Non-government cryptologists have been saying this for some time -- some of them were saying it from the beginning -- but the US government has consistently ridiculed such suggestions.
A group of well-known cryptographers looked at key lengths in a 1996 paper. They suggested a minimum of 75 bits to consider an existing cipher secure and a minimum of 90 bits for new ciphers. Any additonal transforms we eventually add to Linux FreeS/WAN will use at least a 90-bit key length.
In a recent ruling, a German court described DES as "out-of-date and not safe enough" and held a bank liable for using it.
A large corporation could build one of these out of petty cash. The cost is low enough for a senior manager to hide it in a departmental budget and avoid having to announce or justify the project. Any government agency, from a major municipal police force up, could afford one too. Or any large criminal organisation, any reasonably large political group, labour union or religious group, . . .
One might wonder if a private security or detective agency would have one for rent. They wouldn't need many clients to pay off that investment.
As for the security and intelligence agencies of various nations, some of them may have had DES crackers for years. Possibly very fast ones! Cipher-cracking is one of the few known applications which is easy to speed up by just adding more processors and memory. Within very broad limits, you can make it as fast as you like if you have the budget. The EFF's $200,000 machine breaks DES in a few days. An aviation website gives the cost of a B1 bomber as $200,000,000. Spending that much, an intelligence agency could expect to break DES in an average time of six and a half minutes.
That estimate assumes they use the EFF's technology and just spend more money. They may of course have better technology, and they may have spent the price of an aircraft carrier, not just one aircraft. In short, we have no idea just how quickly these organisations can break DES. Unless they're grossly incompetent or using old technology, they can certainly do it at least as fast as the EFF, but beyond that we can't say. Pick any time unit between days and milliseconds. None of these is entirely unbelievable. More to the point, none of them is of any comfort if you don't want such organisations reading your communications.
Note that this may be a concern even if nothing you do is a threat to anyone's national security. An intelligence agency might well consider it to be in their national interest for certain companies to do well. If you're competing against such companies in a world market and that agency can read your secrets, you have a serious problem.
One might wonder about technolgy the former Soviet Union and its allies developed for cracking DES during the Cold War. They must have tried; the cipher was an American standard and widely used. How well did they succeed? Is their technology now for sale or rent?
It is now absolutely clear that DES is not secure against any well-funded opponent.
A major corporation, university, or government department could break DES by using spare cycles on their existing collection of computers, by dedicating a group of otherwise surplus machines to the problem, or by combining the two approaches. It might take them weeks or months, rather than the days required for the EFF machine, but they could do it.
What about someone working alone, without the resources of a large organisation? For them, cracking DES will not be easy, but it may be possible. A few thousand dollars buys a lot of surplus workstations, and will buy even more as Year 2000 concerns drive more old machines into the surplus market. A pile of such machines will certainly heat your garage nicely and might break DES in a few months or years. Or enroll at a university and use their machines. Or use an employer's machines. Or crack security somewhere and steal the resources to crack a DES key. Or write a virus that steals small amounts of resources on many machines. Or . . .
None of these approaches are really easy or break DES really quickly, but an attacker only needs to find one that is feasible and breaks DES quickly enough to be dangerous. How much would you care to bet that this will be impossible if the attacker is determined and/or clever? How valuable is your data? Are you authorised to risk it on a dubious bet?
DES is not secure against any opponent (even a penniless one) with access (even stolen access) to enough general purpose computers.
The same applies to attacks by networks of computers or by lone rogue programmers. In 10 years a few dozen machines will likely break DES as quickly as a network of thousands does now. In 10 years a large network will break it in days or hours.
We urge you not to enable or use single DES. We do not provide any easy way to do this since the risks are so high.
We do not, and will not, implement any 40-bit cipher.
The winning candidate from the AES project to develop a replacement for DES will almost certainly become widely used for IPSEC, but analysis takes time and no winner is expected in this century.
Meanwhile, there are two variants of DES which appear to be much better than plain DES.
One is Triple DES, usually abbreviated 3DES, which applies DES three times, with three different keys. This is tentatively believed to be much stronger than single DES, and it quite definitely turns brute-force key search into a ridiculous impossibility. 3DES is what much of our code now uses by default. 3DES is, unfortunately, about 1/3 the speed of DES, but modern CPUs still do it at quite respectable speeds.
The other DES variant is DESX, which adds trivial XOR encryption before and after a single DES. This is no stronger than plain DES in general, but it appears to blow brute-force search out of the water just as effectively as 3DES, and it is not significantly slower than plain DES. We have not implemented DESX yet (as of Jan 1999) but may do so eventually. This would be a good project for a volunteer.