Fact-checked by Grok 2 weeks ago

EFF DES cracker

The EFF DES cracker, nicknamed Deep Crack, was a custom-built hardware machine developed by the Electronic Frontier Foundation (EFF) in 1998 to perform brute-force attacks on the Data Encryption Standard (DES), a symmetric-key block cipher with a 56-bit key length adopted as a U.S. federal standard in 1977.^[1] Designed to test over 88 billion keys per second using specialized microchips, it recovered the DES key for RSA Laboratories' DES Challenge II in 56 hours, securing a $10,000 prize and shattering the prior record of 39 days set by distributed computing networks.^[1] Constructed in under a year for less than $250,000, the system comprised multiple circuit boards housing custom-designed chips optimized for DES key search, demonstrating that DES could be practically compromised by modestly resourced attackers.^[1] The project aimed to refute U.S. government claims that DES remained secure against brute-force attacks, amid debates over export restrictions on stronger cryptography that limited commercial availability of robust encryption tools.^[2] EFF's effort highlighted the feasibility of building unclassified hardware capable of exhausting DES's 2⁵⁶ key space in days rather than years, countering assertions by officials that only nation-states could pose such threats.^[2] In collaboration with distributed.net, an enhanced demonstration later cracked DES Challenge III in 22 hours and 15 minutes, further underscoring DES's obsolescence.^[2] Deep Crack's success catalyzed the cryptographic community's shift away from DES, prompting recommendations for longer keys or alternatives like Triple DES and paving the way for the Advanced Encryption Standard (AES) selection process initiated by NIST in 1997.^[2] By open-sourcing design principles in publications such as Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design, EFF advanced transparency in security evaluation, influencing policy reforms that eased export controls and emphasized empirical testing over theoretical assurances.^[2] The machine exemplified first-principles hardware optimization for cryptanalysis, relying on parallelized key trials via field-programmable gate arrays and application-specific integrated circuits precursors, without dependence on classified technology.^[1]

Historical Context

Origins of DES and Key Size Debates

The Data Encryption Standard (DES) traces its origins to IBM's Lucifer cipher, an early block cipher developed in the late 1960s and refined in the early 1970s as a proprietary encryption system for protecting sensitive data.^[3] In 1972, the National Bureau of Standards (NBS, predecessor to NIST) conducted a study on U.S. government computer security needs, identifying the lack of a standardized encryption algorithm for non-classified data protection, which prompted a call for proposals in May 1973.^[4] IBM submitted a modified version of Lucifer, featuring a 64-bit block size and a 64-bit key (with 8 bits for parity, yielding 56 effective key bits), which underwent review and modifications by the National Security Agency (NSA) before NBS selected it in 1975.^[3] The algorithm was finalized and published as Federal Information Processing Standard (FIPS) 46 on January 15, 1977, mandating its use for federal non-classified data encryption.^[5] The reduction of the key size from Lucifer's earlier variants, which supported up to 128 bits, to DES's 56 effective bits became a focal point of debate, attributed partly to IBM's desire to implement the cipher on a single hardware chip and NSA recommendations for export controls and perceived adequacy against contemporary threats.^[6] During the 1975 public comment period on the proposed standard, cryptographers including Whitfield Diffie and Martin Hellman criticized the 56-bit key as insufficient for long-term security, projecting that advances in computing hardware—extrapolating from trends like Moore's law—could enable brute-force exhaustive searches of the 2^{56} key space within a decade using custom-built rigs costing under $1 million.^[7] They argued that the key length prioritized short-term feasibility over enduring protection, potentially leaving systems vulnerable to state or well-resourced attackers as processor speeds and parallelization improved.^[7] NSA involvement in modifying the algorithm's S-boxes and endorsing the key size fueled suspicions of deliberate weakening to facilitate government decryption, though the agency publicly affirmed in 1975 that the design resisted all known cryptanalytic attacks and that the key length sufficed for unclassified commercial applications, without disclosing classified rationale.^[8] Independent analyses, including those by academic researchers in the late 1970s, verified the S-boxes' resistance to differential cryptanalysis (unknown at the time) but upheld concerns over brute-force vulnerability, estimating that DES's key space could be searched in approximately 22 hours using 2,000 custom chips each performing 100,000 encryptions per second—feasible with projected 1980s technology.^[8] Despite these debates, NBS adopted DES unchanged, balancing standardization needs against critics' calls for longer keys like 80 or 128 bits, a decision later validated as prescient by the algorithm's resilience to non-brute-force attacks but presciently flawed in key strength.^[7]

