AES DUKPT can replace TDES DUKPT
It is with great sadness that I learned of the demise of my first friend in cryptography, DES. I know I speak for all of us, all of us on planet Earth, when I extend a warm and heartfelt thanks for the many years of service. Even when we thought DES was dying, shortly after the turn of the century, DES lived on as two-key TDES after 2010. Many today still refuse to admit the original demise of single-key DES, but now not only is single-key DES no longer with us, its successor, two-key TDES, has also passed.
We tried to ignore NIST's original announcement in 2015. We said it can’t be true! If we ignore the announcement, it must surely go away. But alas, the news is true! After four years of ignoring the plainly obvious, we must accept the brutal and terrible truth. DES is gone! Many will cling to hopes, dreams, rainbows, and unicorn tears, and say let’s triple it now, but this too will fail. It is time to move on…
Maybe it’s just one of the many phases associated with recovering from immense trauma, but in retrospect, I can’t help but feel like we should have known, right from the start. DES appeared to have a 64-bit key, but it only used 56 bits for encryption. Regardless of the obvious deception, DES was beautiful and we accepted the dirty little secret. We moved on, and we said, we can just double it. We’ll double it and make it 112 bits of encryption. Now, some of us went too far and tried to cheat the system with clever masquerading techniques, concatenating the original key with itself to give the appearance of a double-length key. We share a certain amount of accountability for that deception. Yet, many accepted and assumed that two wrongs actually made a right.
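Two of the points above, the 56 secret bits hiding in a 64-bit DES key and the "doubled" key that is really single DES, can be checked directly. The block below is an added example, not code from the original post; it uses Go's standard crypto/des with a constructed key and plaintext, and its degenerate-key check also covers the 3-key form the post does not discuss.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

var sampleBlock = []byte("DUKPTtst") // constructed 8-byte plaintext for the checks
// IsDegenerateTDESKey flags 16-byte (K1||K2) or 24-byte (K1||K2||K3) TDES keys that
// collapse to a single DES call: K1==K2 in either form, or K2==K3 in the 24-byte form.
func IsDegenerateTDESKey(key []byte) bool {
	if len(key) == 16 {
		return bytes.Equal(key[:8], key[8:])
	}
	return len(key) == 24 && (bytes.Equal(key[:8], key[8:16]) || bytes.Equal(key[8:16], key[16:]))
}

// encryptOne encrypts sampleBlock under c, or returns nil if the key was rejected.
func encryptOne(c cipher.Block, err error) []byte {
	if err != nil {
		return nil
	}
	out := make([]byte, c.BlockSize())
	c.Encrypt(out, sampleBlock)
	return out
}

// CollapsesToSingleDES: TDES under K||K||K yields the same ciphertext as DES under K.
func CollapsesToSingleDES(k []byte) bool {
	single := encryptOne(des.NewCipher(k))
	triple := encryptOne(des.NewTripleDESCipher(bytes.Repeat(k, 3)))
	return single != nil && bytes.Equal(single, triple)
}

// IgnoresParityBits: DES drops the low (parity) bit of every key byte, so 64 key bits hold 56.
func IgnoresParityBits(k []byte) bool {
	flipped := make([]byte, len(k))
	for i := range k {
		flipped[i] = k[i] ^ 0x01
	}
	a, b := encryptOne(des.NewCipher(k)), encryptOne(des.NewCipher(flipped))
	return a != nil && bytes.Equal(a, b)
}

func main() {
	k := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF} // constructed key
	fmt.Println(IsDegenerateTDESKey(bytes.Repeat(k, 2)), CollapsesToSingleDES(k), IgnoresParityBits(k))
}
```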
Just as we’ve learned to accept that the food pyramid we grew up with, establishing a baseline of carbohydrates, is now evil and wrong, so it is with DES. What was once good for us is now bad, and we must accept it.
It seems unimaginable to move on, but we can. Opportunities for migrating to AES have been circulating for years now. Many manufacturers have been capable of supporting AES in lieu of TDES for many years. Our standards bodies have published acceptable-use standards and offered interoperable techniques.
Irrespective of the apparent and common PCI SSC schizophrenia, where we have blog posts declaring two-key TDES is only 80 bits of strength but tables declaring it is both 80 and 112, we mustn’t continue waiting for the full list of redactions. We’ve been informed. Waiting to be fined is a fool’s errand. Waiting to be breached is now willful negligence. We can do this. Eight-byte blocks will now be sixteen. AES DUKPT can replace TDES DUKPT. Devices can be re-injected. Key management techniques can be updated. Assessors can learn new standards. This is what we are all paid to do. We move on, or we fade away. I, for one, choose to move on. If you want some help or guidance, get in contact with us. But stop delaying the inevitable, or the next industry-related obituary may be regarding your company.
Contact firstname.lastname@example.org for more information.