How long to trust 3DES
- From: "Alan" <a__l__a__n@xxxxxxxxxxx>
- Date: 12 Sep 2006 09:05:23 -0700
Numerous applications continue to use 3DES (For discussion purposes,
think of three key triple DES, CBC, protecting files in the 5-10Gb
range) to protect valuable information. In some cases information is
being encrypted today that must remain secure for 10, 15, maybe 20
years or more. So it must be asked: Will 3DES - encrypted content be
secure against anticipated threats over that time frame?
It is easy to say just replace 3DES with one of the standard AES
configurations, but a business must be made based on costs and risk
analysis. To do that risk analysis, we have to know how soon the
attacker's capability will overtake 3DES (in other words, when will the
cost of the attack be justified by the value of the asset to the
attacker?) I understand the value of the asset over time. I need to
know the capability of an attacker over time.
I'm looking for a reasonable approach to assess the changing risk over
time so we can make a logical business decision about replacing the
algorithm. Any comments or advice would be welcome.