Government Export Controls and Crypto Policy

In the 1990s, the U.S. government imposed stringent export controls on cryptographic technologies under the Export Administration Regulations (EAR), administered by the Department of Commerce, and the International Traffic in Arms Regulations (ITAR), overseen by the State Department, classifying strong encryption as a controlled commodity akin to munitions.^[9] These regulations restricted exports of non-government encryption to key strengths of 40 bits or the 56-bit Data Encryption Standard (DES), with stronger algorithms requiring licenses or key escrow mechanisms to ensure U.S. intelligence access.^[10] The policy rationale emphasized national security, positing that DES provided adequate protection for commercial use while preventing adversaries from acquiring unbreakable codes, though officials downplayed the feasibility of brute-force attacks on 56-bit keys by asserting that effective cracking hardware would exceed $1 million in cost and remain beyond reach of foreign governments or private entities without massive state resources.^[11] The Electronic Frontier Foundation (EFF) launched its DES cracker project in 1997 explicitly to refute these claims and inject empirical evidence into the cryptography export debate. By constructing specialized hardware capable of testing 100 billion keys per second at a total cost of about $250,000, EFF demonstrated on July 17, 1998, that a 56-bit DES challenge from RSA Data Security could be cracked in 56 hours using off-the-shelf components and custom field-programmable gate arrays (FPGAs).^[1] This achievement underscored the vulnerability of export-approved encryption, as DES—promoted by the government as a secure baseline—proved susceptible to dedicated attacks far cheaper and faster than anticipated, thereby challenging the controls' premise that weaker crypto sufficed for international markets without risking proliferation of superior defenses.^[2] EFF's efforts amplified criticisms that export restrictions handicapped U.S. industry by forcing bifurcated product lines—stronger domestic versions versus crippled exports—while adversaries faced no such barriers, potentially eroding American competitiveness in global e-commerce and data security. The project's hardware design was released under a public domain license to sidestep export controls on cryptographic technical data, though accompanying software documentation was initially limited to print to avoid ITAR violations.^[1] In response to such demonstrations, mounting industry lobbying, and legal challenges like Bernstein v. United States Department of Justice, the Clinton administration in September 1999 deregulated most retail encryption exports, permitting stronger keys without licenses to non-embargoed nations and effectively ending blanket restrictions on algorithms exceeding DES strength.^[12]

Early Cracking Attempts

In the years following the adoption of the Data Encryption Standard (DES) in 1977, initial concerns about its 56-bit key length prompted theoretical assessments of brute-force feasibility. Cryptographers Whitfield Diffie and Martin Hellman argued in 1977 that a coordinated hardware effort costing approximately $1 million could exhaust the 2^{56} key space in about one day, highlighting vulnerabilities as computing power advanced. These estimates relied on projections of custom chip performance, assuming parallel processing units capable of millions of encryptions per second, but lacked implemented hardware due to prohibitive costs and technological limitations at the time. Practical hardware experiments emerged in the 1980s, with researchers proposing specialized chips for key testing. For instance, designs from that era envisioned single chips evaluating around 500,000 keys per second, scalable to larger arrays, though actual prototypes remained small-scale and insufficient for full exhaustive searches, often limited to demonstrating partial key space coverage over extended periods. These efforts underscored causal trade-offs in cost, speed, and scale: while Moore's Law trends suggested accelerating viability, economic barriers delayed comprehensive builds, with no public full-keyspace cracks achieved.^[13] A significant advance occurred in 1993 when Michael J. Wiener of Bell-Northern Research detailed an architecture for an exhaustive DES cracker costing under $1 million, utilizing approximately 8,000 custom application-specific integrated circuits (ASICs) operating at 50 MHz to test keys at rates enabling an average crack time of 3.5 hours. Wiener's design optimized pipeline processing for DES's Feistel structure, minimizing inter-chip communication overhead, and included power-efficient cooling via immersion in mineral oil. He also demonstrated a prototype using off-the-shelf field-programmable gate arrays (FPGAs), achieving modest throughput to validate the approach, though scaling to full capacity required custom fabrication not pursued commercially at the time. This work empirically demonstrated that DES security rested on assumptions of static hardware economics, vulnerable to targeted engineering rather than general-purpose computing.^[14]^[15]

Development

EFF's Project Initiation

The Electronic Frontier Foundation (EFF) initiated its DES cracker project in 1997 as an investigation into the feasibility of hardware-based brute-force attacks on the Data Encryption Standard (DES), aiming to empirically demonstrate the algorithm's vulnerability due to its 56-bit key size.^[11] The effort was driven by concerns over ongoing U.S. government export controls on stronger cryptography and claims by officials that DES remained sufficiently secure for commercial use, with the project seeking to quantify the real-world cost and speed of cracking to inform public policy debates.^[1] EFF co-founder John Gilmore served as the project leader, coordinating the research to build unclassified hardware capable of searching the full 2^56 keyspace efficiently.^[16] Initial work focused on assessing custom field-programmable gate array (FPGA) designs for DES key search, drawing on prior academic and industry analyses of DES weaknesses while avoiding classified techniques.^[2] By early 1998, the project had progressed to prototyping, motivated in part by distributed computing efforts like DESCHALL that highlighted software limitations against dedicated hardware.^[17] EFF's approach emphasized transparency, with the goal of publishing detailed methodologies to counter perceptions of DES adequacy propagated by agencies like the National Security Agency.^[11] This initiation marked EFF's shift from advocacy to hands-on engineering demonstration, underscoring that brute-force attacks were becoming economically viable for non-state actors.^[1]

