Data Encryption Standard: Difference between revisions

From formulasearchengine
Jump to navigation Jump to search
← Older editNewer edit →
en>Monkbot
en>Rubulainen
m Fixed broken link
Line 1: Line 1:
{{Infobox block cipher
The name of the author is Joe Ton. My husband and I inhabit North Carolina. One of the things he loves most is to play crochet but he's been taking on new things lately. Office supervising is a few things i do as a living but soon my wife and I will start my business.<br><br>Also visit my page; [https://plus.google.com/u/0/107184730458104048162/posts/YeFmgNGAmWx/ Philippines]
| name         = Data Encryption Standard
| image        = [[File:Data Encryption Standard InfoBox Diagram.png|300px|center]]
| caption      = The Feistel function (F function) of DES
| designers    = [[IBM]]
| publish date  = 1977 (standardized in January 1979)
| derived from  = [[Lucifer (cipher)|Lucifer]]
| derived to    = [[Triple DES]], [[G-DES]], [[DES-X]], [[LOKI89]], [[ICE (cipher)|ICE]]
| key size      = 56 bits
| block size    = 64 bits
| structure    = Balanced [[Feistel network]]
| rounds        = 16
| cryptanalysis = DES is now considered insecure because a [[brute force attack]] is possible (see [[EFF DES cracker]]). As of 2008, the best analytical attack is [[linear cryptanalysis]], which requires 2<sup>43</sup> [[known plaintext]]s and has a time complexity of 2<sup>39–43</sup> (Junod, 2001).}}
 
The '''Data Encryption Standard''' ('''DES''', {{IPAc-en|ˌ|d|iː|ˌ|iː|ˈ|ɛ|s}} or {{IPAc-en|ˈ|d|ɛ|z}}) is a previously predominant [[symmetric-key algorithm]] for the [[encryption]] of electronic data. It was highly influential in the advancement of modern [[cryptography]] in the academic world. Developed in the early 1970s at [[IBM]] and based on an earlier design by [[Horst Feistel]], the algorithm was submitted to the [[National Bureau of Standards]] (NBS) following the agency's invitation to propose a candidate for the protection of sensitive, unclassified electronic government data. In 1976, after consultation with the [[National Security Agency]] (NSA), the NBS eventually selected a slightly modified version, which was published as an official [[Federal Information Processing Standard]] (FIPS) for the [[United States]] in 1977. The publication of an NSA-approved encryption standard simultaneously resulted in its quick international adoption and widespread academic scrutiny. Controversies arose out of [[classified information|classified]] design elements, a relatively short [[key length]] of the [[symmetric-key algorithm|symmetric-key]] [[block cipher]] design, and the involvement of the NSA, nourishing suspicions about a [[backdoor (computing)|backdoor]]. The intense academic scrutiny the algorithm received over time led to the modern understanding of block ciphers and their [[cryptanalysis]].
 
DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key size being too small; in January, 1999, [[distributed.net]] and the [[Electronic Frontier Foundation]] collaborated to publicly break a DES key in 22 hours and 15 minutes (see [[Data Encryption Standard#Chronology|chronology]]). There are also some analytical results which demonstrate theoretical weaknesses in the cipher, although they are infeasible to mount in practice. The algorithm is believed to be practically secure in the form of [[Triple DES]], although there are theoretical attacks. In recent years, the cipher has been superseded by the [[Advanced Encryption Standard]] (AES). Furthermore, DES has been withdrawn as a standard by the [[National Institute of Standards and Technology]] (formerly the National Bureau of Standards).
 
Some documentation makes a distinction between DES as a standard and DES as an algorithm, referring to the algorithm as the '''DEA''' ('''Data Encryption Algorithm''').
 
== History of DES ==
The origins of DES go back to the early 1970s. In 1972, after concluding a study on the US government's [[computer security]] needs, the US standards body NBS (National Bureau of Standards)&nbsp;— now named [[NIST]] (National Institute of Standards and Technology)&nbsp;— identified a need for a government-wide standard for encrypting unclassified, sensitive information.<ref>It was created by IBM's (International Business Machines) {{cite conference|author=Walter Tuchman|title=A brief history of the data encryption standard|booktitle=Internet besieged: countering cyberspace scofflaws|publisher=
ACM Press/Addison-Wesley Publishing Co. New York, NY, USA|pages=275–280|year=1997}}</ref> Accordingly, on 15 May 1973, after consulting with the NSA, NBS solicited proposals for a cipher that would meet rigorous design criteria. None of the submissions, however, turned out to be suitable. A second request was issued on 27 August 1974. This time, [[International Business Machines|IBM]] submitted a candidate which was deemed acceptable&nbsp;— a cipher developed during the period 1973–1974 based on an earlier algorithm, [[Horst Feistel]]'s [[Lucifer (cipher)|Lucifer]] cipher. The team at IBM involved in cipher design and analysis included Feistel, [[Walter Tuchman]], [[Don Coppersmith]], Alan Konheim, Carl Meyer, Mike Matyas, [[Roy Adler]], [[Edna Grossman]], Bill Notz, Lynn Smith, and [[Bryant Tuckerman]].
 
