Data Encryption Standard

The Data Encryption Standard (DES) is a symmetric-key algorithm and block cipher standard developed in the 1970s and chosen as a federal standard in 1976. DES uses a 56-bit key to encrypt 64-bit blocks of data and was the first open encryption standard. While it was once widely used, DES is now considered insecure due to advances in computing power allowing practical brute force attacks on its 56-bit key in less than a day. Triple DES and the Advanced Encryption Standard (AES) have since replaced DES as secure standards.

Uploaded by

Chindala Murali
Copyright
© Attribution Non-Commercial (BY-NC)

Data Encryption Standard

From Wikipedia, the free encyclopedia



Data Encryption Standard

Figure: The Feistel function (F function) of DES

General
Designers: IBM
First published: 1977 (standardized in January 1979)
Derived from: Lucifer
Successors: Triple DES, G-DES, DES-X, LOKI89, ICE

Cipher detail
Key sizes: 56 bits
Block sizes: 64 bits
Structure: Balanced Feistel network
Rounds: 16

Best public cryptanalysis
DES is now considered insecure because a brute force attack is possible (see EFF DES cracker). As of 2008, the best
analytical attack is linear cryptanalysis, which requires 2^43 known plaintexts and has a time complexity of 2^39–2^43
(Junod, 2001); under a chosen-plaintext assumption, the data complexity can be reduced by a factor of four (Knudsen and
Mathiassen, 2000).

The Data Encryption Standard (DES) is a block cipher that uses shared secret encryption. It
was selected by the National Bureau of Standards as an official Federal Information Processing
Standard (FIPS) for the United States in 1976 and has subsequently enjoyed widespread
use internationally. It is based on a symmetric-key algorithm that uses a 56-bit key. The
algorithm was initially controversial because of classified design elements, a relatively short key
length, and suspicions about a National Security Agency (NSA) backdoor. DES consequently
came under intense academic scrutiny which motivated the modern understanding of block
ciphers and their cryptanalysis.

DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key
size being too small; in January, 1999, distributed.net and the Electronic Frontier Foundation
collaborated to publicly break a DES key in 22 hours and 15 minutes (see chronology). There are
also some analytical results which demonstrate theoretical weaknesses in the cipher, although
they are infeasible to mount in practice. The algorithm is believed to be practically secure in the
form of Triple DES, although there are theoretical attacks. In recent years, the cipher has been
superseded by the Advanced Encryption Standard (AES). Furthermore, DES has been withdrawn
as a standard by the National Institute of Standards and Technology (formerly the National
Bureau of Standards).

In some documentation, a distinction is made between DES as a standard and DES the algorithm
which is referred to as the DEA (the Data Encryption Algorithm). When spoken, "DES" is
either spelled out as an abbreviation (/ˌdiːˌiːˈɛs/), or pronounced as a one-syllable acronym
(/ˈdɛz/).

Contents

• 1 History of DES
   o 1.1 NSA's involvement in the design
   o 1.2 The algorithm as a standard
   o 1.3 Chronology
• 2 Replacement algorithms
• 3 Description
   o 3.1 Overall structure
   o 3.2 The Feistel (F) function
   o 3.3 Key schedule
• 4 Security and cryptanalysis
   o 4.1 Brute force attack
   o 4.2 Attacks faster than brute-force
   o 4.3 Minor cryptanalytic properties
• 5 See also
• 6 Notes
• 7 References
• 8 External links

History of DES


The origins of DES go back to the early 1970s. In 1972, after concluding a study on the US
government's computer security needs, the US standards body NBS (National Bureau of
Standards) — now named NIST (National Institute of Standards and Technology) — identified a
need for a government-wide standard for encrypting unclassified, sensitive information.[1]
Accordingly, on 15 May 1973, after consulting with the NSA, NBS solicited proposals for a
cipher that would meet rigorous design criteria. None of the submissions, however, turned out to
be suitable. A second request was issued on 27 August 1974. This time, IBM submitted a
candidate which was deemed acceptable — a cipher developed during the period 1973–1974
based on an earlier algorithm, Horst Feistel's Lucifer cipher. The team at IBM involved in cipher
design and analysis included Feistel, Walter Tuchman, Don Coppersmith, Alan Konheim, Carl
Meyer, Mike Matyas, Roy Adler, Edna Grossman, Bill Notz, Lynn Smith, and Bryant
Tuckerman.

NSA's involvement in the design

On 17 March 1975, the proposed DES was published in the Federal Register. Public comments
were requested, and in the following year two open workshops were held to discuss the proposed
standard. There was some criticism from various parties, including from public-key
cryptography pioneers Martin Hellman and Whitfield Diffie, citing a shortened key length and
the mysterious "S-boxes" as evidence of improper interference from the NSA. The suspicion was
that the algorithm had been covertly weakened by the intelligence agency so that they — but no-
one else — could easily read encrypted messages.[2] Alan Konheim (one of the designers of DES)
commented, "We sent the S-boxes off to Washington. They came back and were all different."[3]
The United States Senate Select Committee on Intelligence reviewed the NSA's actions to
determine whether there had been any improper involvement. In the unclassified summary of
their findings, published in 1978, the Committee wrote:

In the development of DES, NSA convinced IBM that a reduced key size was sufficient;
indirectly assisted in the development of the S-box structures; and certified that the final DES
algorithm was, to the best of their knowledge, free from any statistical or mathematical
weakness.[4]

However, it also found that


NSA did not tamper with the design of the algorithm in any way. IBM invented and designed the
algorithm, made all pertinent decisions regarding it, and concurred that the agreed upon key size
was more than adequate for all commercial applications for which the DES was intended.[5]

Another member of the DES team, Walter Tuchman, stated "We developed the DES algorithm
entirely within IBM using IBMers. The NSA did not dictate a single wire!"[6] In contrast, a
declassified NSA book on cryptologic history states:

In 1973 NBS solicited private industry for a data encryption standard (DES). The first offerings
were disappointing, so NSA began working on its own algorithm. Then Howard Rosenblum,
deputy director for research and engineering, discovered that Walter Tuchman of IBM was
working on a modification to Lucifer for general use. NSA gave Tuchman a clearance and
brought him in to work jointly with the Agency on his Lucifer modification.[7]

and

NSA worked closely with IBM to strengthen the algorithm against all except brute force attacks
and to strengthen substitution tables, called S-boxes. Conversely, NSA tried to convince IBM to
reduce the length of the key from 64 to 48 bits. Ultimately they compromised on a 56-bit key.[8]

Some of the suspicions about hidden weaknesses in the S-boxes were allayed in 1990, with the
independent discovery and open publication by Eli Biham and Adi Shamir of differential
cryptanalysis, a general method for breaking block ciphers. The S-boxes of DES were much
more resistant to the attack than if they had been chosen at random, strongly suggesting that IBM
knew about the technique in the 1970s. This was indeed the case; in 1994, Don Coppersmith
published some of the original design criteria for the S-boxes.[9] According to Steven Levy, IBM
Watson researchers discovered differential cryptanalytic attacks in 1974 and were asked by the
NSA to keep the technique secret.[10] Coppersmith explains IBM's secrecy decision by saying,
"that was because [differential cryptanalysis] can be a very powerful tool, used against many
schemes, and there was concern that such information in the public domain could adversely
affect national security." Levy quotes Walter Tuchman: "[t]hey asked us to stamp all our
documents confidential... We actually put a number on each one and locked them up in safes,
because they were considered U.S. government classified. They said do it. So I did it".[10] Bruce
Schneier observed that "It took the academic community two decades to figure out that the NSA
'tweaks' actually improved the security of DES."[11]

The algorithm as a standard

Despite the criticisms, DES was approved as a federal standard in November 1976, and
published on 15 January 1977 as FIPS PUB 46, authorized for use on all unclassified data. It
was subsequently reaffirmed as the standard in 1983, 1988 (revised as FIPS-46-1), 1993 (FIPS-
46-2), and again in 1999 (FIPS-46-3), the latter prescribing "Triple DES" (see below). On 26
May 2002, DES was finally superseded by the Advanced Encryption Standard (AES), following
a public competition. On 19 May 2005, FIPS 46-3 was officially withdrawn, but NIST has
approved Triple DES through the year 2030 for sensitive government information.[12]
The algorithm is also specified in ANSI X3.92,[13] NIST SP 800-67[12] and ISO/IEC 18033-3[14]
(as a component of TDEA).

Another theoretical attack, linear cryptanalysis, was published in 1994, but it was a brute force
attack in 1998 that demonstrated that DES could be attacked very practically, and highlighted the
need for a replacement algorithm. These and other methods of cryptanalysis are discussed in
more detail later in the article.

The introduction of DES is considered to have been a catalyst for the academic study of
cryptography, particularly of methods to crack block ciphers. According to a NIST retrospective
about DES,

The DES can be said to have "jump started" the nonmilitary study and development of
encryption algorithms. In the 1970s there were very few cryptographers, except for those
in military or intelligence organizations, and little academic study of cryptography. There
are now many active academic cryptologists, mathematics departments with strong
programs in cryptography, and commercial information security companies and
consultants. A generation of cryptanalysts has cut its teeth analyzing (that is trying to
"crack") the DES algorithm. In the words of cryptographer Bruce Schneier,[15] "DES did
more to galvanize the field of cryptanalysis than anything else. Now there was an
algorithm to study." An astonishing share of the open literature in cryptography in the
1970s and 1980s dealt with the DES, and the DES is the standard against which every
symmetric key algorithm since has been compared.[16]

Chronology

Date          Year  Event
15 May        1973  NBS publishes a first request for a standard encryption algorithm
27 August     1974  NBS publishes a second request for encryption algorithms
17 March      1974  DES is published in the Federal Register for comment
August        1976  First workshop on DES
September     1976  Second workshop, discussing mathematical foundation of DES
November      1976  DES is approved as a standard
15 January    1977  DES is published as a FIPS standard FIPS PUB 46
              1983  DES is reaffirmed for the first time
              1986  Videocipher II, a TV satellite scrambling system based upon DES begins use by HBO
22 January    1988  DES is reaffirmed for the second time as FIPS 46-1, superseding FIPS PUB 46
July          1990  Biham and Shamir rediscover differential cryptanalysis, and apply it to a 15-round DES-like cryptosystem.
              1992  Biham and Shamir report the first theoretical attack with less complexity than brute force: differential cryptanalysis. However, it requires an unrealistic 2^47 chosen plaintexts.
30 December   1993  DES is reaffirmed for the third time as FIPS 46-2
              1994  The first experimental cryptanalysis of DES is performed using linear cryptanalysis (Matsui, 1994).
June          1997  The DESCHALL Project breaks a message encrypted with DES for the first time in public.
July          1998  The EFF's DES cracker (Deep Crack) breaks a DES key in 56 hours.
January       1999  Together, Deep Crack and distributed.net break a DES key in 22 hours and 15 minutes.
25 October    1999  DES is reaffirmed for the fourth time as FIPS 46-3, which specifies the preferred use of Triple DES, with single DES permitted only in legacy systems.
26 November   2001  The Advanced Encryption Standard is published in FIPS 197
26 May        2002  The AES standard becomes effective
26 July       2004  The withdrawal of FIPS 46-3 (and a couple of related standards) is proposed in the Federal Register[17]
19 May        2005  NIST withdraws FIPS 46-3 (see Federal Register vol 70, number 96)
April         2006  The FPGA based parallel machine COPACOBANA of the Universities of Bochum and Kiel, Germany, breaks DES in 9 days at $10,000 hardware cost.[18] Within a year software improvements reduced the average time to 6.4 days.
Nov.          2008  The successor of COPACOBANA, the RIVYERA machine reduced the average time to less than one single day.

Replacement algorithms

Concerns about security and the relatively slow operation of DES in software motivated
researchers to propose a variety of alternative block cipher designs, which started to appear in the
late 1980s and early 1990s: examples include RC5, Blowfish, IDEA, NewDES, SAFER, CAST5
and FEAL. Most of these designs kept the 64-bit block size of DES, and could act as a "drop-in"
replacement, although they typically used a 64-bit or 128-bit key. In the USSR the GOST 28147-
89 algorithm was introduced, with a 64-bit block size and a 256-bit key, which was also used in
Russia later.

DES itself can be adapted and reused in a more secure scheme. Many former DES users now use
Triple DES (TDES) which was described and analysed by one of DES's patentees (see FIPS Pub
46-3); it involves applying DES three times with two (2TDES) or three (3TDES) different keys.
TDES is regarded as adequately secure, although it is quite slow. A less computationally
expensive alternative is DES-X, which increases the key size by XORing extra key material
before and after DES. GDES was a DES variant proposed as a way to speed up encryption, but it
was shown to be susceptible to differential cryptanalysis.

In 2001, after an international competition, NIST selected a new cipher, the Advanced
Encryption Standard (AES), as a replacement. The algorithm which was selected as the AES was
submitted by its designers under the name Rijndael. Other finalists in the NIST AES competition
included RC6, Serpent, MARS and Twofish.

Description
Figure 1— The overall Feistel structure of DES
For brevity, the following description omits the exact transformations and permutations
which specify the algorithm; for reference, the details can be found in DES
supplementary material.

DES is the archetypal block cipher — an algorithm that takes a fixed-length string of plaintext
bits and transforms it through a series of complicated operations into another ciphertext bitstring
of the same length. In the case of DES, the block size is 64 bits. DES also uses a key to
customize the transformation, so that decryption can supposedly only be performed by those who
know the particular key used to encrypt. The key ostensibly consists of 64 bits; however, only 56
of these are actually used by the algorithm. Eight bits are used solely for checking parity, and are
thereafter discarded. Hence the effective key length is 56 bits, and it is never quoted as such.
Every 8th bit of the selected key is discarded, i.e. positions 8, 16, 24, 32, 40, 48, 56, 64 are
removed from the 64 bit key leaving behind only the 56 bit key.

Like other block ciphers, DES by itself is not a secure means of encryption but must instead be
used in a mode of operation. FIPS-81 specifies several modes for use with DES.[19] Further
comments on the usage of DES are contained in FIPS-74.[20]

Overall structure

The algorithm's overall structure is shown in Figure 1: there are 16 identical stages of processing,
termed rounds. There is also an initial and final permutation, termed IP and FP, which are
inverses (IP "undoes" the action of FP, and vice versa). IP and FP have almost no cryptographic
significance, but were apparently included in order to facilitate loading blocks in and out of mid-
1970s hardware.

Before the main rounds, the block is divided into two 32-bit halves and processed alternately;
this criss-crossing is known as the Feistel scheme. The Feistel structure ensures that decryption
and encryption are very similar processes — the only difference is that the subkeys are applied in
the reverse order when decrypting. The rest of the algorithm is identical. This greatly simplifies
implementation, particularly in hardware, as there is no need for separate encryption and
decryption algorithms.

The ⊕ symbol denotes the exclusive-OR (XOR) operation. The F-function scrambles half a
block together with some of the key. The output from the F-function is then combined with the
other half of the block, and the halves are swapped before the next round. After the final round,
the halves are not swapped; this is a feature of the Feistel structure which makes encryption and
decryption similar processes.

The Feistel (F) function

The F-function, depicted in Figure 2, operates on half a block (32 bits) at a time and consists of
four stages:
Figure 2—The Feistel function (F-function) of DES

1. Expansion — the 32-bit half-block is expanded to 48 bits using the expansion
   permutation, denoted E in the diagram, by duplicating half of the bits. The output
   consists of eight 6-bit (8 × 6 = 48 bits) pieces, each containing a copy of 4 corresponding
   input bits, plus a copy of the immediately adjacent bit from each of the input pieces to
   either side.
2. Key mixing — the result is combined with a subkey using an XOR operation. Sixteen 48-bit
   subkeys — one for each round — are derived from the main key using the key
   schedule (described below).
3. Substitution — after mixing in the subkey, the block is divided into eight 6-bit pieces
   before processing by the S-boxes, or substitution boxes. Each of the eight S-boxes
   replaces its six input bits with four output bits according to a non-linear transformation,
   provided in the form of a lookup table. The S-boxes provide the core of the security of
   DES — without them, the cipher would be linear, and trivially breakable.
4. Permutation — finally, the 32 outputs from the S-boxes are rearranged according to a
   fixed permutation, the P-box. This is designed so that, after expansion, each S-box's
   output bits are spread across 6 different S-boxes in the next round.

The alternation of substitution from the S-boxes, and permutation of bits from the P-box and E-
expansion provides so-called "confusion and diffusion" respectively, a concept identified by
Claude Shannon in the 1940s as a necessary condition for a secure yet practical cipher.

Key schedule


Figure 3— The key-schedule of DES

Figure 3 illustrates the key schedule for encryption  — the algorithm which generates the
subkeys. Initially, 56 bits of the key are selected from the initial 64 by Permuted Choice 1 (PC-
1) — the remaining eight bits are either discarded or used as parity check bits. The 56 bits are
then divided into two 28-bit halves; each half is thereafter treated separately. In successive
rounds, both halves are rotated left by one or two bits (specified for each round), and then 48
subkey bits are selected by Permuted Choice 2 (PC-2) — 24 bits from the left half, and 24 from
the right. The rotations (denoted by "<<<" in the diagram) mean that a different set of bits is used
in each subkey; each bit is used in approximately 14 out of the 16 subkeys.

The key schedule for decryption is similar — the subkeys are in reverse order compared to
encryption. Apart from that change, the process is the same as for encryption. The same 28 bits
are passed to all rotation boxes.

Security and cryptanalysis

Although more information has been published on the cryptanalysis of DES than any other block
cipher, the most practical attack to date is still a brute force approach. Various minor
cryptanalytic properties are known, and three theoretical attacks are possible which, while having
a theoretical complexity less than a brute force attack, require an unrealistic number of known or
chosen plaintexts to carry out, and are not a concern in practice.

Brute force attack

For any cipher, the most basic method of attack is brute force — trying every possible key in
turn. The length of the key determines the number of possible keys, and hence the feasibility of
this approach. For DES, questions were raised about the adequacy of its key size early on, even
before it was adopted as a standard, and it was the small key size, rather than theoretical
cryptanalysis, which dictated a need for a replacement algorithm. As a result of discussions
involving external consultants including the NSA, the key size was reduced from 128 bits to 56
bits to fit on a single chip.[21]

The EFF's US$250,000 DES cracking machine contained 1,856 custom chips and could brute
force a DES key in a matter of days — the photo shows a DES Cracker circuit board fitted with
several Deep Crack chips.

In academia, various proposals for a DES-cracking machine were advanced. In 1977, Diffie and
Hellman proposed a machine costing an estimated US$20 million which could find a DES key in
a single day. By 1993, Wiener had proposed a key-search machine costing US$1 million which
would find a key within 7 hours. However, none of these early proposals were ever implemented
—or, at least, no implementations were publicly acknowledged. The vulnerability of DES was
practically demonstrated in the late 1990s. In 1997, RSA Security sponsored a series of contests,
offering a $10,000 prize to the first team that broke a message encrypted with DES for the
contest. That contest was won by the DESCHALL Project, led by Rocke Verser, Matt Curtin,
and Justin Dolske, using idle cycles of thousands of computers across the Internet. The feasibility
of cracking DES quickly was demonstrated in 1998 when a custom DES-cracker was built by the
Electronic Frontier Foundation (EFF), a cyberspace civil rights group, at the cost of
approximately US$250,000 (see EFF DES cracker). Their motivation was to show that DES was
breakable in practice as well as in theory: "There are many people who will not believe a truth
until they can see it with their own eyes. Showing them a physical machine that can crack DES
in a few days is the only way to convince some people that they really cannot trust their security
to DES." The machine brute-forced a key in a little more than 2 days' search.

The next confirmed DES cracker was the COPACOBANA machine built in 2006 by teams of
the Universities of Bochum and Kiel, both in Germany. Unlike the EFF machine,
COPACOBANA consists of commercially available, reconfigurable integrated circuits. 120 of
these Field-programmable gate arrays (FPGAs) of type XILINX Spartan3-1000 run in parallel.
They are grouped in 20 DIMM modules, each containing 6 FPGAs. The use of reconfigurable
hardware makes the machine applicable to other code breaking tasks as well. One of the more
interesting aspects of COPACOBANA is its cost factor. One machine can be built for
approximately $10,000. The cost decrease by roughly a factor of 25 over the EFF machine is an
impressive example for the continuous improvement of digital hardware. Adjusting for inflation
over 8 years yields an even higher improvement of about 30x. Since 2007, SciEngines GmbH, a
spin-off company of the two project partners of COPACOBANA has enhanced and developed
successors of COPACOBANA. In 2008 their COPACOBANA RIVYERA reduced the time to
break DES to less than one day, using 128 Spartan-3 5000's. Currently SciEngines RIVYERA
holds the record in brute-force breaking DES utilizing 128 Spartan-3 5000 FPGAs.[22]

Attacks faster than brute-force

There are three attacks known that can break the full sixteen rounds of DES with less complexity
than a brute-force search: differential cryptanalysis (DC), linear cryptanalysis (LC), and Davies'
attack. However, the attacks are theoretical and are unfeasible to mount in practice;
these types of attack are sometimes termed certificational weaknesses.

• Differential cryptanalysis was rediscovered in the late 1980s by Eli Biham and Adi
  Shamir; it was known earlier to both IBM and the NSA and kept secret. To break the full
  16 rounds, differential cryptanalysis requires 2^47 chosen plaintexts. DES was
  designed to be resistant to DC.
• Linear cryptanalysis was discovered by Mitsuru Matsui, and needs 2^43 known plaintexts
  (Matsui, 1993); the method was implemented (Matsui, 1994), and was the first
  experimental cryptanalysis of DES to be reported. There is no evidence that DES was
  tailored to be resistant to this type of attack. A generalization of LC — multiple linear
  cryptanalysis — was suggested in 1994 (Kaliski and Robshaw), and was further refined
  by Biryukov et al. (2004); their analysis suggests that multiple linear approximations
  could be used to reduce the data requirements of the attack by at least a factor of 4 (i.e.
  2^41 instead of 2^43). A similar reduction in data complexity can be obtained in a chosen-
  plaintext variant of linear cryptanalysis (Knudsen and Mathiassen, 2000). Junod (2001)
  performed several experiments to determine the actual time complexity of linear
  cryptanalysis, and reported that it was somewhat faster than predicted, requiring time
  equivalent to 2^39–2^41 DES evaluations.
• Improved Davies' attack: while linear and differential cryptanalysis are general
  techniques and can be applied to a number of schemes, Davies' attack is a specialized
  technique for DES, first suggested by Donald Davies in the eighties, and improved by
  Biham and Biryukov (1997). The most powerful form of the attack requires 2^50 known
  plaintexts, has a computational complexity of 2^50, and has a 51% success rate.

There have also been attacks proposed against reduced-round versions of the cipher, i.e. versions
of DES with fewer than sixteen rounds. Such analysis gives an insight into how many rounds are
needed for safety, and how much of a "security margin" the full version retains. Differential-
linear cryptanalysis was proposed by Langford and Hellman in 1994, and combines differential
and linear cryptanalysis into a single attack. An enhanced version of the attack can break 9-round
DES with 2^15.8 known plaintexts and has a 2^29.2 time complexity (Biham et al., 2002).

Minor cryptanalytic properties

DES exhibits the complementation property, namely that

where is the bitwise complement of x. EK denotes encryption with key K. P and C denote
plaintext and ciphertext blocks respectively. The complementation property means that the work
for a brute force attack could be reduced by a factor of 2 (or a single bit) under a chosen-
plaintext assumption.
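
An added example, not part of the original article, of the Feistel structure from the Overall structure section and the complementation property described here (encrypting the complemented plaintext under the complemented key yields the complemented ciphertext). It uses the DES expansion E and 16 rounds, but the substitution tables and round subkeys are constructed stand-ins (not the DES S-boxes or key schedule), and IP, FP and the P-box are omitted; both properties depend only on the Feistel structure and on XORing the subkey into E(R).

```python
import hashlib

MASK32, MASK48, MASK64 = (1 << 32) - 1, (1 << 48) - 1, (1 << 64) - 1

# DES expansion E: eight 6-bit groups, each holding 4 input bits plus the
# neighbouring bit on either side (1-based positions, wrapping 32 -> 1).
E = [((4 * g + j - 1) % 32) + 1 for g in range(8) for j in range(6)]

# Stand-in substitution tables, NOT the DES S-boxes: eight constructed
# 6-bit -> 4-bit lookups derived from SHA-256 so they are fixed and nonlinear.
SBOX = [[hashlib.sha256(bytes([box, x])).digest()[0] & 0xF for x in range(64)]
        for box in range(8)]

# Sixteen constructed 48-bit round subkeys (assumption: chosen independently
# instead of being derived by the DES key schedule).
SUBKEYS = [int.from_bytes(hashlib.sha256(b"rk%d" % i).digest()[:6], "big")
           for i in range(16)]


def expand(r):
    """Apply E to a 32-bit half-block, giving 48 bits."""
    out = 0
    for pos in E:
        out = (out << 1) | ((r >> (32 - pos)) & 1)
    return out


def f(r, subkey):
    """Round function: expansion, key mixing, substitution (P-box omitted)."""
    x = expand(r) ^ subkey
    out = 0
    for box in range(8):
        out = (out << 4) | SBOX[box][(x >> (42 - 6 * box)) & 0x3F]
    return out


def feistel(block, subkeys):
    """Run the rounds; the halves are not swapped after the final round."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return (right << 32) | left


def encrypt(block, subkeys):
    return feistel(block, subkeys)


def decrypt(block, subkeys):
    # Same routine, subkeys applied in reverse order.
    return feistel(block, subkeys[::-1])


def complementation_holds(block, subkeys):
    """Check E_{~K}(~P) == ~E_K(P). Complementing a DES key complements
    every subkey, because the key schedule only selects and rotates bits."""
    flipped_keys = [k ^ MASK48 for k in subkeys]
    return encrypt(block ^ MASK64, flipped_keys) == encrypt(block, subkeys) ^ MASK64


if __name__ == "__main__":
    pt = 0x0123456789ABCDEF  # constructed sample block
    ct = encrypt(pt, SUBKEYS)
    print(f"ciphertext        {ct:016X}")
    print(f"decrypts to       {decrypt(ct, SUBKEYS):016X}")
    print("complementation  ", complementation_holds(pt, SUBKEYS))
```

Because ~E(R) XOR ~K equals E(R) XOR K, the input to the substitution step is unchanged when both are complemented, which is why the property holds whatever tables are used.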

DES also has four so-called weak keys. Encryption (E) and decryption (D) under a weak key
have the same effect (see involution):

EK(EK(P)) = P or equivalently, EK = DK

There are also six pairs of semi-weak keys. Encryption with one of the pair of semiweak keys,
K1, operates identically to decryption with the other, K2:
or equivalently,

It is easy enough to avoid the weak and semiweak keys in an implementation, either by testing
for them explicitly, or simply by choosing keys randomly; the odds of picking a weak or
semiweak key by chance are negligible. The keys are not really any weaker than any other keys
anyway, as they do not give an attack any advantage.

DES has also been proved not to be a group, or more precisely, the set {EK} (for all possible
keys K) under functional composition is not a group, nor "close" to being a group (Campbell and
Wiener, 1992). This was an open question for some time, and if it had been the case, it would
have been possible to break DES, and multiple encryption modes such as Triple DES would not
increase the security.

It is known that the maximum cryptographic security of DES is limited to about 64 bits, even
when independently choosing all round subkeys instead of deriving them from a key, which
would otherwise permit a security of 768 bits.

See also


• Triple DES
• Skipjack (cipher)
• Symmetric key algorithm

Notes

1. Walter Tuchman (1997). "A brief history of the data encryption standard". Internet besieged: countering cyberspace scofflaws. ACM Press/Addison-Wesley Publishing Co. New York, NY, USA. pp. 275–280.
2. RSA Laboratories. "Has DES been broken?". http://www.rsa.com/rsalabs/node.asp?id=2227. Retrieved 2009-11-08.
3. Schneier. Applied Cryptography (2nd ed.). p. 280.
4. Davies, D.W.; W.L. Price (1989). Security for computer networks, 2nd ed. John Wiley & Sons.
5. Robert Sugarman (editor) (July 1979). "On foiling computer crime". IEEE Spectrum (IEEE).
6. P. Kinnucan (October 1978). "Data Encryption Gurus: Tuchman and Meyer". Cryptologia 2 (4): 371. doi:10.1080/0161-117891853270.
7. Thomas R. Johnson. "American Cryptology during the Cold War, 1945-1989. Book III: Retrenchment and Reform, 1972-1980". United States Cryptologic History 5 (3).
8. Thomas R. Johnson (2009-12-18). "American Cryptology during the Cold War, 1945-1989. Book III: Retrenchment and Reform, 1972-1980, page 232". NSA, DOCID 3417193 (file released on 2009-12-18, hosted at cryptome.org). http://cryptome.org/0001/nsa-meyer.htm. Retrieved 2010-01-03.
9. Konheim. Computer Security and Cryptography. p. 301.
10. Levy, Crypto, p. 55
11. Schneier, Bruce (2004-09-27). "Saluting the data encryption legacy". CNet. http://news.cnet.com/Saluting-the-data-encryption-legacy/2010-1029_3-5381232.html. Retrieved 2010-10-28.
12. National Institute of Standards and Technology, NIST Special Publication 800-67 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, Version 1.1
13. American National Standards Institute, ANSI X3.92-1981 American National Standard, Data Encryption Algorithm
14. "ISO/IEC 18033-3:2005 Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers". Iso.org. 2008-10-15. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=37972. Retrieved 2009-06-02.
15. Bruce Schneier, Applied Cryptography, Protocols, Algorithms, and Source Code in C, Second edition, John Wiley and Sons, New York (1996) p. 267
16. William E. Burr, "Data Encryption Standard", in NIST's anthology "A Century of Excellence in Measurements, Standards, and Technology: A Chronicle of Selected NBS/NIST Publications, 1901–2000".
17. "FR Doc 04-16894". Edocket.access.gpo.gov. http://edocket.access.gpo.gov/2004/04-16894.htm. Retrieved 2009-06-02.
18. S. Kumar, C. Paar, J. Pelzl, G. Pfeiffer, A. Rupp, M. Schimmler, "How to Break DES for Euro 8,980". 2nd Workshop on Special-purpose Hardware for Attacking Cryptographic Systems — SHARCS 2006, Cologne, Germany, April 3–4, 2006.
19. "FIPS 81 - Des Modes of Operation". Itl.nist.gov. http://www.itl.nist.gov/fipspubs/fip81.htm. Retrieved 2009-06-02.
20. "FIPS 74 - Guidelines for Implementing and Using the NBS Data". Itl.nist.gov. http://www.itl.nist.gov/fipspubs/fip74.htm. Retrieved 2009-06-02.
21. Stallings, W. Cryptography and network security: principles and practice. Prentice Hall, 2006. p. 73
22. Break DES in less than a single day [Press release of Firm, demonstrated on 2009 Workshop]

References

Triple DES
From Wikipedia, the free encyclopedia

Triple Data Encryption Algorithm

General

First published 1998 (ANS X9.52)

Derived from DES

Cipher detail

Key sizes 168, 112 or 56 bits (Keying option 1, 2, 3 respectively)

Block sizes 64 bits

Structure Feistel network

Rounds 48 DES-equivalent rounds

Best public cryptanalysis

Lucks: 2^32 known plaintexts, 2^113 operations including 2^90 DES encryptions, 2^88 memory; Biham: find one of 2^28 target keys with a handful of chosen plaintexts per key and 2^84 encryptions

In cryptography, Triple DES (3DES[1]) is the common name for the Triple Data Encryption
Algorithm (TDEA or Triple DEA) block cipher, which applies the Data Encryption Standard
(DES) cipher algorithm three times to each data block. Because of the availability of increasing
computational power, the key size of the original DES cipher was becoming subject to brute
force attacks; Triple DES was designed to provide a relatively simple method of increasing the
key size of DES to protect against such attacks, without designing a completely new block cipher
algorithm.

Definitive standards

The Triple Data Encryption Algorithm (TDEA) is defined in each of:

• ANS[2] X9.52-1998 Triple Data Encryption Algorithm Modes of Operation[3] (withdrawn)
• FIPS PUB 46-3 Data Encryption Standard (DES) (withdrawn[4])
• NIST Special Publication 800-67 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
• ISO/IEC 18033-3:2005 Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers

Name of the algorithm

The earliest standard that defines the algorithm (ANS X9.52, published in 1998) describes it as
the "Triple Data Encryption Algorithm (TDEA)" — i.e. three operations of the Data Encryption
Algorithm specified in ANSI X3.92 — and does not use the terms "Triple DES" or "DES" at all.
FIPS PUB 46-3 (1999) defines the "Triple Data Encryption Algorithm (TDEA)", but also uses
the terms "DES" and "Triple DES". It uses the terms "Data Encryption Algorithm" and "DES"
interchangeably, including starting the specification with:

"The Data Encryption Standard (DES) shall consist of the following Data Encryption Algorithm (DES) [sic] and Triple Data Encryption Algorithm (TDEA, as described in ANSI X9.52)."

NIST SP 800-67 (2004, 2008[5]) primarily uses the term TDEA, but also refers to "Triple DES (TDEA)". ISO/IEC 18033-3 (2005) uses "TDEA", but mentions that:

"The TDEA is commonly known as Triple DES (Data Encryption Standard)."

None of the standards that define the algorithm use the term "3DES".

Algorithm

Triple DES uses a "key bundle" which comprises three DES keys, K1, K2 and K3, each of 56 bits
(excluding parity bits). The encryption algorithm is:

ciphertext = E_K3(D_K2(E_K1(plaintext)))

I.e., DES encrypt with K1, DES decrypt with K2, then DES encrypt with K3.

Decryption is the reverse:

plaintext = D_K1(E_K2(D_K3(ciphertext)))

I.e., decrypt with K3, encrypt with K2, then decrypt with K1.

Each triple encryption encrypts one block of 64 bits of data.

In each case the middle operation is the reverse of the first and last. This improves the strength of
the algorithm when using keying option 2, and provides backward compatibility with DES with
keying option 3.

Keying options

The standards define three keying options:

• Keying option 1: All three keys are independent.
• Keying option 2: K1 and K2 are independent, and K3 = K1.
• Keying option 3: All three keys are identical, i.e. K1 = K2 = K3.

Keying option 1 is the strongest, with 3 × 56 = 168 independent key bits.

Keying option 2 provides less security, with 2 × 56 = 112 key bits. This option is stronger than
simply DES encrypting twice, e.g. with K1 and K2, because it protects against meet-in-the-middle
attacks.

Keying option 3 is equivalent to DES, with only 56 key bits. This option provides backward
compatibility with DES, because the first and second DES operations cancel out. It is no longer
recommended by the National Institute of Standards and Technology (NIST),[6] and is not
supported by ISO/IEC 18033-3.
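
The encrypt-decrypt-encrypt composition and the three keying options described above, as an added example that is not part of the original article. Python's standard library has no DES, so a small 4-round Feistel cipher (`toy_encrypt` / `toy_decrypt`, hypothetical names) stands in for single DES and the outputs are not real TDEA ciphertexts. The return value 0 for bundles where only K1 = K2 or K2 = K3 goes beyond the three listed options: the same cancellation leaves a single cipher operation there too.

```python
import hashlib

KEY_BITS = {1: 168, 2: 112, 3: 56}  # key bits per keying option, as stated above

def strip_parity(key: bytes) -> bytes:
    """Clear the low (parity) bit of each byte: 64 stored bits -> 56 key bits."""
    return bytes(b & 0xFE for b in key)

def round_f(half: int, key: bytes, rnd: int) -> int:
    # Round function of the stand-in cipher. This is NOT the DES F function.
    data = key + bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K: a 4-round Feistel permutation on one 64-bit block."""
    left, right = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for rnd in range(4):
        left, right = right, left ^ round_f(right, key, rnd)
    return left.to_bytes(4, "big") + right.to_bytes(4, "big")

def toy_decrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for D_K: the same rounds undone in reverse order."""
    left, right = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for rnd in reversed(range(4)):
        left, right = right ^ round_f(left, key, rnd), left
    return left.to_bytes(4, "big") + right.to_bytes(4, "big")

def split_bundle(bundle: bytes) -> list:
    """Split K1 || K2 || K3 and drop parity so equal keys compare equal."""
    if len(bundle) != 24:
        raise ValueError("key bundle must be 3 x 8 bytes (K1 || K2 || K3)")
    return [strip_parity(bundle[i:i + 8]) for i in (0, 8, 16)]

def ede_encrypt(bundle: bytes, block: bytes) -> bytes:
    k1, k2, k3 = split_bundle(bundle)
    return toy_encrypt(k3, toy_decrypt(k2, toy_encrypt(k1, block)))

def ede_decrypt(bundle: bytes, block: bytes) -> bytes:
    k1, k2, k3 = split_bundle(bundle)
    return toy_decrypt(k1, toy_encrypt(k2, toy_decrypt(k3, block)))

def keying_option(bundle: bytes) -> int:
    """Return 1, 2 or 3, or 0 when only an adjacent pair of keys is equal."""
    k1, k2, k3 = split_bundle(bundle)
    if k1 == k2 == k3:
        return 3
    if k1 == k2 or k2 == k3:
        return 0  # two adjacent operations cancel: one cipher operation remains
    return 2 if k1 == k3 else 1
```

A key-loading routine can use `keying_option` to reject bundles that return 3 or 0 before they reach the cipher, since both behave like a single 56-bit key.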

Other terms used to refer to the keying options

"Keying option n" is the term used by the standards (X9.52, FIPS PUB 46-3, SP 800-67,
ISO/IEC 18033-3) that define the TDEA. However, other terms are used in other standards and
related recommendations, and general usage.

• For keying option 1:
  ◦ 3TDEA, in NIST SP 800-57[7] and SP 800-78-2[8]
  ◦ Triple-length keys, in general usage[9][10]
• For keying option 2:
  ◦ 2TDEA, in NIST SP 800-57[7] and SP 800-78-1[8]
  ◦ Double-length keys, in general usage[9][10]

Encryption of more than one block

As with all block ciphers, encryption and decryption of multiple blocks of data may be
performed using a variety of modes of operation, which can generally be defined independently
of the block cipher algorithm. However ANS X9.52 specifies directly, and NIST SP 800-67
specifies (via SP 800-38A[11]), that some modes shall only be used with certain constraints on
them that do not necessarily apply to general specifications of those modes. For example, ANS
X9.52 specifies that for cipher block chaining, the initialization vector shall be different each
time, whereas ISO/IEC 10116[12] does not. FIPS PUB 46-3 and ISO/IEC 18033-3 define only the
single block algorithm, and do not place any restrictions on the modes of operation for multiple
blocks.

Security

In general Triple DES with three independent keys (keying option 1) has a key length of 168 bits
(three 56-bit DES keys), but due to the meet-in-the-middle attack the effective security it
provides is only 112 bits. Keying option 2 reduces the key size to 112 bits. However, this option
is susceptible to certain chosen-plaintext or known-plaintext attacks[13][14] and thus it is designated
by NIST to have only 80 bits of security.[7]

The best attack known on keying option 1 requires around 2^32 known plaintexts, 2^113 steps, 2^90
single DES encryptions, and 2^88 memory[15] (the paper presents other tradeoffs between time and
memory). This is not currently practical and NIST considers keying option 1 to be appropriate
through 2030.[7] If the attacker seeks to discover any one of many cryptographic keys, there is a
memory-efficient attack which will discover one of 2^28 keys, given a handful of chosen plaintexts
per key and around 2^84 encryption operations.[16]

Usage

The electronic payment industry uses Triple DES and continues to develop and promulgate
standards based upon it (e.g. EMV).[17][18]

Microsoft OneNote and Microsoft Outlook 2007 use