Funding and Team Assembly

The Electronic Frontier Foundation (EFF) fully funded the DES cracker project, with total costs amounting to approximately $210,000.^[11] This budget included $80,000 allocated for design, integration, and testing, alongside $130,000 for materials such as custom chips, circuit boards, power supplies, and other components.^[11] EFF co-founder John Gilmore played a pivotal role in securing and managing these funds, enabling the project's completion well under an initial $250,000 target without reliance on external grants or sponsorships.^[17] Team assembly began in 1997 under EFF's coordination, drawing on a compact group of fewer than ten part-time experts from cryptography, hardware engineering, and software development domains.^[17] Paul Kocher, president of Cryptography Research, served as the principal designer, specifying the custom DES-cracking ASIC chips, developing the core software architecture, and overseeing hardware-software integration.^[18] Tom Vu from Cryptography Research contributed the VHDL designs for the chips, while Josh Jaffe supported related technical efforts.^[17] Hardware fabrication was outsourced to Advanced Wireless Technologies, which produced 1,856 custom ASIC chips and 29 circuit boards, with assistance from Mike Cheponis of California Wireless, as well as Mitch Bradley and Mark Insley from FirmWorks for integration and testing.^[11] Software components, including drivers and control systems, were developed primarily by Kocher and Eric Young as a volunteer effort over 2-3 weeks, released in public domain by April 1998.^[11] John Gilmore managed overall project logistics, with legal support from EFF staff Lee Tien and John Liebman to navigate policy and export considerations.^[11] This lean, specialized collaboration allowed completion of the machine in about 18 months from chip contract signing in September 1997.^[17]

RSA DES Challenges as Catalysts

In January 1997, RSA Security initiated the DES Challenges, a series of public contests offering monetary prizes for brute-force cracking of DES-encrypted messages with known plaintext, aimed at underscoring the vulnerabilities of the 56-bit key size.^[2] The inaugural challenge was solved in 96 days by the DESCHALL Project, a distributed computing effort coordinating thousands of Internet-connected machines, revealing that DES could be compromised through coordinated volunteer resources but requiring extended timeframes.^[19] Subsequent iterations, including DES Challenge II-1 issued in late 1997, were cracked faster—in 39 days—by distributed.net, a similar volunteer network, demonstrating accelerating feasibility as computational power grew and coordination improved.^[2] These software-based successes, while highlighting DES's theoretical breakability, relied on massive, decentralized participation, prompting debates on practical threats from well-resourced adversaries like governments or corporations unhindered by volunteer constraints. The challenges directly spurred the Electronic Frontier Foundation (EFF) to launch its DES Cracker project in 1998, seeking to prove that dedicated, affordable hardware could drastically reduce cracking times without distributed networks, thereby exposing DES's inadequacy against targeted attacks.^[1] EFF's machine, completed for under $250,000, won DES Challenge II-2 on July 17, 1998, by recovering the key in 56 hours—orders of magnitude faster than prior efforts—validating hardware's superior efficiency for exhaustive key searches.^[20] This hardware demonstration extended the challenges' impact, influencing DES Challenge III in January 1999, where EFF collaborated with distributed.net to crack the key in 22 hours, further eroding confidence in DES and catalyzing industry shifts toward longer-key alternatives like Triple DES and AES.^[19] The EFF's participation reframed the contests from proofs-of-concept reliant on crowdsourcing to evidence of scalable, low-cost threats, intensifying pressure on policymakers and standards bodies to phase out DES.^[1]

