56-bit encryption

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

In computing, 56-bit encryption refers to a key size of fifty-six bits, or seven bytes, for symmetric encryption. While stronger than 40-bit encryption, this still represents a relatively low level of security in the context of a brute force attack.


The US government traditionally regulated encryption for reasons of national security, law enforcement and foreign policy. Encryption was regulated from 1976 by the Arms Export Control Act until control was transferred to the Department of Commerce in 1996.

56-bit refers to the size of a symmetric key used to encrypt data, with the number of unique possible permutations being (72,057,594,037,927,936). 56-bit encryption has its roots in DES, which was the official standard of the US National Bureau of Standards from 1976, and later also the RC5 algorithm. US government regulations required any users of stronger 56-bit symmetric keys to submit to key recovery through algorithms like CDMF or key escrow,[1] effectively reducing the key strength to 40-bit, and thereby allowing organisations such as the NSA to brute-force this encryption. Furthermore, from 1996 software products exported from the United States were not permitted to use stronger than 56-bit encryption, requiring different software editions for the US and export markets.[2] In 1999, US allowed 56-bit encryption to be exported without key escrow or any other key recovery requirements.

The advent of commerce on the Internet and faster computers raised concerns about the security of electronic transactions initially with 40-bit, and subsequently also with 56-bit encryption. In February 1997, RSA Data Security ran a brute force competition with a $10,000 prize to demonstrate the weakness of 56-bit encryption; the contest was won four months later.[3] In July 1998, a successful brute-force attack was demonstrated against 56-bit encryption with Deep Crack in just 56 hours.[4]

In 2000, all restrictions on key length were lifted, except for exports to embargoed countries.[5]

56-bit DES encryption is now obsolete, having been replaced as a standard in 2002 by the 128-bit (and stronger) Advanced Encryption Standard. DES continues to be used as a symmetric cipher in combination with Kerberos because older products do not support newer ciphers like AES.[6]

See also[edit]


  1. ^ Infoworld Media Group, Inc (30 June 1997). "Hackers Prove 56-bit DES is not Enough". InfoWorld: 77.
  2. ^ "Microsoft Strong Encryption Downloads". Microsoft. 2011. Retrieved 8 September 2011.
  3. ^ "Group Cracks 56-bit Encryption". CNET. 18 June 1997. Retrieved 19 January 2012.
  4. ^ Congressional Record. 17. 144. United States Senate. October 7–9, 1998. p. 25124. ISBN 9780160680830.
  5. ^ Jeanne J. Grimmett (11 January 2001). "CRS Report for Congress" (PDF). Legislative Attorney, American Law Division. Cite journal requires |journal= (help)
  6. ^ https://support.microsoft.com/en-us/kb/3057154