As already mentioned, the choice of protection mechanisms must be informed by an analysis of the attacks that are likely to be made, and the length of time for which the information must be protected (the `cover time'). This is a basic security engineering principle, and one the IMG's senior adviser discusses in his book [18]. We will discuss in turn the capability of opponents, and the cover time appropriate for medical data.
The IMG strategy states that encryption using single-round DES, with 56 bit
keys, is not at present enough. The key length of DES is a well discussed
problem that was first raised by Diffie and Hellman shortly after that
algorithm was proposed as a standard [31]. If we attack DES by trying
all the possible keys, then we will on average have to test of them
before we find the right one. Now
=
x
x
,
and
is about a million; so a custom machine with a million processors,
each capable of testing a million keys a second, could break a DES key in less
than a day.
A 1993 analysis, assuming the faster chips available by then, argues that a machine built for $1m could break a DES key in about three hours; and it can be expected that within the next few months, the first public announcement of a successful DES keysearch will be made. A US company, in order to promote the use of a block cipher called RC5, has offered a number of public rewards for successful keysearch against ciphers of varying keylengths. A 40 bit key was found in 3.5 hours, and a 48 bit key in 13 days -- in both cases using software on a number of machines in parallel. An attempt on their 56 bit DES challenge key is now getting underway, and a recent technical innovation allows DES keys to be searched 3-5 times more quickly than was previously the case [16].