Technical Design

Hardware Components and Architecture

The EFF DES Cracker employed a straightforward parallel architecture centered on a host personal computer interfacing with an array of custom application-specific integrated circuit (ASIC) chips dedicated to DES key searching. The host PC, running Linux or Windows 95, coordinated the brute-force search by allocating blocks of the 56-bit keyspace to the chips, loading plaintext and ciphertext data, and processing match results from the chips' internal recognizers.^[11]^[17] This design prioritized superscalar parallelism within chips over deep pipelining, enabling efficient key testing via on-chip DES engines, key schedulers, and comparison logic, with each chip handling multiple independent search units.^[17] Core hardware components consisted of 1,536 custom "Deep Crack" ASIC chips, fabricated by Advanced Wireless Technologies using VHDL for design and verification. Each chip integrated 24 parallel search units, a FIPS PUB 46-compliant DES encryption core with optimized S-boxes and permutations, a key counter for sequential testing, and static RAM for plaintext filtering to reduce false positives. Operating at 40 MHz, individual chips evaluated approximately 60 million keys per second, yielding a system-wide rate of over 92 billion keys per second across all units.^[11]^[17] Chips communicated via 50-pin ribbon cables for data distribution and results aggregation, with interfaces to the host PC managed through parallel ports or National Instruments PC-DIO-24 cards at base address 0x210.^[17] The chips were mounted on 24 custom 9U VMEbus circuit boards, each accommodating 64 chips, housed in two Sun-4/470 chassis for power and cooling. Each board incorporated SRAM buffers and hybrid circuits supporting four 1 Mbit RAMs per chip for intermediate storage during key expansion and encryption. Power supplies and forced-air cooling systems sustained continuous operation, with the entire assembly scalable to up to 16,384 chips on 256 boards if expanded. Total material costs approximated $130,000, with design expenses adding to a project budget under $250,000.^[1]^[17] Alternative prototypes explored field-programmable gate arrays (FPGAs) or complex programmable logic devices (CPLDs) like Altera FLEX8000 series for prototyping, but production relied on ASICs for density and speed.^[17] This hardware configuration achieved DES key recovery in an average of 4.5 days, demonstrating the feasibility of dedicated silicon for exhaustive search against 2^56 possibilities. Each key test required 16-17 clock cycles, incorporating speculative execution and early mismatch detection to minimize full encryptions.^[11]^[17] The design's modularity allowed software-directed keyspace partitioning, avoiding redundant searches and enabling collaboration with distributed computing efforts.^[1]

Brute-Force Methodology

The EFF DES cracker, Deep Crack, executed a brute-force attack by exhaustively enumerating the full 56-bit DES keyspace of $2^{56} = 72,057,594,037,927,936 possible keys, testing each until the correct one decrypted a target ciphertext to match its known corresponding plaintext.^[2] This method rejected partial or probabilistic attacks, instead relying on complete coverage to guarantee discovery of the key, as DES's symmetric structure permits no shortcuts beyond exhaustive search without additional cryptanalytic weaknesses.^[11] Key trials proceeded in parallel across hardware units, with subsets of the keyspace partitioned and assigned to avoid duplication; keys within each subset were generated sequentially via hardware counters or equivalent mechanisms to increment systematically through binary combinations.^[21] For verification, each trial involved a complete DES decryption of the fixed challenge ciphertext using the candidate key, followed by a direct bitwise comparison of the output against the expected plaintext; a full match signaled success and interrupted the process to report the key to the controlling host computer.^[2] This plaintext-recovery criterion ensured unambiguous identification, as random keys yield pseudorandom outputs with negligible collision probability under DES.^[21] To enhance efficiency, the design incorporated optimizations such as looped or pipelined DES implementations that minimized latency between trials, though it prioritized raw throughput over complex key scheduling to maintain hardware simplicity and reliability across the array.^[21] The methodology's scalability allowed integration with distributed computing networks, where Deep Crack handled dense hardware-parallel segments while volunteer PCs covered sparser regions, collectively achieving up to 245 billion keys per second in demonstrations.^[2] This rigorous, hardware-driven enumeration proved DES's susceptibility to feasible real-world attacks using off-the-shelf components and custom engineering, without relying on software emulation's inefficiencies.^[1]

Performance and Optimization

The EFF DES cracker achieved a peak performance of 92.16 billion keys per second, enabling it to exhaustively search the 2^{56} DES keyspace in an average of 4.52 days under ideal conditions.^[17] In practice, during the July 1998 demonstration against RSA Data Security's DES Challenge II, the machine operated at an effective rate of approximately 88 billion keys per second, recovering the target key after 56 hours of continuous operation.^[1] This performance stemmed from 1,536 custom application-specific integrated circuits (ASICs), each incorporating 24 parallel search units capable of evaluating 2.5 million keys per second at a 40 MHz clock speed.^[17] Optimization focused on minimizing latency in the DES core while maximizing throughput via hardware-specific tailoring. The ASICs employed a pipelined architecture requiring only 16 clock cycles per full DES encryption-decryption cycle, with speculative precomputation of S-box lookups to overlap computation stages and reduce pipeline stalls.^[17] Key generation was accelerated using Galois linear feedback shift registers (LFSRs) for efficient pseudorandom traversal of keyspace subsets, bypassing slower incrementers and minimizing gate propagation delays in the 32-bit key counter logic.^[17] To mitigate false positives in plaintext verification, a dual-ciphertext recognizer filtered outputs, ensuring high-fidelity matches without halting the search pipeline.^[17] Further efficiencies arose from system-level adaptations, including automatic configuration software that detected and bypassed defective chips—initial fabrication yields were imperfect, reducing effective capacity to about 70% in early tests—while distributing workload across 29 VMEbus boards housed in modified Sun-4/470 chassis for dense packing and reliable inter-board signaling via ribbon cables.^[17] The design supported both ECB and CBC modes, with VHDL-synthesized components like permutation tables (PC-1, PC-2) and multiplexers optimized for brute-force rather than general-purpose encryption, prioritizing raw key trial volume over flexibility.^[17] These choices, implemented at a total hardware cost under $210,000, demonstrated that specialized silicon could render 56-bit keys operationally insecure against determined adversaries equipped with modest resources.^[17]