=== NSA's involvement in the design ===
On 17 March 1975, the proposed DES was published in the ''[[Federal Register]]''. Public comments were requested, and in the following year two open workshops were held to discuss the proposed standard. There was some criticism from various parties, including from [[public-key cryptography]] pioneers [[Martin Hellman]] and [[Whitfield Diffie]],<ref>{{note|dh-exh}} {{cite journal
| last1=Diffie
| first1=Whitfield
| last2=Hellman
| first2=Martin E.
| date=June 1977
| title=Exhaustive Cryptanalysis of the NBS Data Encryption Standard
| journal=Computer
| volume=10
| issue=6
| pages=74–84
| doi=10.1109/C-M.1977.217750
| url=http://www.computer.org/portal/web/csdl/doi/10.1109/C-M.1977.217750
}}</ref> citing a shortened [[key length]] and the mysterious "[[Substitution box|S-boxes]]" as evidence of improper interference from the NSA. The suspicion was that the algorithm had been covertly weakened by the intelligence agency so that they&nbsp;— but no-one else&nbsp;— could easily read encrypted messages.<ref>{{Cite web|url=http://www.rsa.com/rsalabs/node.asp?id=2227|title=Has DES been broken?|author=RSA Laboratories|accessdate=2009-11-08}}</ref> Alan Konheim (one of the designers of DES) commented, "We sent the S-boxes off to Washington. They came back and were all different."<ref>{{Cite book|last=Schneier|title=Applied Cryptography|edition=2nd|page=280}}</ref> The [[United States Senate Select Committee on Intelligence]] reviewed the NSA's actions to determine whether there had been any improper involvement. In the unclassified summary of their findings, published in 1978, the Committee wrote:
{{quote|In the development of DES, NSA convinced [[IBM]] that a reduced key size was sufficient; indirectly assisted in the development of the S-box structures; and certified that the final DES algorithm was, to the best of their knowledge, free from any statistical or mathematical weakness.<ref>{{Cite book|first=D.W.|last=Davies|coauthors=W.L. Price|title=Security for computer networks, 2nd ed.|publisher=John Wiley & Sons|year=1989}}</ref>}}
However, it also found that
{{quote|NSA did not tamper with the design of the algorithm in any way. IBM invented and designed the algorithm, made all pertinent decisions regarding it, and concurred that the agreed upon key size was more than adequate for all commercial applications for which the DES was intended.<ref>{{Cite journal|author=Robert Sugarman (editor)|title=On foiling computer crime|journal=IEEE Spectrum|date=July 1979|publisher=[[IEEE]]}}</ref>}}
Another member of the DES team, Walter Tuchman, stated "We developed the DES algorithm entirely within IBM using IBMers. The NSA did not dictate a single wire!"<ref>{{Cite journal|author=P. Kinnucan|title=Data Encryption Gurus: Tuchman and Meyer|journal=Cryptologia|volume=2|issue=4|date=October 1978|doi=10.1080/0161-117891853270|page=371}}</ref>
In contrast, a declassified NSA book on cryptologic history states:
{{quote|In 1973 NBS solicited private industry for a data encryption standard (DES). The first offerings were disappointing, so NSA began working on its own algorithm. Then Howard Rosenblum, deputy director for research and engineering, discovered that Walter Tuchman of IBM was working on a modification to Lucifer for general use. NSA gave Tuchman a clearance and brought him in to work jointly with the Agency on his Lucifer modification."<ref>{{Cite journal|author=Thomas R. Johnson|title=American Cryptology during the Cold War, 1945-1989.Book III: Retrenchment and Reform, 1972-1980|journal=United States Cryptologic History|volume=5|issue=3}}</ref>}}
and
{{quote|NSA worked closely with IBM to strengthen the algorithm against all except brute force attacks and to strengthen substitution tables, called S-boxes. Conversely, NSA tried to convince IBM to reduce the length of the key from 64 to 48 bits. Ultimately they compromised on a 56-bit key.<ref>{{Cite web|url=http://cryptome.org/0001/nsa-meyer.htm|title=American Cryptology during the Cold War, 1945-1989.Book III: Retrenchment and Reform, 1972-1980, page 232 |author = Thomas R. Johnson| accessdate=2010-01-03 |publisher = [[National Security Agency]], DOCID 3417193 (file released on 2009-12-18, hosted at cryptome.org)| date= 2009-12-18}}</ref>}}
Some of the suspicions about hidden weaknesses in the S-boxes were allayed in 1990, with the independent discovery and open publication by [[Eli Biham]] and [[Adi Shamir]] of [[differential cryptanalysis]], a general method for breaking block ciphers. The S-boxes of DES were much more resistant to the attack than if they had been chosen at random, strongly suggesting that IBM knew about the technique in the 1970s. This was indeed the case; in 1994, Don Coppersmith published some of the original design criteria for the S-boxes.<ref>{{Cite book|last=Konheim|title=Computer Security and Cryptography|page=301}}</ref> According to [[Steven Levy]], IBM Watson researchers discovered differential cryptanalytic attacks in 1974 and were asked by the NSA to keep the technique secret.<ref name=Levy>Levy, ''Crypto'', p. 55</ref> Coppersmith explains IBM's secrecy decision by saying, "that was because [differential cryptanalysis] can be a very powerful tool, used against many schemes, and there was concern that such information in the public domain could adversely affect national security." Levy quotes Walter Tuchman: "[t]hey asked us to stamp all our documents confidential... We actually put a number on each one and locked them up in safes, because they were considered U.S. government classified. They said do it. So I did it".<ref name=Levy/> Bruce Schneier observed that "It took the academic community two decades to figure out that the NSA 'tweaks' actually improved the security of DES."<ref name="schneier20040927">{{Cite news|last=Schneier|first=Bruce|title=Saluting the data encryption legacy|url=http://news.cnet.com/Saluting-the-data-encryption-legacy/2010-1029_3-5381232.html|accessdate=2010-10-28|newspaper=CNet|date=2004-09-27}}</ref>
 
=== The algorithm as a standard ===
Despite the criticisms, DES was approved as a federal standard in November 1976, and published on 15 January 1977 as [[Federal Information Processing Standard|FIPS]] PUB 46, authorized for use on all unclassified data. It was subsequently reaffirmed as the standard in 1983, 1988 (revised as FIPS-46-1), 1993 (FIPS-46-2), and again in 1999 (FIPS-46-3), the latter prescribing "[[Triple DES]]" (see below). On 26 May 2002, DES was finally superseded by the Advanced Encryption Standard (AES), following [[Advanced Encryption Standard process|a public competition]]. On 19 May 2005, FIPS 46-3 was officially withdrawn, but [[NIST]] has approved [[Triple DES]] through the year 2030 for sensitive government information.<ref name=SP800-67>[[National Institute of Standards and Technology]], [http://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdf NIST Special Publication 800-67 ''Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher'', Version 1.1]</ref>
 
