Microsoft removes DES encryption from Windows

Encryption with DES has long been considered insecure, for more than two decades now. Now Microsoft is putting its money where its mouth is: DES encryption is finally being removed from Windows.

Back in 1998 , IT security researchers demonstrated that DES keys, which were also limited to 56 bits in length due to US export restrictions, could be cracked in less than three days and with a limited budget. The US government at the time argued that this was only possible with much greater effort and that the short keys were therefore not a problem. The researchers disproved this with a "supercomputer" built by the Electronic Frontier Foundation (EFF) at the time with almost 2,000 specially designed CPUs (ASICs) with a clock frequency of less than 40 MHz, which cost around 250,000 US dollars.

September is the end

On the list of functions removed from Windows, Microsoft now writes that the Data Encryption Standard (DES) is considered insecure against modern cryptographic attacks and will be replaced by more robust encryption algorithms. DES has been disabled by default since Windows 7 and Windows Server 2008 R2. DES will be removed from Windows 11 24H2 and Windows Server 2025 and later versions. Support for it will end in September 2025.

On Thursday, Microsoft also included this change in the list of features removed from Windows Server 2025. Last week, Microsoft moved Powershell 2.0 from removed features to features that are no longer being developed on this list, which should extend the grace period for it a little longer.

Around ten years ago, OpenSSL had to correct a function that helps to prevent the generation of 16 particularly insecure and extremely weak DES keys. Typing errors had crept into the test function, which impaired it; however, according to the project, the test function was never used at the time anyway. But even at that time, it had long been clear that DES was better left alone.

(dmk)