Achievements and Demonstrations

Cracking DES Challenge II

The Electronic Frontier Foundation's (EFF) DES Cracker, dubbed Deep Crack, cracked RSA Laboratories' DES Challenge II-2 on July 17, 1998, by recovering the 56-bit key encrypting a known plaintext message.^[1]^[2] The challenge offered a $10,000 prize for the first to decrypt the message, which Deep Crack achieved in 56 hours, shattering the previous record of 39 days set by distributed.net's volunteer computing network for DES Challenge II-1.^[1]^[22] Deep Crack operated at a sustained rate of 88 billion keys per second, enabling it to exhaust roughly 88% of the 72 quadrillion possible DES keys within the allotted time.^[1] This brute-force approach relied on 1,856 custom application-specific integrated circuits (ASICs) designed specifically for DES key testing, housed across 29 printed circuit boards and controlled by a standard personal computer running Linux.^[2] The entire machine was constructed for under $250,000 using commercially available components, underscoring the feasibility of dedicated hardware attacks against DES.^[1]^[2] The successful crack validated EFF's contention that DES's 56-bit key length provided inadequate security against determined adversaries with access to specialized hardware, as the attack required no advanced cryptanalytic techniques beyond exhaustive search.^[1] EFF documented the project in the 1998 book Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design, which detailed the hardware architecture, design challenges, and policy implications of DES's vulnerability.^[2] This achievement prompted renewed calls from cryptographers and civil liberties advocates for transitioning to stronger encryption standards, highlighting how government resistance to exportable strong crypto had left widely deployed systems exposed.^[1]

Collaboration with distributed.net

In January 1999, the Electronic Frontier Foundation (EFF) collaborated with distributed.net to tackle RSA Security's DES Challenge III, which involved recovering a 56-bit DES key from a provided ciphertext.^[22] This partnership integrated EFF's Deep Crack hardware—capable of testing approximately 100 billion keys per second—into distributed.net's distributed computing framework, allowing the specialized machine to contribute alongside a volunteer network of roughly 100,000 personal computers worldwide.^[19]^[23] The collaboration was facilitated by modifications to distributed.net's software, enabling Deep Crack to process key search workloads in coordination with the distributed clients, thereby pooling heterogeneous computational resources for a unified brute-force attack.^[22] The joint effort succeeded on January 19, 1999, recovering the key in a record 22 hours, 15 minutes, and 4 seconds, far surpassing previous DES challenges that had required days or months.^[24] This achievement demonstrated the effectiveness of hybrid cracking methodologies, combining purpose-built ASIC hardware with volunteer-driven distributed processing, and highlighted DES's vulnerability to scalable, real-world attacks even without relying solely on massive centralized supercomputing.^[19] RSA Security awarded the $10,000 prize to EFF and distributed.net, underscoring the practical obsolescence of 56-bit DES for protecting sensitive data.^[23] The collaboration built on distributed.net's prior success with DES Challenge II-1, solved in 39 days using only distributed computing, but leveraged Deep Crack to accelerate the process dramatically.^[22]

Cost and Scalability Analysis

The EFF DES cracker, known as Deep Crack, was constructed for under $250,000 in 1998, covering the design of custom application-specific integrated circuits (ASICs), fabrication of 1,856 chips, assembly of 29 circuit boards, and integration with a standard host personal computer.^[1]^[25] This expenditure yielded a brute-force search rate of approximately 92 billion keys per second, enabling the decryption of a 56-bit DES key in an average of 2.5 days for the DES Challenge II-2, far outperforming contemporaneous general-purpose computing alternatives on a cost-per-key-searched basis.^[26] The hardware's modular architecture, relying on parallel arrays of custom chips optimized for DES's S-box operations, supported linear scalability: performance scaled directly with the number of added boards or chips, without significant diminishing returns from inter-component communication overhead.^[17] Projections based on this design indicated that scaling to a $1 million budget—roughly quadrupling the hardware—could reduce average exhaustive search time for a 56-bit key to about one day, assuming proportional chip yields and fabrication efficiencies.^[26] However, scalability was inherently limited to DES-specific brute force, as the ASICs lacked reprogrammability for other ciphers, rendering the approach non-generalizable without redesign costs exceeding the original investment. In comparison to distributed volunteer computing efforts, such as distributed.net's software-based cracking which relied on millions of heterogeneous CPUs achieving far lower effective keys-per-second per dollar due to overheads in coordination and underutilized cycles, Deep Crack demonstrated superior efficiency for targeted DES attacks.^[27] Post-1998 advancements in semiconductor fabrication further enhanced prospective scalability; equivalent performance could have been realized for under $100,000 by 2000 through commoditized components and process shrinks, underscoring the project's role in highlighting hardware specialization's economic advantages for narrow cryptographic workloads.^[27]