The algorithm is also specified in ANSI X3.92,<ref>[[American National Standards Institute]], ANSI X3.92-1981 ''American National Standard, Data Encryption Algorithm''</ref> NIST SP 800-67<ref name=SP800-67/> and ISO/IEC 18033-3<ref>{{Cite web|url=http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=54531 |title=ISO/IEC 18033-3:2010 Information technology&nbsp;— Security techniques&nbsp;— Encryption algorithms&nbsp;— Part 3: Block ciphers |publisher=Iso.org |date=2010-12-14 |accessdate=2011-10-21}}</ref> (as a component of [[TDEA]]).
 
Another theoretical attack, linear cryptanalysis, was published in 1994, but it was a [[brute force attack]] in 1998 that demonstrated that DES could be attacked very practically, and highlighted the need for a replacement algorithm. These and other methods of [[cryptanalysis]] are discussed in more detail later in this article.
 
The introduction of DES is considered to have been a catalyst for the academic study of cryptography, particularly of methods to crack block ciphers. According to a NIST retrospective about DES,
:The DES can be said to have "jump started" the nonmilitary study and development of encryption algorithms. In the 1970s there were very few cryptographers, except for those in military or intelligence organizations, and little academic study of cryptography. There are now many active academic cryptologists, mathematics departments with strong programs in cryptography, and commercial information security companies and consultants. A generation of cryptanalysts has cut its teeth analyzing (that is trying to "crack") the DES algorithm. In the words of cryptographer [[Bruce Schneier]],<ref>Bruce Schneier, Applied Cryptography, Protocols, Algorithms, and Source Code in C, Second edition, John Wiley and Sons, New York (1996) p. 267</ref> "DES did more to galvanize the field of cryptanalysis than anything else. Now there was an algorithm to study." An astonishing share of the open literature in cryptography in the 1970s and 1980s dealt with the DES, and the DES is the standard against which every symmetric key algorithm since has been compared.<ref>William E. Burr, "Data Encryption Standard", in NIST's anthology "A Century of Excellence in Measurements, Standards, and Technology: A Chronicle of Selected NBS/NIST Publications, 1901–2000.  [http://nvl.nist.gov/pub/nistpubs/sp958-lide/html/250-253.html HTML] [http://nvl.nist.gov/pub/nistpubs/sp958-lide/250-253.pdf PDF]</ref>
 
=== Chronology ===
{| class="wikitable" style="font-size:85%;"
|-
! Date
! Year
! Event
|-
| 15 May
| 1973
| NBS publishes a first request for a standard encryption algorithm
|-
| 27 August
| 1974
| NBS publishes a second request for encryption algorithms
|-
| 17 March
| 1975
| DES is published in the ''Federal Register'' for comment
|-
| August
| 1976
| First workshop on DES
|-
| September
| 1976
| Second workshop, discussing mathematical foundation of DES
|-
| November
| 1976
| DES is approved as a standard
|-
| 15 January
| 1977
| DES is published as a FIPS standard FIPS PUB 46
|-
|
| 1983
| DES is reaffirmed for the first time
|-
|
| 1986
| [[Videocipher]] II, a TV satellite scrambling system based upon DES, begins use by HBO
|-
| 22 January
| 1988
| DES is reaffirmed for the second time as FIPS 46-1, superseding FIPS PUB 46
|-
| July
| 1991
| Biham and Shamir rediscover [[differential cryptanalysis]], and apply it to a 15-round DES-like cryptosystem.
|-
|
| 1992
| Biham and Shamir report the first theoretical attack with less complexity than brute force: [[differential cryptanalysis]]. However, it requires an unrealistic 2<sup>47</sup> [[chosen plaintext]]s.
|-
| 30 December
| 1993
| DES is reaffirmed for the third time as FIPS 46-2
|-
|
| 1994
| The first experimental cryptanalysis of DES is performed using linear cryptanalysis (Matsui, 1994).
|-
| June
| 1997
| The [[DESCHALL Project]] breaks a message encrypted with DES for the first time in public.
|-
| July
| 1998
| The [[Electronic Frontier Foundation|EFF]]'s [[EFF DES cracker|DES cracker]] (Deep Crack) breaks a DES key in 56 hours.
|-
| January
| 1999
| Together, [[Deep Crack]] and [[distributed.net]] break a DES key in 22 hours and 15 minutes.
|-
| 25 October
| 1999
| DES is reaffirmed for the fourth time as FIPS 46-3, which specifies the preferred use of [[Triple DES]], with single DES permitted only in legacy systems.
|-
| 26 November
| 2001
| The [[Advanced Encryption Standard]] is published in FIPS 197
|-
| 26 May
| 2002
| The AES becomes effective
|-
| 26 July
| 2004
| The withdrawal of FIPS 46-3 (and a couple of related standards) is proposed in the ''Federal Register''<ref>{{Cite web|url=http://edocket.access.gpo.gov/2004/04-16894.htm |title=FR Doc 04-16894 |publisher=Edocket.access.gpo.gov |date= |accessdate=2009-06-02}}</ref>
|-
| 19 May
| 2005
| NIST withdraws FIPS 46-3 (see [http://csrc.nist.gov/publications/fips/05-9945-DES-Withdrawl.pdf Federal Register vol 70, number 96])
|-
| April
| 2006
| The [[Field-programmable gate array|FPGA]] based parallel machine [[Custom hardware attack#History|COPACOBANA]] of the Universities of Bochum and Kiel, Germany, breaks DES in 9 days at $10,000 hardware cost.<ref name="copacobana-2006">S. Kumar, C. Paar, J. Pelzl, G. Pfeiffer, A. Rupp, M. Schimmler, "How to Break DES for Euro 8,980". 2nd Workshop on Special-purpose Hardware for Attacking Cryptographic Systems&nbsp;— SHARCS 2006, Cologne, Germany, April 3–4, 2006.</ref> Within a year software improvements reduced the average time to 6.4 days.
|-
| Nov.
| 2008
| The successor of [[Custom hardware attack#History|COPACOBANA]], the RIVYERA machine reduced the average time to less than one single day.
|}
 
