Defence Signals Directorate: Reveal their secrets... Protect our own

DSD INFORMATION SECURITY POLICY ADVICE 2/2003

WITHDRAWAL OF APPROVAL FOR SINGLE DES

Date of Effect: 10 December 2003

Background

The Data Encryption Standard (DES/Single DES) was developed in 1977 for the "protection of sensitive information" [FIPS 46-3]. Whilst there are no known flaws in the algorithm, computational power is increasing to the point that exhaustive searches of the key-space are becoming increasingly viable as a means of attack. With the advent of Triple DES (3DES/TDES/DES-3), the Advanced Encryption Standard (AES) and other DSD-approved cryptographic algorithms, there should be no requirement for Australian Government agencies to continue using DES for the protection of classified Australian Government information.

For more information, see:

DSD-approved algorithms: Australian Communications-Electronic Security Instructions (ACSI) 33
DES and Triple DES: http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
AES: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

Policy

DES no longer approved

Effective immediately, the DES algorithm is withdrawn from the list of DSD-approved cryptographic algorithms and is no longer approved by DSD for the protection of classified Australian Government information.

Existing products

Agencies must migrate away from DES for the protection of classified Australian Government information by 1 January 2005.

Exception: Where there is no alternative to DES within legacy systems, agencies:

• must undertake a risk assessment on the continued use of DES; and
• should contact DSD for advice.

New procurements

Agencies should only procure DSD-approved products, noting that effective immediately, DES is no longer approved.

Affected Products

EPL products

A number of products listed on the Evaluated Products List (EPL) utilise DES and are therefore affected by this policy.

Use of affected products

Some products utilise cryptography as their core functionality; others, such as firewalls, utilise cryptography only in a support function.

In the cases where the cryptography is the core functionality of the product, agencies must migrate away from the products in accordance with the policy for 'Existing products'.

In cases where the cryptography provides support functionality, agencies may continue using the product but must stop using any security services that rely on the single DES cryptography.

Note: the above statements also apply to products not listed on the EPL.

Email – assist@dsd.gov.au
Post – Information Security Group
Defence Signals Directorate
Locked Bag 5076
Kingston ACT 2604