Impact and Legacy

Acceleration of DES Obsolescence

The Electronic Frontier Foundation's DES cracker, operationalized in July 1998, empirically demonstrated the feasibility of brute-force attacks on the 56-bit Data Encryption Standard by recovering a key from the RSA DES Challenge II in 56 hours using custom hardware costing approximately $250,000.^[20] This achievement provided concrete evidence that DES, adopted by the U.S. government in 1977, was vulnerable to determined adversaries with access to specialized equipment, shifting the cryptography debate from theoretical concerns over key length to practical timelines for compromise.^[1] Prior warnings from cryptographers about DES's shrinking effective security margin due to Moore's Law were thus validated, underscoring that exhaustive search of the 2^56 keyspace—about 72 quadrillion possibilities—could be completed within days rather than years.^[17] The demonstration accelerated institutional recognition of DES's obsolescence, prompting the National Institute of Standards and Technology (NIST) to reinforce its ongoing transition efforts. Although NIST had initiated the Advanced Encryption Standard (AES) development in 1997 amid growing unease over DES, the EFF's results highlighted the urgency, influencing federal guidelines to deprecate single-DES usage in favor of interim measures like Triple DES while prioritizing AES adoption.^[7] By 1999, FIPS 46-3 explicitly endorsed AES coexistence with DES for gradual migration, but the cracker's proof-of-concept expedited industry shifts, as organizations reassessed risks of DES deployment in financial systems, government communications, and emerging internet protocols.^[28] Long-term, the EFF project catalyzed broader cryptographic realism, contributing to NIST's formal withdrawal of DES approval in 2005, after which AES-128 and stronger variants became the federal standard for protecting sensitive information.^[29] The event emphasized scalable hardware threats, informing subsequent standards like AES (finalized in 2001) to incorporate larger key sizes (128, 192, or 256 bits) resistant to foreseeable brute-force economics.^[30] This empirical push avoided prolonged reliance on DES variants, fostering a landscape where key lengths below 80 bits are now broadly considered insecure against state-level resources.^[31]

Transition to Stronger Standards like AES

The EFF DES cracker's demonstration in July 1998, which recovered a DES key in 56 hours using custom hardware costing approximately $250,000, provided empirical evidence of DES's vulnerability to brute-force attacks, underscoring the inadequacy of its 56-bit effective key length against specialized computing resources.^[11] This real-world feasibility of key exhaustion—achieving over 90 billion keys per second—contrasted sharply with theoretical assessments, compelling cryptographic policymakers to prioritize alternatives resistant to similar hardware accelerations.^[1] In anticipation of such breakthroughs, the National Institute of Standards and Technology (NIST) had launched the AES development process in 1997, soliciting public submissions for a successor to DES with block sizes of 128 bits and key lengths starting at 128 bits to ensure security margins far exceeding DES's.^[30] The DES cracker's success reinforced the urgency of this transition, validating concerns that DES's key space of 2^56 operations was within reach of non-state actors, while AES's minimum 2^128 key space demanded resources orders of magnitude beyond practical limits, even with advanced ASICs. NIST selected the Rijndael algorithm as AES on October 2, 2000, publishing it as FIPS 197 in 2001, thereby establishing a symmetric cipher designed for both software efficiency and long-term brute-force resilience.^[32] As a bridge measure, Triple DES (3DES)—encrypting data thrice with distinct DES keys, yielding an effective 168-bit strength—was approved by NIST in 1999 for legacy systems, though its slower performance and potential vulnerability to related attacks positioned it as temporary.^[32] The DES cracker's implications extended to this interim solution, as subsequent analyses showed 3DES's effective security closer to 112 bits against exhaustive search, still feasible with scaled hardware but far costlier than single DES. By 2005, NIST formally withdrew DES validation, mandating AES for federal use and phasing out 3DES by 2030 in updated guidelines, reflecting the cracker's role in empirically driving obsolescence timelines.^[31] This shift emphasized key length as a primary defense against hardware-accelerated attacks, influencing modern standards to incorporate not only larger keys but also structures resistant to linear and differential cryptanalysis, lessons absent in DES's Feistel design.^[30] The transition validated first-principles scaling: doubling key bits exponentially increases attacker effort, rendering AES impervious to the DES cracker's methodology even if replicated at greater scale.