==Description==
<imagemap>
File:DES-main-network.png|thumb|250px|''[[:File:DES-main-network.png|Figure 1]]''— The overall Feistel structure of DES
rect 0 130 639 229 [[DES supplementary material#Initial permutation (IP)|Initial permutation]]
rect 220 300 421 405 [[#The Feistel (F) function|Feistel function]]
rect 220 594 421 701 [[#The Feistel (F) function|Feistel function]]
rect 220 1037 421 1144 [[#The Feistel (F) function|Feistel function]]
rect 220 1330 421 1437 [[#The Feistel (F) function|Feistel function]]
rect 0 1478 639 1577 [[DES supplementary material#Final permutation (IP-1)|Final permutation]]
circle 50 351 26 [[Exclusive or|XOR]]
circle 50 647 26 [[Exclusive or|XOR]]
circle 50 1090 26 [[Exclusive or|XOR]]
circle 50 1383 26 [[Exclusive or|XOR]]
</imagemap>
:''For brevity, the following description omits the exact transformations and permutations which specify the algorithm; for reference, the details can be found in [[DES supplementary material]].''
DES is the archetypal [[block cipher]]&nbsp;— an [[algorithm]] that takes a fixed-length string of [[plaintext]] bits and transforms it through a series of complicated operations into another [[ciphertext]] bitstring of the same length. In the case of DES, the [[block size (cryptography)|block size]] is 64 bits. DES also uses a [[key (cryptography)|key]] to customize the transformation, so that decryption can supposedly only be performed by those who know the particular key used to encrypt. The key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. Eight bits are used solely for checking [[parity bit|parity]], and are thereafter discarded. Hence the effective [[key length]] is 56 bits, and it is always quoted as such.
 
The key is nominally stored or transmitted as 8 [[byte]]s, each with odd parity. According to ANSI X3.92-1981, section 3.5:
 
{{quote|One bit in each 8-bit byte of the ''KEY'' may be utilized for error detection in key generation, distribution, and storage. Bits 8, 16,..., 64 are for use in ensuring that each byte is of odd parity.}}
 
Like other block ciphers, DES by itself is not a secure means of encryption but must instead be used in a [[block cipher mode of operation|mode of operation]]. FIPS-81 specifies several modes for use with DES.<ref>{{Cite web|url=http://www.itl.nist.gov/fipspubs/fip81.htm |title=FIPS 81 - Des Modes of Operation |publisher=Itl.nist.gov |date= |accessdate=2009-06-02}}</ref> Further comments on the usage of DES are contained in FIPS-74.<ref>{{Cite web|url=http://www.itl.nist.gov/fipspubs/fip74.htm |title=FIPS 74 - Guidelines for Implementing and Using the NBS Data |publisher=Itl.nist.gov |date= |accessdate=2009-06-02}}</ref>
 
=== Overall structure ===
{{Unreferenced section|date=August 2009}}
The algorithm's overall structure is shown in Figure 1: there are 16 identical stages of processing, termed ''rounds''. There is also an initial and final [[permutation]], termed ''IP'' and ''FP'', which are [[inverse (function)|inverses]] (IP "undoes" the action of FP, and vice versa). IP and FP have no cryptographic significance, but were included in order to facilitate loading blocks in and out of mid-1970s 8-bit based hardware.<ref>{{Cite book|last=Schneier|title=Applied Cryptography|edition=1st|page=271}}</ref>
 
Before the main rounds, the block is divided into two 32-bit halves and processed alternately; this criss-crossing is known as the [[Feistel scheme]]. The Feistel structure ensures that decryption and encryption are very similar processes&nbsp;— the only difference is that the subkeys are applied in the reverse order when decrypting. The rest of the algorithm is identical. This greatly simplifies implementation, particularly in hardware, as there is no need for separate encryption and decryption algorithms.
 
The ⊕ symbol denotes the [[XOR|
exclusive-OR]] (XOR) operation. The ''F-function'' scrambles half a block together with some of the key. The output from the F-function is then combined with the other half of the block, and the halves are swapped before the next round. After the final round, the halves are swapped; this is a feature of the Feistel structure which makes encryption and decryption similar processes.
 
