Eric Conrad
Data Encryption Standard
Introduction
DES is the Data Encryption Standard, a United States government standard encryption
algorithm for encrypting and decrypting unclassified data. DES is described by Federal
Information Processing Standards (FIPS) 46; the most recent revision is FIPS 46-3.[1] DES
is based on IBM’s Lucifer cipher.
DES is a block cipher that takes a plaintext string as input and creates a ciphertext string
of the same length. It uses a symmetric key, which means that the same key is used both to
encrypt the plaintext and to convert the ciphertext back into plaintext.
The DES block size is 64 bits. The key size is also 64 bits, although 8 bits of the key are
used for parity (error detection), which makes the effective DES key size 56 bits. A 56-bit
key length is now considered weak due to advances in computer processing power.
With proper hardware, a brute force attack that systematically attempts all 2^56 (72
quadrillion) different DES keys is possible. One example of such hardware is
Copacobana (Cost-Optimized Parallel COde Breaker),[2] built by two German universities
for roughly $10,000. It can crack a 56-bit DES key in an average of nine days.
The Advanced Encryption Standard (AES) became the new FIPS-approved encryption
standard on November 26, 2001, replacing DES.[3] Triple DES (described in FIPS 46-3)
can still be used as a FIPS-approved algorithm.
The term Data Encryption Algorithm (DEA) is sometimes used, which describes the
actual algorithm (as opposed to the standard). In this context, TDEA is an acronym for
Triple DES. ANSI X9.52-1998 describes Triple Data Encryption Algorithm Modes of
Operation.[4] For the sake of consistency, this paper uses the term DES.
Modes of DES
FIPS 81 describes four approved modes of DES: Electronic Codebook (ECB) mode,
Cipher Block Chaining (CBC) mode, Cipher Feedback (CFB) mode, and Output
Feedback (OFB) mode.[5] The National Institute of Standards and Technology (NIST)
Special Publication 800-38A describes a fifth mode, Counter (CTR).[6] These modes can
be used with both DES and Triple DES.
Key differences in each mode are error propagation and block vs. stream ciphers.
• Error propagation means an error in a step of encryption or decryption (such as a bit flipped from 0 to 1) propagates to subsequent steps, which causes further errors.
Electronic Codebook (ECB) mode
[Figure: bitmap encrypted with DES in ECB mode. The pattern is visible because repeated blocks of plaintext pixels in the bitmap are encrypted into repeated blocks of the corresponding ciphertext pixels.]
In this mode, errors do not propagate, as each block is encrypted independently.
The term Codebook refers to cryptographic code books, which contain dictionaries of
words or phrases (such as “Attack has begun”) with a coded equivalent (“The eagle has
flown”).
Cipher Block Chaining (CBC) mode
[Figure: bitmap encrypted with DES in CBC mode. No pattern is visible. This is true for all DES modes other than ECB.]
In this mode, errors propagate, as each previous step’s encrypted output is XORed
(“chained”) with the new block of plaintext.
[8] The acronym ‘3DES’ is sometimes used in the industry. It should be avoided, as it causes confusion with respect to keying options like 3TDES (see below).
[9] NIST SP 800-67, page viii. URL: http://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdf
[10] Lucks, Stefan. “Attacking Triple Encryption.” URL: http://th.informatik.uni-mannheim.de/People/Lucks/papers/pdf/3des.pdf.gz
[11] FIPS 46-3, page 15.
[12] FIPS 46-3, page 16.
1TDES EDE is functionally the same as DES. Assuming a plaintext string of “SECRET”:
1. Encrypt: “SECRET” becomes ciphertext.
2. Decrypt (with the same key): the ciphertext becomes “SECRET” again.
3. Encrypt: “SECRET” becomes ciphertext.
Step 3 is identical to Step 1. Given the same plaintext and key, ciphertext generated with
1TDES is identical to DES-generated ciphertext.
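Both the ECB/CBC figures above and the three 1TDES EDE steps can be checked directly. The following Go program is an added example written for this page, not code from the paper; it relies only on the standard library's crypto/des and crypto/cipher packages, and the key, IV and plaintext (four identical 8-byte blocks standing in for the bitmap's repeated pixels) are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)
// Constructed demo key and IV (hypothetical); real systems use a secret key and a fresh random IV per CBC message.
var key, iv = []byte("8bytekey"), []byte("initvect")
// Four identical 8-byte blocks stand in for the bitmap's repeated pixel blocks.
var plaintext = bytes.Repeat([]byte("SECRET!!"), 4)
// ecbEncrypt encrypts each block independently (Go ships no ECB helper on purpose).
func ecbEncrypt(b cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += b.BlockSize() { // pt must be a whole number of blocks
		b.Encrypt(ct[i:], pt[i:])
	}
	return ct
}
// cbcEncrypt XORs each previous ciphertext block into the next plaintext block.
func cbcEncrypt(b cipher.Block, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(b, iv).CryptBlocks(ct, pt)
	return ct
}
// distinctBlocks counts different 8-byte blocks: 1 under ECB for this plaintext, 4 under CBC.
func distinctBlocks(ct []byte) int {
	seen := map[string]bool{}
	for i := 0; i+8 <= len(ct); i += 8 {
		seen[string(ct[i:i+8])] = true
	}
	return len(seen)
}
// oneKeyTDESEqualsDES checks that EDE with K1 = K2 = K3 collapses to single DES.
func oneKeyTDESEqualsDES(k []byte) bool {
	single, _ := des.NewCipher(k)
	triple, _ := des.NewTripleDESCipher(bytes.Repeat(k, 3)) // K1 || K2 || K3, all equal
	var a, b [8]byte
	single.Encrypt(a[:], plaintext[:8])
	triple.Encrypt(b[:], plaintext[:8])
	return a == b
}
func main() {
	b, _ := des.NewCipher(key)
	fmt.Println("distinct ECB blocks:", distinctBlocks(ecbEncrypt(b, plaintext)))
	fmt.Println("distinct CBC blocks:", distinctBlocks(cbcEncrypt(b, iv, plaintext)))
	fmt.Println("1TDES EDE == DES:", oneKeyTDESEqualsDES(key))
}
```

The ECB count of 1 is the textual form of the visible bitmap pattern; the CBC count equals the number of blocks because each block's input depends on the previous ciphertext.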
3TDES EDE is the strongest form. 2TDES EDE is frequently used in the banking
industry, using common hardware, such as the IBM 4758 PCI Cryptographic
Coprocessor.[13] 1TDES EDE exists for backwards compatibility with legacy systems
using DES and should not be used for secure applications.
Other modes that are not FIPS-approved are also used in the industry. The most common
is 3TDES EEE (3-key Triple DES in Encrypt – Encrypt – Encrypt order).
Summary
Although there is no silver bullet when it comes to network security, cryptography can
play a key role in protecting critical information. There are three general types of
cryptography: symmetric, asymmetric, and hash. This paper focused on one of the key
symmetric key algorithms: DES.
[13] Bond, Mike and Clayton, Richard. “Experience Using a Low-Cost FPGA Design to Crack DES Keys.” URL: http://www.cl.cam.ac.uk/~rnc1/descrack/DEScracker.html