Lessons for Modern Cryptography

The EFF DES cracker empirically demonstrated the inadequacy of DES's 56-bit effective key length against brute-force attacks, recovering an encrypted challenge key on July 17, 1998, after searching approximately 88 billion keys per second for 56 hours using custom hardware assembled for under $250,000.^[11] This feat exposed how short keys enable exhaustive searches within practical timeframes and budgets, as the total keyspace of 2^56 possibilities proved traversable by specialized rigs far cheaper than supercomputers.^[11] For modern symmetric ciphers, the lesson is clear: key lengths below 90 bits risk similar vulnerabilities given hardware optimizations, necessitating minimums of 128 bits or more to maintain security margins against projected advances in compute density and parallelism.^[11]^[33] Specialized hardware architectures, such as the cracker's array of 1,856 application-specific integrated circuits (ASICs) designed for DES's S-box operations, achieved performance unattainable by general-purpose CPUs of the era, outperforming software-only efforts by factors exceeding 100,000.^[11] This underscores a enduring principle for cryptographic design: attacks leveraging field-programmable gate arrays (FPGAs) or custom silicon can erode security far faster than Moore's Law alone predicts, as seen in subsequent reductions where equivalent DES-cracking capability dropped to about $15,000 and 7 hours by the mid-2000s.^[33] Modern practitioners must thus incorporate hardware attack models into threat assessments, favoring algorithms resistant to parallelization and encouraging diversification beyond single-cipher reliance to mitigate targeted accelerations. The project's collaboration with distributed.net, which combined the hardware with volunteer software searches to crack DES Challenge II in 22 hours and 15 minutes on January 19, 1999, illustrated the hybrid threat of centralized rigs augmented by global distributed computing.^[2] This hastened DES's obsolescence, directly influencing federal transitions to Triple DES (effective key length 168 bits) as an interim measure and the selection of AES-128/256 via NIST's 2000 competition, finalized in FIPS 197 on November 26, 2001.^[33] For today's cryptography, the core takeaway is proactive standard evolution: empirical demonstrations like Deep Crack compel ongoing audits of key entropies against real-world attack economics, avoiding overreliance on theoretical security and prioritizing algorithms with provable resistance to both classical brute force and emerging paradigms like quantum computing.^[33] Systems lingering on legacy short-key implementations face amplified risks from botnets or cloud-scale parallelism, reinforcing the need for cryptographic agility in protocols.^[33]