=== The Feistel (F) function ===
The F-function, depicted in Figure 2, operates on half a block (32 bits) at a time and consists of four stages:
<imagemap>
File:DES-f-function.png|thumb|250px|''[[:File:DES-f-function.png|Figure 2]]''—The Feistel function (F-function) of DES
rect 10 88 322 170 [[DES supplementary material#Expansion function (E)|Expansion function]]
rect 9 340 77 395 [[DES supplementary material#Substitution boxes (S-boxes)|Substitution box 1]]
rect 89 340 157 395 [[DES supplementary material#Substitution boxes (S-boxes)|Substitution box 2]]
rect 169 340 237 395 [[DES supplementary material#Substitution boxes (S-boxes)|Substitution box 3]]
rect 247 340 315 395 [[DES supplementary material#Substitution boxes (S-boxes)|Substitution box 4]]
rect 327 340 395 395 [[DES supplementary material#Substitution boxes (S-boxes)|Substitution box 5]]
rect 405 340 473 395 [[DES supplementary material#Substitution boxes (S-boxes)|Substitution box 6]]
rect 485 340 553 395 [[DES supplementary material#Substitution boxes (S-boxes)|Substitution box 7]]
rect 565 340 633 395 [[DES supplementary material#Substitution boxes (S-boxes)|Substitution box 8]]
rect 9 482 630 565 [[DES supplementary material#Permutation (P)|Permutation]]
circle 319 232 21 [[Exclusive or|XOR]]
</imagemap>
# ''Expansion''&nbsp;— the 32-bit half-block is expanded to 48 bits using the ''expansion permutation'', denoted ''E'' in the diagram, by duplicating half of the bits. The output consists of eight 6-bit (8 * 6 = 48 bits) pieces, each containing a copy of 4 corresponding input bits, plus a copy of the immediately adjacent bit from each of the input pieces to either side.
# ''Key mixing''&nbsp;— the result is combined with a ''subkey'' using an XOR operation. 16 48-bit subkeys&nbsp;— one for each round&nbsp;— are derived from the main key using the ''[[key schedule]]'' (described below).
# ''Substitution''&nbsp;— after mixing in the subkey, the block is divided into eight 6-bit pieces before processing by the ''[[Substitution box|S-boxes]]'', or ''substitution boxes''. Each of the eight S-boxes replaces its six input bits with four output bits according to a non-linear transformation, provided in the form of a [[lookup table]]. The S-boxes provide the core of the security of DES&nbsp;— without them, the cipher would be linear, and trivially breakable.
# ''Permutation''&nbsp;— finally, the 32 outputs from the S-boxes are rearranged according to a fixed [[permutation]], the ''P-box''. This is designed so that, after permutation, each S-box's output bits are spread across 4 different S boxes in the next round.
 
The alternation of substitution from the S-boxes, and permutation of bits from the P-box and E-expansion provides so-called "[[confusion and diffusion]]" respectively, a concept identified by [[Claude Shannon]] in the 1940s as a necessary condition for a secure yet practical cipher.
 
=== Key schedule ===
<imagemap>
File:DES-key-schedule.png|thumb|250px|''[[:File:DES-key-schedule.png|Figure 3]]''— The key-schedule of DES
rect 96 28 298 58 [[DES supplementary material#Permuted choice 1 (PC-1)|Permuted choice 1]]
rect 127 122 268 155 [[DES supplementary material#Permuted choice 2 (PC-2)|Permuted choice 2]]
rect 127 216 268 249 [[DES supplementary material#Permuted choice 2 (PC-2)|Permuted choice 2]]
rect 127 357 268 390 [[DES supplementary material#Permuted choice 2 (PC-2)|Permuted choice 2]]
rect 127 451 268 484 [[DES supplementary material#Permuted choice 2 (PC-2)|Permuted choice 2]]
rect 96 91 127 116 [[DES supplementary material#Rotations in the key-schedule|Left shift by 1]]
rect 268 91 299 116 [[DES supplementary material#Rotations in the key-schedule|Left shift by 1]]
rect 96 185 127 210 [[DES supplementary material#Rotations in the key-schedule|Left shift by 1]]
rect 268 185 299 210 [[DES supplementary material#Rotations in the key-schedule|Left shift by 1]]
rect 96 326 127 351 [[DES supplementary material#Rotations in the key-schedule|Left shift by 2]]
rect 268 326 299 351 [[DES supplementary material#Rotations in the key-schedule|Left shift by 2]]
rect 96 419 127 444 [[DES supplementary material#Rotations in the key-schedule|Left shift by 1]]
rect 268 419 299 444 [[DES supplementary material#Rotations in the key-schedule|Left shift by 1]]
</imagemap>
Figure 3 illustrates the ''key schedule'' for encryption &nbsp;— the algorithm which generates the subkeys. Initially, 56 bits of the key are selected from the initial 64 by ''Permuted Choice 1'' (''PC-1'')&nbsp;— the remaining eight bits are either discarded or used as [[parity bit|parity]] check bits. The 56 bits are then divided into two 28-bit halves; each half is thereafter treated separately. In successive rounds, both halves are rotated left by one or two bits (specified for each round), and then 48 subkey bits are selected by ''Permuted Choice 2'' (''PC-2'')&nbsp;— 24 bits from the left half, and 24 from the right. The rotations (denoted by "<<<" in the diagram) mean that a different set of bits is used in each subkey; each bit is used in approximately 14 out of the 16 subkeys.
 
The key schedule for decryption is similar&nbsp;— the subkeys are in reverse order compared to encryption. Apart from that change, the process is the same as for encryption. The same 28 bits are passed to all rotation boxes.
 
== Security and cryptanalysis ==
Although more information has been published on the cryptanalysis of DES than any other block cipher, the most practical attack to date is still a brute force approach. Various minor cryptanalytic properties are known, and three theoretical attacks are possible which, while having a theoretical complexity less than a brute force attack, require an unrealistic number of [[known plaintext|known]] or [[chosen plaintext]]s to carry out, and are not a concern in practice.
 
=== Brute force attack ===
For any cipher, the most basic method of attack is [[brute force attack|brute force]]&nbsp;— trying every possible key in turn. The [[key length|length of the key]] determines the number of possible keys, and hence the feasibility of this approach. For DES, questions were raised about the adequacy of its key size early on, even before it was adopted as a standard, and it was the small key size, rather than theoretical cryptanalysis, which dictated a need for a replacement algorithm. As a result of discussions involving external consultants including the NSA, the key size was reduced from 128 bits to 56 bits to fit on a single chip.<ref name="stallings-2006">Stallings, W. ''Cryptography and network security: principles and practice''. Prentice Hall, 2006. p. 73</ref>
 
[[File:Board300.jpg|thumb|The [[Electronic Frontier Foundation|EFF]]'s US$250,000 [[EFF DES cracker|DES cracking machine]] contained 1,856 custom chips and could brute force a DES key in a matter of days&nbsp;— the photo shows a DES Cracker circuit board fitted with several Deep Crack chips.]]
 
