Data Encryption Standard - Wikipedia https://en.wikipedia.

org/wiki/Data_Encryption_Standard

Data Encryption Standard

The Data Encryption Standard (DES /ˌdiːˌiːˈɛs, dɛz/) is a
Data Encryption Standard
symmetric-key algorithm for the encryption of electronic data.
Although its short key length of 56 bits, criticized from the
beginning, makes it too insecure for most current applications,
it was highly influential in the advancement of modern
cryptography.

Developed in the early 1970s at IBM and based on an earlier

design by Horst Feistel, the algorithm was submitted to the
National Bureau of Standards (NBS) following the agency's
invitation to propose a candidate for the protection of sensitive,
unclassified electronic government data. In 1976, after
consultation with the National Security Agency (NSA), the NBS
eventually selected a slightly modified version (strengthened
against differential cryptanalysis, but weakened against brute-
force attacks), which was published as an official Federal
Information Processing Standard (FIPS) for the United States
The Feistel function (F function) of DES
in 1977.
General
The publication of an NSA-approved encryption standard
Designers IBM
simultaneously resulted in its quick international adoption and
First 1975 (Federal Register)
widespread academic scrutiny. Controversies arose out of
published (standardized in January 1977)
classified design elements, a relatively short key length of the
symmetric-key block cipher design, and the involvement of the Derived from Lucifer
NSA, nourishing suspicions about a backdoor. Today it is Successors Triple DES, G-DES, DES-X,
known that the S-boxes that had raised those suspicions were LOKI89, ICE
in fact designed by the NSA to actually remove a backdoor they
Cipher detail
secretly knew (differential cryptanalysis). However, the NSA
Key sizes 56 bits (+8 parity bits)
also ensured that the key size was drastically reduced such that
they could break it by brute force attack (the computing power Block sizes 64 bits
to brute force DES however did not exist in 1975).[2] The Structure Balanced Feistel network
intense academic scrutiny the algorithm received over time led Rounds 16
to the modern understanding of block ciphers and their
Best public cryptanalysis
cryptanalysis.
DES has been considered insecure right from
DES, as stated above, is insecure. This is mainly due to the 56- the start because of the feasilibity of brute-force
bit key size being too small. In January 1999, distributed.net attacks[1] Such attacks have been
demonstrated in practice (see EFF DES
and the Electronic Frontier Foundation collaborated to publicly
cracker) and are now available on the market
break a DES key in 22 hours and 15 minutes (see chronology). as a service. As of 2008, the best analytical
There are also some analytical results which demonstrate attack is linear cryptanalysis, which requires 243
theoretical weaknesses in the cipher, although they are known plaintexts and has a time complexity of

1 de 15 13/10/2019 21:30
Data Encryption Standard - Wikipedia https://en.wikipedia.org/wiki/Data_Encryption_Standard

infeasible to mount in practice. The algorithm is believed to be 239–43 (Junod, 2001).

practically secure in the form of Triple DES, although there are
theoretical attacks. This cipher has been superseded by the Advanced Encryption Standard (AES). Furthermore, DES
has been withdrawn as a standard by the National Institute of Standards and Technology.

Some documentation makes a distinction between DES as a standard and as an algorithm, referring to the algorithm as
the DEA (Data Encryption Algorithm).

Contents
History
NSA's involvement in the design
The algorithm as a standard
Chronology
Description
Overall structure
The Feistel (F) function
Key schedule
Security and cryptanalysis
Brute-force attack
Attacks faster than brute force
Minor cryptanalytic properties
Simplified DES
Replacement algorithms
See also
Notes
References
External links

History
The origins of DES go back to the early 1970s. In 1972, after concluding a study on the US government's computer
security needs, the US standards body NBS (National Bureau of Standards)—now named NIST (National Institute of
Standards and Technology)—identified a need for a government-wide standard for encrypting unclassified, sensitive
information.[3]

Around the same time, engineer Mohamed Atalla in 1972 founded Atalla Corporation and developed the first hardware
security module (HSM), the so-called "Atalla Box" which was commercialized in 1973. It protected offline devices with
an un-guessable PIN generating key, and was a commercial success. Banks and credit card companies were fearful that
Atalla would dominate the market, which spurred the development of an international encryption standard.[4] Atalla
was an early competitor to IBM in the banking market, and was cited as an influence by IBM employees who worked
on the DES standard.[5] The IBM 3624 later adopted a similar PIN verification system to the earlier Atalla system.[6]

