ber 26, 2001, NIST Federal Information Processing Standard Publication
197, “The Advanced Encryption Standard” (AES) was published.
The multi-year process of moving away from DES could at least begin.
On July 26, 2004, NIST announced its proposal to withdraw DES as a
standard altogether. In that announcement, NIST said simply, “DES
is now vulnerable to key exhaustion using massive, parallel
computations.” The proposal’s request for comments period ended on
September 9, 2004. It would seem that in answer to Peter Trei’s
October 1, 1996 question, yes, we can kill single DES.
Instead of being limited to 56-bit keys, we now have a standard in
AES with variable key sizes available, providing as much as 256 bits of
278 CHAPTER 41
DES might have been replaced without the RSA DES Challenges—the
process for replacement did start at NIST before DES fell to a brute
force attack. On the other hand, NIST’s AES announcement did come
after RSA announced that it would launch the contests, and the failure
of DES to withstand three public brute force attacks between 1997 and
1999 might have proved to be just what was needed to keep pressure
on NIST to follow through with the standard.
What is less clear is whether cryptography would be free today
without the DES Challenges. DESCHALL and its successors were often
cited by lawmakers who kept efforts to repeal restrictions on
cryptography alive in Congress; efforts of lawmakers to limit
cryptography failed in 1997. Subsequent debate over cryptography
continued, until the SAFE bill—reintroduced into Congress yet again in
1999—began to pick up broad support. Even Senator John McCain, who had
worked to defeat cryptography liberalization efforts in the Senate,
became a believer in the virtues of free cryptography and supported SAFE.
In December 1999, even the White House had changed its position.
New cryptography regulations were released, allowing for a wide
variety of “automatic exemptions” from export restrictions. Subsequent
tinkering led to an even more liberal policy: with a few exceptions, even
the strongest cryptography could be exported directly overseas by U.S.
The pressure exerted by news of RSA’s DES Challenges might well
have been just the force needed to cause the Clinton administration to
reverse its position and to stop fighting industry efforts to address the
Today, software is different from what it was in 1997. Now, products
come with strong cryptography built in. From both the perspective of
forcing DES into retirement and allowing U.S. companies to participate
in the global market for cryptography, the Crypto Wars—the battle
to liberate cryptography—were won. While neither the DESCHALL
group nor the RSA Secret Key Challenges can take sole credit, both
are rightly seen as major contributors to one of the most critical battles.
While cryptography today is free in practice—through the absence
of restrictions—it is noteworthy that the SAFE bill never did make it
to the Senate floor, and its provisions prohibiting the government from
introducing requirements for restricted cryptography never became law.
As a result of improved protection and reclaimed liberty, in 2004,
many more people are accustomed to the idea of encryption and how
In Retrospect 279
it protects their information against threats to confidentiality and
integrity. While they don’t usually understand what exactly it means,
they know the difference between “secure” and “unsecured” when
they’re shopping online. The infrastructure that supports electronic
commerce and global communication is safer against a wide variety of
attacks, and citizens are free to communicate privately with whomever
they choose thanks to cryptography’s accessibility.
We should not conclude that privacy is “solved” because we now have
the freedom to encrypt.
The need to employ cryptography is becoming increasingly obvious,
and not just for the purpose of transmission of information.
Information stored in computers is now being encrypted with greater
frequency. Even where information technology users have not
historically been especially sophisticated (such as health care),
industry regulation designed to improve the accountability of
information handling now requires encryption of certain types of
information under certain
Cryptography is now also being used for more controversial purposes,
and what appears to be the sequel to the Crypto Wars is already
underway. This time, it isn’t the balance of rights between individuals
and their government, but consumers and the vendors who sell them
Consider the use of cryptography in new media, such as DVD players.
Most DVDs produced are now encrypted, such that the discs will
not play on devices that have not licensed the key needed to unlock the
video stream. The idea is that by having discs secured against playback
except on devices where the manufacturers have agreed to pay a fee to
disc producers and to enforce certain rules, an exclusive club can be
established for the playback of copyrighted work. Film producers expect
that the exclusive club would effectively protect against the production
of illegally copied discs.