In academia, various proposals for a DES-cracking machine were advanced. In 1977, Diffie and Hellman proposed a machine costing an estimated US$20 million which could find a DES key in a single day. By 1993, Wiener had proposed a key-search machine costing US$1 million which would find a key within 7 hours. However, none of these early proposals were ever implemented—or, at least, no implementations were publicly acknowledged. The vulnerability of DES was practically demonstrated in the late 1990s. In 1997, [[RSA Security]] sponsored a series of contests, offering a $10,000 prize to the first team that broke a message encrypted with DES for the contest. That contest was won by the [[DESCHALL Project]], led by Rocke Verser, [[Matt Curtin]], and Justin Dolske, using idle cycles of thousands of computers across the Internet. The feasibility of cracking DES quickly was demonstrated in 1998 when a custom DES-cracker was built by the [[Electronic Frontier Foundation]] (EFF), a cyberspace civil rights group, at the cost of approximately US$250,000 (see [[EFF DES cracker]]). Their motivation was to show that DES was breakable in practice as well as in theory: "''There are many people who will not believe a truth until they can see it with their own eyes. Showing them a physical machine that can crack DES in a few days is the only way to convince some people that they really cannot trust their security to DES.''" The machine brute-forced a key in a little more than 2 days search.
 
The next confirmed DES cracker was the COPACOBANA machine built in 2006 by teams of the [[Ruhr University|Universities of Bochum]] and [[University of Kiel|Kiel]], both in [[Germany]]. Unlike the EFF machine, COPACOBANA consists of commercially available, reconfigurable integrated circuits. 120 of these [[field-programmable gate array]]s (FPGAs) of type XILINX Spartan-3 1000 run in parallel. They are grouped in 20 DIMM modules, each containing 6 FPGAs. The use of reconfigurable hardware makes the machine applicable to other code breaking tasks as well.<ref>{{cite web
| title = Getting Started, COPACOBANA — Cost-optimized Parallel Code-Breaker
| url = http://www.copacobana.org/paper/copacobana_gettingstarted.pdf
| date = December 12, 2006
| accessdate = March 6, 2012
}}</ref>  One of the more interesting aspects of COPACOBANA is its cost factor. One machine can be built for approximately $10,000.<ref>{{cite book
| author = Reinhard Wobst
| title = Cryptology Unlocked
| date = October 16, 2007
| publisher = John Wiley & Sons
}}</ref> The cost decrease by roughly a factor of 25 over the EFF machine is an example of the continuous improvement of [[digital hardware]] -- see [[Moore's law]]. Adjusting for inflation over 8 years yields an even higher improvement of about 30x. Since 2007, [[SciEngines GmbH]], a spin-off company of the two project partners of COPACOBANA has enhanced and developed successors of COPACOBANA. In 2008 their COPACOBANA RIVYERA reduced the time to break DES to less than one day, using 128 Spartan-3 5000's. Currently SciEngines RIVYERA holds the record in brute-force breaking DES, having utilized 128 Spartan-3 5000 FPGAs.<ref>[http://www.sciengines.com/company/news-a-events/74-des-in-1-day.html Break DES in less than a single day] [Press release of Firm, demonstrated on 2009 Workshop]</ref> Their 256 Spartan-6 LX150 model has even lowered this time.
 
=== Attacks faster than brute-force ===
There are three attacks known that can break the full 16 rounds of DES with less complexity than a brute-force search: [[differential cryptanalysis]] (DC), linear cryptanalysis (LC), and [[Davies' attack]]. However, the attacks are theoretical and are unfeasible to mount in practice{{Citation needed|date=August 2010}}; these types of attack are sometimes termed certificational weaknesses.
 
* [[Differential cryptanalysis]] was rediscovered in the late 1980s by [[Eli Biham]] and [[Adi Shamir]]; it was known earlier to both IBM and the NSA and kept secret. To break the full 16 rounds, differential cryptanalysis requires 2<sup>49</sup> [[chosen plaintext]]s.<ref name="biham-1992">Biham, E. and Shamir, A. ''Differential Cryptanalysis of the Data Encryption Standard - Advances in Cryptology - CRYPTO '92, 12th Annual International Cryptology Conference, Santa Barbara, California, USA, August 16–20, 1992, Proceedings''. 1992. p. 487-496</ref> DES was designed to be resistant to DC.
* [[Linear cryptanalysis]] was discovered by [[Mitsuru Matsui]], and needs 2<sup>43</sup> [[known plaintext]]s (Matsui, 1993); the method was implemented (Matsui, 1994), and was the first experimental cryptanalysis of DES to be reported. There is no evidence that DES was tailored to be resistant to this type of attack. A generalization of LC&nbsp;— ''multiple linear cryptanalysis''&nbsp;— was suggested in 1994 (Kaliski and Robshaw), and was further refined by Biryukov and others. (2004); their analysis suggests that multiple linear approximations could be used to reduce the data requirements of the attack by at least a factor of 4 (that is, 2<sup>41</sup> instead of 2<sup>43</sup>). A similar reduction in data complexity can be obtained in a chosen-plaintext variant of linear cryptanalysis (Knudsen and Mathiassen, 2000). Junod (2001) performed several experiments to determine the actual time complexity of linear cryptanalysis, and reported that it was somewhat faster than predicted, requiring time equivalent to 2<sup>39</sup>–2<sup>41</sup> DES evaluations.
* ''Improved Davies' attack'': while linear and differential cryptanalysis are general techniques and can be applied to a number of schemes, Davies' attack is a specialized technique for DES, first suggested by [[Donald Davies]] in the eighties, and improved by Biham and [[Alex Biryukov|Biryukov]] (1997). The most powerful form of the attack requires 2<sup>50</sup> [[known plaintext]]s, has a computational complexity of 2<sup>50</sup>, and has a 51% success rate.
 
