Tech Time Warp: Far past time to move to AES encryption

In May 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Partnership for Interoperable Communications (FPIC) released a whitepaper warning government agencies about the dangers of relying on the Data Encryption Standard (DES)—a nearly 50-year-old technology—for cybersecurity. Let’s get into this week’s Tech Time Warp.

The message should have been received long ago: A group of friends proved on June 17, 1997, that the computers of the late 90s could easily bring down this type of 56-bit symmetric encryption.

Since 1976, the government and financial institutions had relied on DES to protect sensitive information. Originally proposed by IBM as a 128-bit solution under the name “Lucifer,” DES was reduced to 56 bits by the National Institute of Standards and Technology (NIST) and declared the national standard for security on Nov. 23, 1976. And for 20-plus years, DES was fairly secure. That was until desktop computers became fast enough to coordinate brute force attacks that could run through the more than 72 quadrillion possible encryption keys in a 56-bit system.

Realizing that computers had reached that capacity, RSA Security Inc. issued a challenge with a prize of $10,000 to the first team that cracked the DES algorithm. The winning team—Rocked—called themselves “DESCHALL” for “DES Challenge” and cracked the code using an Internet-based infrastructure. DESCHALL team members used every computer they could get their hands on to systematically try every possible key combination. In the end, they hit the correct key after testing only 25 percent of possible combinations over the course of five months.

To further prove the point that 56-bit encryption wasn’t secure, RSA issued two more DES algorithm challenges. This encouraged participants to crack the code in less time than achieved in the prior challenge. Both times, the challenge was met.

The emergence of AES

In response, NIST adopted the Advanced Encryption Standard, or AES, as the global standard for security on Dec. 4, 2001. AES relies on the Rijndael algorithm, which offers 128- to 256-bit encryption keys. This means that for 128-bit security, there are approximately 340 undecillion possible keys. (That’s 340 followed by 36 zeros, just in case you are unfamiliar with “undecillion.”) More than 20 years later, AES is still the standard for encryption.



This post originally appeared on Smarter MSP.