Math 5410 Data Encryption Standard (DES)

The DES algorithm, based on LUCIFER (designed by Horst Feistel), was developed at IBM in 1972. It was approved by the National Bureau of Standards (now NIST) after the National Security Agency had assessed DES's strength and made modifications, and it became a Federal standard in 1977.

Description of the algorithm.

(See text section 4.4)

Also, look at Susan Landau's article "Standing the Test of Time: The Data Encryption Standard" in the March 2000 issue of the Notices of the American Mathematical Society (pp. 341-349). It can be viewed on-line as a .ps file or a .pdf file.

Possible weaknesses

1. Key length (effectively 56 bits) is now considered to be too short.

In 1977, Diffie and Hellman claimed that an appropriate machine consisting of a million LSI chips could try all 2^56 ≈ 10^17 keys, completing the entire search in one day. The cost of such a machine would be about $20 million.

In 1993, Michael Wiener gave a detailed design of a key search machine based on a chip that could test 5 × 10^7 keys per second and could be built with current technology for $10.50 per chip. A frame consisting of 5760 chips can be built for $100,000 and would allow a DES key to be found in about 1.5 days on average. A machine using 10 frames would cost a million dollars but would reduce the search time to about 3.5 hours.

Starting in 1996, in an attempt to prove the inadequacy of this key length, Ron Rivest (through his company RSA Labs) conducted four contests, offering a cash reward ($10,000) to any individual or group who could break a DES-encrypted message. The first contest was won in Jan. 1997 by a group (DESCHALL, organized by Rocke Verser) using a distributed network approach, taking 96 days. The second challenge was won in Feb. 1998 by another group (Distributed.Net) in 41 days. The third was won in July 1998 by the Electronic Frontier Foundation, using a specially built computer (Deep Crack) costing less than $250,000, in 56 hours. The last contest was won in January 1999 by a combination of the distributed network (Distributed.Net) and Deep Crack in 22 hours and 15 minutes.

2. S-box construction. The complete specification of how the S-boxes were designed has remained secret. This has led some to believe that the NSA has a backdoor into the DES algorithm. However, in the 1990s IBM published its design criteria for the S-boxes to allay some of these concerns. The criteria indicate how the S-boxes were specified to prevent certain sophisticated cryptographic attacks (in particular differential cryptanalysis). The S-boxes satisfying these criteria were found by computer search. This, however, does not address any changes that the NSA made to the S-box design.

Other Developments

In 1986, NTT in Japan developed the Fast Data Encipherment Algorithm (FEAL-8). It was designed to be a high-speed software cipher and, due to its compactness, is used in FAX terminals, modems and telephone cards. Further development has given FEAL-N and FEAL-NX (which uses a 128-bit key). (The N refers to the number of rounds and is a power of 2.)

In 1990, Brown, Pieprzyk and Seberry at UNSW (University of New South Wales, Australia) proposed a DES-like cipher, LOKI, which uses a full 64-bit key.

In 1991, Biham and Shamir introduced a method called differential cryptanalysis and demonstrated that many symmetric cryptosystems can be broken by their method. This has been one of the most effective attacks on DES-type systems.

DES was up for review by NIST in 1992, and the decision was made (to the surprise of many) to keep it as a standard. It was not expected to remain a standard after the 1997 review, but because of NIST's activities concerning the new AES (Advanced Encryption Standard), the decision was made to keep DES as the standard (with only triple DES considered secure). DES will be dropped as the standard (though triple DES will still be supported) in March 2002 and be replaced by AES.

AES is designed to withstand cryptographic attack against (unclassified) government information well into this new century. Its use by the private sector is optional. However, since it will provide far more security than DES does, this optionality is really a smoke screen: AES will become the de facto standard for the private sector. Information on the selection and specifics of the Rijndael algorithm for AES can be obtained on-line from NIST.

Modes of Operation

DES can be used in a number of ways to provide secure information transfer. The standard procedure of dividing the message into blocks of length 64 bits and enciphering each block (using the same key) is known as the electronic codebook mode (ECB). DES can also be used to produce a key stream cipher; this is known as the output feedback mode (OFB). In this mode of operation, an initialization string of 64 bits is encrypted with DES, then the output is encrypted again, and again, and again ... This produces a bit stream (the original string and each of its encryptions) which is then xor'ed (addition mod 2) with the message to produce the encrypted message, as in the one-time pad.

Another mode of operation is called cipher block chaining mode (CBC), in which the enciphered output of a message block is xor'ed with the next message block before that block is run through DES. In this mode of operation, any altered message block will affect all the ciphertext blocks that follow it. This is a useful property in certain applications, in particular in the construction of message authentication codes (MACs).

Message Authentication

In some applications, it is more important to know that a message has not been altered than to keep it secret. This can be achieved by appending to the message a special code, some type of encrypted ciphertext that depends on the message, called a message authentication code (MAC). If the plaintext message is altered in some way, the MAC will not be correct, thus alerting the receiver to the tampering. DES can be used to produce MACs in the following way. The sender uses DES in CBC mode to encipher the message. The very last block of the enciphered message is the MAC. The plaintext message and the MAC are then sent to the receiver. The receiver runs the received plaintext through DES (in CBC mode with the same key) and compares the MAC just calculated with the MAC that was transmitted.
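The CBC chaining property from the Modes of Operation section and the CBC-MAC construction just described, as an added example that is not part of the original notes. The block cipher is a stand-in for DES (a keyed 64-bit function built from SHA-256, an assumption made so the code runs without a DES library); the chaining, MAC extraction and verification logic are exactly what the notes describe, and substituting a real DES block encryption gives the DES CBC-MAC.

```python
import hashlib
import hmac

BLOCK = 8  # DES block size: 64 bits


def stand_in_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one DES block encryption (assumption: this is NOT DES).
    Any keyed 64-bit block function shows the mode; swap in a real DES
    block encryption from a crypto library to get the DES CBC-MAC."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(msg: bytes) -> bytes:
    """Zero-pad to a whole number of 64-bit blocks (constructed convention)."""
    return msg + b"\x00" * (-len(msg) % BLOCK)


def cbc_encrypt(key: bytes, msg: bytes, iv: bytes = b"\x00" * BLOCK) -> list:
    """CBC mode: each plaintext block is xor'ed with the previous ciphertext
    block before it is run through the block cipher, so a change in one
    message block propagates to every ciphertext block that follows it."""
    data, out, prev = pad(msg), [], iv
    for i in range(0, len(data), BLOCK):
        prev = stand_in_block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return out


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """The MAC is the last ciphertext block of the CBC encryption (zero IV).
    Raw CBC-MAC is only sound for fixed-length messages; for variable
    lengths prefix the length or use a derived mode such as CMAC."""
    return cbc_encrypt(key, msg)[-1]


def verify_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver recomputes the MAC over the received plaintext and compares
    it in constant time, so the comparison leaks nothing about the tag."""
    return hmac.compare_digest(cbc_mac(key, msg), tag)


def blocks_changed(key: bytes, msg: bytes, altered: bytes) -> list:
    """Which ciphertext blocks differ between two messages of equal length."""
    a, b = cbc_encrypt(key, msg), cbc_encrypt(key, altered)
    return [x != y for x, y in zip(a, b)]
```

With a constructed 31-byte message and a one-byte change in its second block, `blocks_changed` reports the first block unchanged and every later block altered, and `verify_mac` rejects the altered message under the original tag.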

Of course, if the entire transaction is to be done in secret, the plaintext and MAC can be run through DES (in any mode, but with a different key) before transmission.