References

[1]
EFF DES CRACKER MACHINE BRINGS HONESTY TO CRYPTO ...
Aug 9, 2016 · A DES cracker is a machine that can read information encrypted with DES by finding the key that was used to encrypt that data. DES crackers have ...
[2]
EFF Builds DES Cracker that proves that Data Encryption Standard ...
Jan 19, 1999 · EFF set out to design and build a DES Cracker to counter the claim made by U.S. government officials that American industry or foreign ...Introduction · Background
[3]
DES - ASecuritySite.com
After an evaluation by the NSA, Lucifer's key size was reduced from 112 bits to 56 bits, after which it was published as the DES standard in 1975. DES then ...
[4]
Blog Archive » DES, Breaking DES, and DES Variants - Sysax
May 19, 2014 · History of Data Encryption Standard (DES): The origins of DES go back to the early 1970s. In 1972, after concluding a study on the US ...
[5]
Exploring the Data Encryption Standard - Kobalt.io
Developed in the early 1970s by IBM, the Data Encryption Standard (DES) was established as a federal standard in the United States in 1977. The National ...
[6]
Why was DES with 112 bit keys (IBM) reduced to 56?
May 9, 2016 · The NSA convinced IBM that 56 bits was "enough": But whereas Lucifer had a key that was 112 bits long, the DES key was shortened to 56 bits ...
[7]
Cryptography | CSRC - NIST Computer Security Resource Center
Critics argued that the effective DES key length of 56 bits (64-bit key minus 8 checksum bits) was too short for long-term security, and that expected increases ...Missing: debate | Show results with:debate
[8]
[PDF] The Data Encryption Standard - Princeton University
In response to these concerns, NSA publicly stated that the reduced key size was sufficient for use in unclassified applications and, furthermore, that the IBM ...Missing: debate | Show results with:debate
[9]
Encryption Export Controls - EveryCRSReport.com
Jan 11, 2001 · Encryption exports are controlled under the Arms Export Control Act (AECA) and the Export Administration Act (EAA), the latter statute to expire August 20, ...
[10]
[PDF] US Export Control of Encryption Software: Efforts to Protect National ...
The US has imposed severe export controls on encryption software, classified it as a threat to national security, and tightly controls its export.
[11]
The Electronic Frontier Foundation
Jul 16, 1998 · A 'DES Cracker' is a machine that can read information encrypted with DES by finding the key that was used to encrypt that data. The easiest ...Missing: details | Show results with:details
[12]
Doomed to Repeat History? Lessons from the Crypto Wars of the ...
Jun 17, 2015 · In September 1999, the White House announced a sweeping policy change that removed virtually all restrictions on the export of retail encryption ...Missing: DES | Show results with:DES
[13]
CSC 580: Cryptography and Security in Computing
Published papers from the early 1980's suggested that a DES key-cracking chip could be built that would test around half a million (about 219) keys per ...<|control11|><|separator|>
[14]
[PDF] Efficient DES Key Search
Aug 20, 1993 · We show how to build an exhaustive DES key search machine for $1 million that can find a key in 3.5 hours on average. The design for such a ...
[15]
Brute force attacks on cryptographic keys
Oct 29, 2001 · The July 1998 RSA challenge ("DES Challenge II-2") was won by the EFF DES Cracker machine (sometimes called "Deep Crack"). The EFF press ...
[16]
The RISKS Digest Volume 20 Issue 18
Jan 29, 1999 · ... DES offers adequate security," said John Gilmore, EFF co-founder and project leader. "The government's current encryption policies favoring ...Missing: origins | Show results with:origins
[17]
[PDF] secrets of encryption research, wiretap politics & chip design
... DES Cracking. 1-8. EFF's DES Cracker Project. 1-8. Architecture. 1-9. Who Else Is Cracking DES? 1-16. What To Do If You Depend On DES. 1-17. Conclusion. 1-18. 2 ...
[18]
EFF DES cracker | Crypto Wiki - Fandom
In 1998, the EFF built Deep Crack for less than $250,000. ... In response to DES Challenge II-2, on July 17, 1998, Deep Crack decrypted a DES-encrypted message ...
[19]
Distributed.Net & EFF Win RSA's DES Challenge III
Jan 19, 1999 · Less than one year later and for well under U.S. $250,000, the EFF, using its DES Cracker, entered and won the RSA DES Challenge II-2 ...
[20]
EFF DES Cracker Press Release, July 17, 1998
Jul 17, 1998 · To prove the insecurity of DES, EFF built the first unclassified hardware for cracking messages encoded with it. On Wednesday of this week the ...
[21]
[PDF] Experience Using a Low-Cost FPGA Design to Crack DES Keys
Other work has been done before and since on FPGA based cracker designs such as [14,8] and most of these designs appear to have been synthesised and tested.<|separator|>
[22]
Project DES - distributed.net
Jun 26, 2010 · The RSA DES-II-2 contest was won by the EFF DES Hardware Cracker on 17-Jul-1998, although distributed.net raced closely behind them in terms of ...Missing: Data Security
[23]
Projects - distributed.net
Mar 11, 2015 · We successfully finished it after 22.5 hours with the help of EFF's Deep Crack custom DES cracker and achieved the $10K prize. For more ...Missing: collaboration | Show results with:collaboration<|separator|>
[24]
History & Timeline - distributed.net
RSA's DES Challenge III begins. January 19, 1999. distributed.net and EFF solve the DES-III challenge in a record 22 hours, 15 minutes, 4 seconds. January 23 ...Missing: collaboration | Show results with:collaboration
[25]
crack.sh | The World's Fastest DES Cracker
In 1998 the Electronic Frontier Foundation built the EFF DES Cracker. It cost around $250,000 and involved making 1,856 custom chips and 29 circuit boards, ...
[26]
[PDF] An Overview of Cryptography
Jun 30, 2010 · Since the design is scalable, this suggests that an organization could build a DES cracker that could break 56-bit keys in an average of a ...
[27]
DES is Not Secure - FreeS/WAN
Networks break DES in a few weeks Before the definitive EFF effort, DES had been cracked several times by people using many machines. See this press release ...Missing: attempts | Show results with:attempts
[28]
[PDF] FIPS 46-3, Data Encryption Standard (DES) (withdrawn May 19, 2005)
Oct 25, 1999 · ... DES and the Advanced Encryption Standard (AES) will coexist as. FIPS approved algorithms allowing for a gradual transition to AES. (The AES ...Missing: timeline deprecation
[29]
NIST Withdraws Outdated Data Encryption Standard
Jun 2, 2005 · The DES is being withdrawn because it no longer provides the security that is needed to protect federal government information.Missing: timeline AES
[30]
[PDF] Development of the Advanced Encryption Standard
Aug 16, 2021 · In December of 2001, after five years of effort, the finished standard was approved and published.
[31]
[PDF] Transition to Advanced Encryption Standard (AES), May 2024 - CISA
In 2005, NIST withdrew its approval of the Data Encryption Standard (DES) and incorporated AES as the new encryption algorithm under the Federal Information ...
[32]
Security Implications of Using the Data Encryption Standard (DES)
... DES key in the worst-case time of around 9 days, and in 4.5 days on average. Quoting from [EFF98], "The design of the EFF DES Cracker is simple in concept.
[33]
Security Implications of Using the Data Encryption Standard (DES)
This note discusses DES security implications in detail, so that designers and implementers have all the information they need to make judicious decisions ...<|separator|>