There have also been attacks proposed against reduced-round versions of the cipher, that is, versions of DES with fewer than 16 rounds. Such analysis gives an insight into how many rounds are needed for safety, and how much of a "security margin" the full version retains. [[Differential-linear cryptanalysis]] was proposed by Langford and Hellman in 1994, and combines differential and linear cryptanalysis into a single attack. An enhanced version of the attack can break 9-round DES with 2<sup>15.8</sup> chosen plaintexts and has a 2<sup>29.2</sup> time complexity (Biham and others, 2002).
 
=== Minor cryptanalytic properties ===
DES exhibits the complementation property, namely that
:<math>E_K(P)=C \Leftrightarrow E_{\overline{K}}(\overline{P})=\overline{C}</math>
where <math>\overline{x}</math> is the [[bitwise complement]] of <math>x.</math> <math>E_K</math> denotes encryption with key <math>K.</math> <math>P</math> and <math>C</math> denote plaintext and ciphertext blocks respectively. The complementation property means that the work for a [[brute force attack]] could be reduced by a factor of 2 (or a single bit) under a [[chosen-plaintext attack|chosen-plaintext]] assumption. By definition, this property also applies also to TDES cipher.
 
DES also has four so-called ''[[Weak key#Weak_keys_in_DES|weak keys]]''. Encryption (''E'') and decryption (''D'') under a weak key have the same effect (see [[involution (mathematics)|involution]]):
:<math>E_K(E_K(P)) = P</math> or equivalently, <math>E_K = D_K.</math>
There are also six pairs of ''semi-weak keys''. Encryption with one of the pair of semiweak keys, <math>K_1</math>, operates identically to decryption with the other, <math>K_2</math>:
:<math>E_{K_1}(E_{K_2}(P)) = P</math> or equivalently, <math>E_{K_2} = D_{K_1}.</math>
It is easy enough to avoid the weak and semiweak keys in an implementation, either by testing for them explicitly, or simply by choosing keys randomly; the odds of picking a weak or semiweak key by chance are negligible. The keys are not really any weaker than any other keys anyway, as they do not give an attack any advantage.
 
DES has also been proved not to be a [[group (mathematics)|group]], or more precisely, the set <math>\{E_K\}</math> (for all possible keys <math>K</math>) under [[functional composition]] is not a group, nor "close" to being a group.<ref>[http://dl.acm.org/citation.cfm?id=705523 Campbell and Wiener, 1992]</ref> This was an open question for some time, and if it had been the case, it would have been possible to break DES, and multiple encryption modes such as [[Triple DES]] would not increase the security.
 
It is known that the maximum cryptographic security of DES is limited to about 64 bits, even when independently choosing all round subkeys instead of deriving them from a key, which would otherwise permit a security of 768 bits.
 
== Replacement algorithms ==
{{Unreferenced section|date=November 2009}}
Concerns about security and the relatively slow operation of DES in [[software]] motivated researchers to propose a variety of alternative [[block cipher]] designs, which started to appear in the late 1980s and early 1990s: examples include [[RC5]], [[Blowfish (cipher)|Blowfish]], [[International Data Encryption Algorithm|IDEA]], [[NewDES]], [[SAFER]], [[CAST5]] and [[FEAL]]. Most of these designs kept the 64-bit [[block size (cryptography)|block size]] of DES, and could act as a "drop-in" replacement, although they typically used a 64-bit or 128-bit key. In the [[USSR]] the [[GOST 28147-89]] algorithm was introduced, with a 64-bit block size and a 256-bit key, which was also used in [[Russia]] later.
 
DES itself can be adapted and reused in a more secure scheme. Many former DES users now use [[Triple DES]] (TDES) which was described and analysed by one of DES's patentees (see [[Federal Information Processing Standard|FIPS]] Pub 46-3); it involves applying DES three times with two (2TDES) or three (3TDES) different keys. TDES is regarded as adequately secure, although it is quite slow. A less computationally expensive alternative is [[DES-X]], which increases the key size by XORing extra key material before and after DES. [[GDES]] was a DES variant proposed as a way to speed up encryption, but it was shown to be susceptible to differential cryptanalysis.
 
On January 2, 1997, NIST announced that they wished to choose a successor to DES.<ref>http://csrc.nist.gov/archive/aes/pre-round1/aes_9701.txt</ref> In 2001, after an international competition, NIST selected a new cipher, the Advanced Encryption Standard (AES), as a replacement.<ref>http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf</ref> The algorithm which was selected as the AES was submitted by its designers under the name [[Rijndael]]. Other finalists in the NIST [[AES competition]] included [[RC6]], [[Serpent (cipher)|Serpent]], [[MARS (cryptography)|MARS]], and [[Twofish]].
 
== See also ==
{{Portal|Cryptography}}
* [[DES supplementary material]]
* [[Triple DES]]
* [[Skipjack (cipher)]]
* [[Symmetric key algorithm]]
 
