next up previous
Next: Cost of strong mechanisms Up: Strength of Encryption Mechanisms Previous: Nature of attackers

Cover time

However, even if we assume that Red Pike will be replaced by something better in 2002 (and that this can be done without undue expense or disruption to fielded systems), it still does not follow that 64 bit keys are adequate to protect medical traffic today. The reason for this is that some of today's messages must be protected for a long time.

According to Moore's law, computing capability doubles every eighteen months. Thus the extra eight bits of protection afforded by using 64 bit rather than 56 bit keys translates into an extra twelve years of protection. Otherwise put, the capabilities of individuals lag slightly more than a decade behind those of governments; and if governments can already find 64 bit keys today, then individual attackers will be in the same position in 2010 at the latest.

But how long does medical data need to be protected?

Consider the effects of a revelation being made today that a senior Cabinet Minister had been treated for venereal disease while a teenager. This could clearly do harm, and clinicians seek to protect patients from such harm where practical. The timespan of protection required could, in such cases, be about a human lifespan -- say 70 years. (It could be even longer in the case of genetic information.)

This translates into key lengths in the range of 112 bits (as offered by the standard variant of triple DES) through to 128 bits (as offered by algorithms such as WAKE, SAFER SK-128 and RC4).

A similar argument to the above can be found in a standard textbook on cryptography [77], which recommends a key length of 128 bits for personal information.

Ross Anderson
Mon Oct 6 12:47:34 BST 1997