On 15 May 1973, after consulting with the NSA, NBS solicited proposals for a cipher that would meet rigorous design

2 de 15 13/10/2019 21:30
Data Encryption Standard - Wikipedia https://en.wikipedia.org/wiki/Data_Encryption_Standard

criteria. None of the submissions, however, turned out to be suitable. A second request was issued on 27 August 1974.
This time, IBM submitted a candidate which was deemed acceptable—a cipher developed during the period 1973–1974
based on an earlier algorithm, Horst Feistel's Lucifer cipher. The team at IBM involved in cipher design and analysis
included Feistel, Walter Tuchman, Don Coppersmith, Alan Konheim, Carl Meyer, Mike Matyas, Roy Adler, Edna
Grossman, Bill Notz, Lynn Smith, and Bryant Tuckerman.

NSA's involvement in the design

On 17 March 1975, the proposed DES was published in the Federal Register. Public comments were requested, and in
the following year two open workshops were held to discuss the proposed standard. There was some criticism from
various parties, including from public-key cryptography pioneers Martin Hellman and Whitfield Diffie,[1] citing a
shortened key length and the mysterious "S-boxes" as evidence of improper interference from the NSA. The suspicion
was that the algorithm had been covertly weakened by the intelligence agency so that they—but no-one else—could
easily read encrypted messages.[7] Alan Konheim (one of the designers of DES) commented, "We sent the S-boxes off
to Washington. They came back and were all different."[8] The United States Senate Select Committee on Intelligence
reviewed the NSA's actions to determine whether there had been any improper involvement. In the unclassified
summary of their findings, published in 1978, the Committee wrote:

In the development of DES, NSA convinced IBM that a reduced key size was sufficient; indirectly assisted
in the development of the S-box structures; and certified that the final DES algorithm was, to the best of
their knowledge, free from any statistical or mathematical weakness.[9]

However, it also found that

NSA did not tamper with the design of the algorithm in any way. IBM invented and designed the
algorithm, made all pertinent decisions regarding it, and concurred that the agreed upon key size was
more than adequate for all commercial applications for which the DES was intended.[10]

Another member of the DES team, Walter Tuchman, stated "We developed the DES algorithm entirely within IBM
using IBMers. The NSA did not dictate a single wire!"[11] In contrast, a declassified NSA book on cryptologic history
states:

In 1973 NBS solicited private industry for a data encryption standard (DES). The first offerings were
disappointing, so NSA began working on its own algorithm. Then Howard Rosenblum, deputy director
for research and engineering, discovered that Walter Tuchman of IBM was working on a modification to
Lucifer for general use. NSA gave Tuchman a clearance and brought him in to work jointly with the
Agency on his Lucifer modification."[12]

and

NSA worked closely with IBM to strengthen the algorithm against all except brute-force attacks and to
strengthen substitution tables, called S-boxes. Conversely, NSA tried to convince IBM to reduce the
length of the key from 64 to 48 bits. Ultimately they compromised on a 56-bit key.[13][14]

3 de 15 13/10/2019 21:30
Data Encryption Standard - Wikipedia https://en.wikipedia.org/wiki/Data_Encryption_Standard

Some of the suspicions about hidden weaknesses in the S-boxes were allayed in 1990, with the independent discovery
and open publication by Eli Biham and Adi Shamir of differential cryptanalysis, a general method for breaking block
ciphers. The S-boxes of DES were much more resistant to the attack than if they had been chosen at random, strongly
suggesting that IBM knew about the technique in the 1970s. This was indeed the case; in 1994, Don Coppersmith
published some of the original design criteria for the S-boxes.[15] According to Steven Levy, IBM Watson researchers
discovered differential cryptanalytic attacks in 1974 and were asked by the NSA to keep the technique secret.[16]
Coppersmith explains IBM's secrecy decision by saying, "that was because [differential cryptanalysis] can be a very
powerful tool, used against many schemes, and there was concern that such information in the public domain could
adversely affect national security." Levy quotes Walter Tuchman: "[t]hey asked us to stamp all our documents
confidential... We actually put a number on each one and locked them up in safes, because they were considered U.S.
government classified. They said do it. So I did it".[16] Bruce Schneier observed that "It took the academic community
two decades to figure out that the NSA 'tweaks' actually improved the security of DES."[17]

