Re: DES code in the kernel

Michael Higgins (
Thu, 18 Jul 1996 13:01:36 -0400 (EDT)

Herbert Rosmanith <> writes:
> You know that IBM originally came up with an 128bit key DES, but was
> requested by the NSA to reduce it to 56 ? And that the NSA tried to
> suppress diploma thesis and ph.d. thesis on the area ? Trust DES
> only as much as you trust the NSA ...

This is misleading. DES was based on LUCIFER, which had a 128 bit
key. But IBM's original submission for DES had a 112 bit key.

The NSA did reduce the key size to 56 bits, and made a number of
design changes in the DES S-boxes. It seems obvious that the key
reduction would make a brute force search more feasible (but only for
an organization with the budget of the NSA). However, it became clear
in the early 90s that NSA's S-box design changes made DES resistant to
differential cryptanalysis (apparently known to NSA in the 70s but
only recently discovered in the general cryptographic community).
Which makes one think that the NSA really did have some beneficial
contributions to make.

It is still extremely difficult to brute force DES. Feasible for very
large corporations maybe, but it's still usually cheaper to buy off a
human who knows the information than to build the special purpose DES
cracker and wait for it.

You should go read Applied Cryptography by Schneier if you need to
make informed decisions about which crypto algorithms to use. There
are subtle issues involved.