Solved

3DES vs. AES-256

Posted on 2004-04-16
5
11,087 Views
Last Modified: 2008-03-04
Through a firmware upgrade I now have the option of using AES-256 on my VPNs instead of 3DES with essentially the same throughput. To take advatage of this upgrade, I need to shuffle around a few firewalls. Is the security increase worth the effort? I know we're talk'n 160 billion years to crack vs. 150 trillion (or something like that) but does anyone in the know have an opinion?
0
Comment
Question by:mrpez1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10850341
The only underlying issues are
1) the patent on the DES encryption algorithm expired and is now free to use. It won't be too much longer before there are cracking engines
2) the US Govt has decreed AES to be the new encryption standard for use on Gov't networks

No encryption medthod will protect you any more than another unless you have the proper policies, meet proper regulations, and deploy it using industry standard best practices.

I can't think of any good value or return on investment if the change costs you any money (staff time=money), and is not mandated by some policy or regulation that your company has to abide by.


0
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 100 total points
ID: 10868663
1)  There already are cracking engines...

http://www.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/

2)  The record for cracking 3DES stands at 22 hours

3)  AES is designed for software encryption, whereas DES was based around hardware encryption chips (VPN accelerator boards).  So AES will work a lot faster on all boxes, rather than just those with VPN accelerator cards in.
0
 
LVL 5

Author Comment

by:mrpez1
ID: 10868913
Are you sure that's not DES? 22 hours to crack 168 bits without a shortcut is pretty impressive even for the NSA.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 150 total points
ID: 10869283
Single DES has been cracked, but according to this article, 3DES still has not:
http://kingkong.me.berkeley.edu/~kenneth/courses/sims250/des.html

Also shows some good pros/cons of 3DES vs AES
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10869734
Yup.. .make that DES, not 3DES... sorry !
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the Top 10  common Cisco VPN problems are not-matching shared keys. This is an easy one to fix, but not always easy to notice, see the case below. A simple IPsec tunnel between fast Ethernet interfaces of routers SW1 (f1/1) and R1(f0/0). …
Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question