The algorithm as a standard

Despite the criticisms, DES was approved as a federal standard in November 1976, and published on 15 January 1977
as FIPS PUB 46, authorized for use on all unclassified data. It was subsequently reaffirmed as the standard in 1983,
1988 (revised as FIPS-46-1), 1993 (FIPS-46-2), and again in 1999 (FIPS-46-3), the latter prescribing "Triple DES" (see
below). On 26 May 2002, DES was finally superseded by the Advanced Encryption Standard (AES), following a public
competition. On 19 May 2005, FIPS 46-3 was officially withdrawn, but NIST has approved Triple DES through the year
2030 for sensitive government information.[18]

The algorithm is also specified in ANSI X3.92 (Today X3 is known as INCITS and ANSI X3.92 as ANSI INCITS 92),[19]
NIST SP 800-67[18] and ISO/IEC 18033-3[20] (as a component of TDEA).

Another theoretical attack, linear cryptanalysis, was published in 1994, but it was the Electronic Frontier Foundation's
DES cracker in 1998 that demonstrated that DES could be attacked very practically, and highlighted the need for a
replacement algorithm. These and other methods of cryptanalysis are discussed in more detail later in this article.

The introduction of DES is considered to have been a catalyst for the academic study of cryptography, particularly of
methods to crack block ciphers. According to a NIST retrospective about DES,

The DES can be said to have "jump-started" the nonmilitary study and development of
encryption algorithms. In the 1970s there were very few cryptographers, except for those in
military or intelligence organizations, and little academic study of cryptography. There are
now many active academic cryptologists, mathematics departments with strong programs in
cryptography, and commercial information security companies and consultants. A generation
of cryptanalysts has cut its teeth analyzing (that is, trying to "crack") the DES algorithm. In
the words of cryptographer Bruce Schneier,[21] "DES did more to galvanize the field of
cryptanalysis than anything else. Now there was an algorithm to study." An astonishing share
of the open literature in cryptography in the 1970s and 1980s dealt with the DES, and the
DES is the standard against which every symmetric key algorithm since has been
compared.[22]

Chronology

4 de 15 13/10/2019 21:30
Data Encryption Standard - Wikipedia https://en.wikipedia.org/wiki/Data_Encryption_Standard

Date Year Event

15 May 1973 NBS publishes a first request for a standard encryption algorithm

27 August 1974 NBS publishes a second request for encryption algorithms

17 March 1975 DES is published in the Federal Register for comment

August 1976 First workshop on DES

September 1976 Second workshop, discussing mathematical foundation of DES

November 1976 DES is approved as a standard

15 January 1977 DES is published as a FIPS standard FIPS PUB 46

1983 DES is reaffirmed for the first time

1986 Videocipher II, a TV satellite scrambling system based upon DES, begins use by HBO

22 January 1988 DES is reaffirmed for the second time as FIPS 46-1, superseding FIPS PUB 46

Biham and Shamir rediscover differential cryptanalysis, and apply it to a 15-round DES-like
July 1991
cryptosystem.

Biham and Shamir report the first theoretical attack with less complexity than brute force:
1992
differential cryptanalysis. However, it requires an unrealistic 247 chosen plaintexts.

30
1993 DES is reaffirmed for the third time as FIPS 46-2
December

The first experimental cryptanalysis of DES is performed using linear cryptanalysis

1994
(Matsui, 1994).

June 1997 The DESCHALL Project breaks a message encrypted with DES for the first time in public.

July 1998 The EFF's DES cracker (Deep Crack) breaks a DES key in 56 hours.

January 1999 Together, Deep Crack and distributed.net break a DES key in 22 hours and 15 minutes.

DES is reaffirmed for the fourth time as FIPS 46-3, which specifies the preferred use of
25 October 1999
Triple DES, with single DES permitted only in legacy systems.