== Notes ==
{{Reflist|30em}}
 
==References==
<div class="references-small">
*{{Cite journal| author=[[Eli Biham|Biham, Eli]] and [[Adi Shamir|Shamir, Adi]] |title=Differential Cryptanalysis of DES-like Cryptosystems |journal=[[Journal of Cryptology]] |volume=4 |issue=1 |year=1991 |pages=3–72 |url=http://www.springerlink.com/content/k54h077np8714058/ |doi=10.1007/BF00630563}} ([http://nfotemple.free.fr/site_cryptokg/site_roy/differential%20cryptanalysis%20of%20des-like%20cryptosystems.pdf preprint])
*[[Eli Biham|Biham, Eli]] and [[Adi Shamir|Shamir, Adi]], Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. ISBN 0-387-97930-1, ISBN 3-540-97930-1.
*[[Eli Biham|Biham, Eli]] and [[Alex Biryukov]]: An Improvement of Davies' Attack on DES. J. Cryptology 10(3): 195–206 (1997)
*[[Eli Biham|Biham, Eli]], Orr Dunkelman, Nathan Keller: Enhancing Differential-Linear Cryptanalysis. [[ASIACRYPT]] 2002: pp254–266
*[[Eli Biham|Biham, Eli]]: A Fast New DES Implementation in Software
* [http://cryptome.org/cracking-des/cracking-des.htm Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design], [[Electronic Frontier Foundation]]
*{{Cite journal|author=Biryukov, A, C. De Canniere and M. Quisquater|editor1-last=Franklin|editor1-first=Matt |title=On Multiple Linear Approximations |journal=[[Lecture Notes in Computer Science]] |volume=3152 |year=2004 |pages=1–22 |url=http://www.springerlink.com/content/16udaqwwl9ffrtxt/ |doi=10.1007/b99099}} ([http://www.esat.kuleuven.ac.be/~abiryuko/mla.pdf preprint]).
*Campbell, Keith W., Michael J. Wiener: DES is not a Group. CRYPTO 1992: pp512–520
* [[Don Coppersmith|Coppersmith, Don]]. (1994). [http://web.archive.org/web/20070615132907/http://www.research.ibm.com/journal/rd/383/coppersmith.pdf The data encryption standard (DES) and its strength against attacks]. ''IBM Journal of Research and Development'', '''38'''(3), 243–250.
*[[Whitfield Diffie|Diffie, Whitfield]] and [[Martin Hellman]], "Exhaustive Cryptanalysis of the NBS Data Encryption Standard" IEEE Computer 10(6), June 1977, pp74–84
*Ehrsam and others., Product Block Cipher System for Data Security, {{US patent|3962539}}, Filed February 24, 1975
*[[John Gilmore (activist)|Gilmore, John]], "Cracking DES: Secrets of Encryption Research, Wiretap Politics and Chip Design", 1998, O'Reilly, ISBN 1-56592-520-3.
*Junod, Pascal. [http://crypto.junod.info/sac01.html "On the Complexity of Matsui's Attack."] [[Selected Areas in Cryptography]], 2001, pp199–211.
* [[Burt Kaliski|Kaliski, Burton S.]], [[Matt Robshaw]]: Linear Cryptanalysis Using Multiple Approximations. CRYPTO 1994: pp26–39
* [[Lars R. Knudsen|Knudsen, Lars]], John Erik Mathiassen: A Chosen-Plaintext Linear Attack on DES. [[Fast Software Encryption]] - FSE 2000: pp262–272
*Langford, Susan K., Martin E. Hellman: Differential-Linear Cryptanalysis. CRYPTO 1994: 17–25
*[[Steven Levy|Levy, Steven]], [[Crypto: How the Code Rebels Beat the Government—Saving Privacy in the Digital Age]], 2001, ISBN 0-14-024432-8.
* {{Cite journal|first=Mitsuru|editor1-last=Helleseth|last=Matsui|editor1-first=Tor|title=Linear Cryptanalysis Method for DES Cipher |journal=[[Lecture Notes in Computer Science]] |volume=765 |year=1994 |pages=386–397 |url=http://www.springerlink.com/content/92509p5l4ravyn62/ |doi=10.1007/3-540-48285-7}} ([http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.50.8472 preprint])
* {{Cite journal|author=Mitsuru Matsui |title=The First Experimental Cryptanalysis of the Data Encryption Standard |journal=[[Lecture Notes in Computer Science]] |volume=839 |year=1994 |pages=1–11 |url=http://www.springerlink.com/content/vrteugmt7erqqbw1/ |doi=10.1007/3-540-48658-5_1}}
* National Bureau of Standards, Data Encryption Standard, FIPS-Pub.46. National Bureau of Standards, U.S. Department of Commerce, Washington D.C., January 1977.
* Christof Paar, Jan Pelzl, [http://wiki.crypto.rub.de/Buch/movies.php#3  "The Data Encryption Standard (DES) and Alternatives"], free online lectures on Chapter 3 of "Understanding Cryptography, A Textbook for Students and Practitioners". Springer, 2009.
 
</div>
 
==External links==
{{commons category|Data Encryption Standard}}
*[http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf FIPS 46-3: The official document describing the DES standard] (PDF); [http://www.itl.nist.gov/fipspubs/fip46-2.htm An older version in HTML]
*[http://www.sciengines.com/copacobana COPACOBANA, a $10,000 DES cracker based on FPGAs by the Universities of Bochum and Kiel]
*[http://dhost.info/pasjagor/des/ DES step-by-step presentation and reliable message encoding application]
*[http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1997/CS/CS0891.ps A Fast New DES Implementation in Software - Biham]
*[http://eprint.iacr.org/2004/057.ps.gz On Multiple Linear Approximations]
*[http://www.rfc-editor.org/rfc/rfc4772.txt RFC4772 : Security Implications of Using the Data Encryption Standard (DES)]
{{Cryptography navbox | block}}
 
[[Category:Broken block ciphers]]
[[Category:Feistel ciphers]]
[[Category:Data Encryption Standard]]
 
{{Link GA|pl}}
{{Link FA|ca}}
{{Link FA|it}}

Revision as of 19:48, 22 February 2014

The name of the author is Joe Ton. My husband and I inhabit North Carolina. One of the things he loves most is to play crochet but he's been taking on new things lately. Office supervising is a few things i do as a living but soon my wife and I will start my business.

Also visit my page; Philippines

Retrieved from "https://en.formulasearchengine.com/index.php?title=Data_Encryption_Standard&oldid=219183"