Applicability of all policies in a global context.

CONTACT: Entrust Technologies | Carrie Bendzsa, 613/247-3455 | E-mail: carrie.bendzsa@entrust.com | or | Neale-May & Partners | Catherine Tiangha, 212/317-0900 x 12 | E-mail: ctiangha@nealemay.com