Of course, cryptography is not a tool that prevents the copying of
data. Cryptography is a tool that makes data—even if copied—useless
to anyone without the key. Thus, cryptography’s use in DVD players
does nothing to prevent DVDs from being copied. Cryptography in
DVD players only provides an artificial extension of producer’s rights
to playback devices. It’s a little like selling you a copy of this book
but having the text be impossible to read unless you also buy a pair
of glasses with a special chip that only I can sell. You can buy your
glasses from anyone you choose, produced by any manufacturer you
like, but the critical component needed to read the book you’ve already
purchased must always be supplied by me.
That might sound like an anti-consumer position, and lawyers can
debate (and have been debating) the legalities involved. In addition
to the law that has been historically applied in cases like this, the
Digital Millennium Copyright Act (DMCA) is being argued. DMCA,
which became effective in October 2000, updated U.S. copyright law,
strengthening it considerably in favor of copyright holders.
In particular, DMCA prohibits any attempt to defeat an “effective”
technical means of copyright enforcement. Putting the obvious logical
question aside—an effective mechanism would withstand attack, so
what’s the point of prohibiting attack?—we are still left with a
troubling question. If consumers cannot independently verify the
security of such systems and if we cannot understand how these systems
are likely to fail, how are we supposed to ensure their validity? Do we
naively assume that “someone else” has taken care of it?
When faced with a technology that claims to protect publishers’
rights without infringing consumers’ rights, should consumers and
copyright holders simply accept such claims at face value? Why would
such claims not be subject to the same kind of public dissection and
commentary that affect other rights, as was the case with cryptogra-
Princeton professor Edward Felten led a team that responded to a
challenge to crack technologies under consideration for the protection of
digital information put forth by an industry group, the Secure Digital
Music Initiative (SDMI). Felten’s paper describing his inquiry and
findings was scheduled for publication in a scientific context, at the
Fourth International Data Hiding Workshop in April 2001. Upon learning
that Felten’s paper was to be published, SDMI and the Recording Industry
Association of America (RIAA) threatened to sue Felten for violating
DMCA because Felten’s analysis of their digital “watermarking” methods
showed how they could be defeated. After some threats of litigation
were dropped and others resulted in suits being filed, the paper was
finally published in August 2001 at the USENIX Security Symposium.21
(Other researchers have chosen to censor themselves rather than face
threats of litigation by large industry cartels.22)
Imagine a system designed to track the activity of Web users
surreptitiously, employing cryptographic mechanisms to hide its
activity—many of these systems have been discovered and documented.23
If the user of a system wants to see what’s happening, would he simply
have to take the software manufacturer’s word at face value? Would a
manufacturer attempt to use DMCA to prevent analysis and commentary
on technology that impacts the lives of its users?
In his book Code and Other Laws of Cyberspace, Lawrence Lessig
makes a compelling argument that the technology all around us, the
basis of our information infrastructure, is not inherently resistant to
centralized control. Among the forces affecting the way that these
systems work is the law. Because law also affects other forces, such as
the market, it has a disproportionate influence.
As a consequence of DMCA, there is a body of law granting rights to
copyright holders over how consumers may use their own devices, that
they may not use them in such a way that mechanisms to protect the
content are subverted. Indeed, part of that “protection mechanism”
could involve having playback devices “phone home” to report user
activity to the vendor.
As a result of the Crypto Wars, there is now largely an absence of law
regarding the government’s control of cryptography; citizens may use
cryptography to communicate without government inspection. Copyright
owners may also use cryptography to prevent consumers from
seeing what playback devices are reporting when “phoning home.”
Hence, increasingly strong publishers’ rights in combination with the
freedom of cryptography can present a danger to consumers. Simson
Garfinkel’s Database Nation covers the topic of privacy more generally,
but one important point should be made here: privacy is not a “solved
problem” because we are free to use cryptography. The people and
organizations who want to watch our actions, whether for profit, to do
us harm, or simply to get a cheap thrill are also free to encrypt.
Efforts to liberate cryptography have succeeded, and the world is
now different as a result. In many ways, we’re safer. In other ways,
we’re not. What is important to understand is that technology is amoral;
it is neither good nor bad. Only people—free moral agents—can act to
good or bad effect. Whether the freedom to encrypt helps us or hurts
us ultimately depends on what we do with that freedom.
1 Cipher Deavours and Louis Kruh. The Commercial Enigma: Beginnings
of Machine Cryptography. Cryptologia, 26(1), January 2002.
Wilcox. Sharing the Burden: Women in Cryptology during
World War II. NSA Web Site, March 1998. [online]
3 Stephen Budiansky. Battle of Wits. Free Press, 2002.
4G Johnson. Claude Shannon, Mathematician, Dies at 84. The New
York Times, February 27, 2001.
5 Claude E. Shannon. A Mathematical Theory of Communication.
Bell System Technical Journal. 27:379-423 and 623-656, July and Oc-
6 Claude E. Shannon. Communication Theory of Secrecy Systems.
Bell System Technical Journal. 28:656-715, October 1949.
7 Tom Athanasiou. DES and NSA’s New Codes. In Peter G. Neumann,
editor, RISKS Digest, volume 6, January 1987.
8 Simon Singh. The Code Book. Anchor, 1999.
9 D. Kahn. The Codebreakers: The Story of Secret Writing. Macmillan
Publishing Company, New York, USA, 1967.
10 Robert Morris. The Data Encryption Standard—Retrospective
and Prospects. IEEE Communications Society Magazine, 16(6):11–14,
11 National Bureau of Standards. Data Encryption Standard. Federal
Information Processing Standards Pub. 46, Washington, D.C., Jan.
M. Davis. Data Encryption Standard in Perspective. IEEE
Communications Society, November 1978.
13 Hayden B. Peake. The VENONA Progeny. Naval War College Review,
53(3), Summer 2000.
14 Steven Levy. Crypto. Viking, 2001.
speaking, searching the keyspace would not take longer,
but there would be more post-production work required to separate a
possible match from a correct match. The difference, in practice, is
16 Germano Caronni and Matt Robshaw. “How Exhausting is Exhaustive
Search?” CryptoBytes 2(3), Winter 1997.
17 The DESCHALL mailing list archives are still available online at
aSalamon. Internet Statistics. [online]
http://www.dns.net/andras/stats.html, February 1998.
19 The first edition is online at http://www.crypto.com/papers/.
20 The official abbreviation, which appears in RSA’s documentation,
specifies more detail about the exact configuration of RC5 than just
the key size. RSA wrote the fifty-six-bit version of RC5 as
“RC5-32/12/7,” which specified the “word size” (thirty-two bits), the
number of “rounds” (twelve) the cipher would use, and the number of
bytes for the key (seven, times eight bits for each byte gives us
fifty-six bits).
21 Information on the controversy and the paper itself can be
downloaded from Princeton at http://www.princeton.edu/sip/sdmi/.
22 Cryptographer Niels Ferguson has an essay on this topic,
“Censorship in action: Why I don’t publish my HDCP results.” It can be
found online at http://www.macfergus.com/niels/dmca/cia.html.
23 One such system, PC Friendly, comes standard on many DVDs.
1997 Secret Key Challenge, 44–45
Adleman, Len, 41
Advanced Encryption Standard, 273
Ahn, Dave, 183
AIX, 44, 95
Ajtai, Miklós, 179
Albertelli, Guy, 95, 147, 189
Alphabetical Typewriter 97, 5
American Bankers Association, 20
American Civil Liberties Union, 213
American National Standards Institute, 20
Americans for Tax Reform, 213
Anderson, Ross, 229
Bradley, Jeremy, 148
Brooks, Piete, 64
Brown, Mikael, 148
brute force, 16, 19–21, 23–27, 53–55, 57, 127
    DES Challenge II, 271
    DES Challenge III, 272
    hardware, 61
    of 56-bit RC5, 271
    parallelization, 58
    software, 59–61
BSD Unix, 44
Bureau of Export Administration, 71
Burns, Conrad, 163, 255, 269
Caesar Cipher, 27