26
2001 The Advanced Encryption Standard is published in FIPS 197
November

26 May 2002 The AES becomes effective

The withdrawal of FIPS 46-3 (and a couple of related standards) is proposed in the
26 July 2004
Federal Register[23]

NIST withdraws FIPS 46-3 (see Federal Register vol 70, number 96 (https://web.archive.or
19 May 2005
g/web/20080625202735/http://csrc.nist.gov/publications/fips/05-9945-DES-Withdrawl.pdf))

The FPGA-based parallel machine COPACOBANA of the Universities of Bochum and Kiel,
April 2006 Germany, breaks DES in 9 days at a $10,000 hardware cost.[24] Within a year software
improvements reduced the average time to 6.4 days.

The successor of COPACOBANA, the RIVYERA machine, reduced the average time to
Nov. 2008
less than a single day.

The Open Source password cracking software hashcat (https://hashcat.net/hashcat/)

added in DES brute force searching on general purpose GPUs. Benchmarking shows a
August 2016 single off the shelf Nvidia GeForce GTX 1080 Ti GPU costing $1000 USD recovers a key
in an average of 15 days (full exhaustive search taking 30 days). Systems have been built
with eight GTX 1080 Ti GPUs which can recover a key in an average of under 2 days.[25]

5 de 15 13/10/2019 21:30
Data Encryption Standard - Wikipedia https://en.wikipedia.org/wiki/Data_Encryption_Standard

A chosen-plaintext attack utilizing a rainbow table can recover the DES key for a single
specific chosen plaintext 1122334455667788 in 25 seconds. A new rainbow table has to
July 2017 be calculated per plaintext. A limited set of rainbow tables have been made available for
download.[26]

Description
For brevity, the following description omits the exact
transformations and permutations which specify the
algorithm; for reference, the details can be found in
DES supplementary material.

DES is the archetypal block cipher—an algorithm that takes a fixed-

length string of plaintext bits and transforms it through a series of
complicated operations into another ciphertext bitstring of the same
length. In the case of DES, the block size is 64 bits. DES also uses a key
to customize the transformation, so that decryption can supposedly
only be performed by those who know the particular key used to
encrypt. The key ostensibly consists of 64 bits; however, only 56 of
these are actually used by the algorithm. Eight bits are used solely for
checking parity, and are thereafter discarded. Hence the effective key
length is 56 bits.

The key is nominally stored or transmitted as 8 bytes, each with odd

parity. According to ANSI X3.92-1981 (Now, known as ANSI INCITS
92-1981), section 3.5:

One bit in each 8-bit byte of the KEY may be utilized for
error detection in key generation, distribution, and
storage. Bits 8, 16,..., 64 are for use in ensuring that each
byte is of odd parity.

Like other block ciphers, DES by itself is not a secure means of

encryption, but must instead be used in a mode of operation. FIPS-81
specifies several modes for use with DES.[27] Further comments on the
usage of DES are contained in FIPS-74.[28]

Decryption uses the same structure as encryption, but with the keys
used in reverse order. (This has the advantage that the same hardware
or software can be used in both directions.)
Figure 1— The overall Feistel structure of
DES
Overall structure
The algorithm's overall structure is shown in Figure 1: there are 16
identical stages of processing, termed rounds. There is also an initial and final permutation, termed IP and FP, which
are inverses (IP "undoes" the action of FP, and vice versa). IP and FP have no cryptographic significance, but were

6 de 15 13/10/2019 21:30
Data Encryption Standard - Wikipedia https://en.wikipedia.org/wiki/Data_Encryption_Standard

included in order to facilitate loading blocks in and out of mid-1970s 8-bit based hardware.[29]

Before the main rounds, the block is divided into two 32-bit halves and processed alternately; this criss-crossing is
known as the Feistel scheme. The Feistel structure ensures that decryption and encryption are very similar processes—
the only difference is that the subkeys are applied in the reverse order when decrypting. The rest of the algorithm is
identical. This greatly simplifies implementation, particularly in hardware, as there is no need for separate encryption
and decryption algorithms.

The ⊕ symbol denotes the exclusive-OR (XOR) operation. The F-function scrambles half a block together with some of
the key. The output from the F-function is then combined with the other half of the block, and the halves are swapped
before the next round. After the final round, the halves are swapped; this is a feature of the Feistel structure which
makes encryption and decryption similar processes.

The Feistel (F) function

The F-function, depicted in Figure 2, operates on half a block (32 bits) at a time and consists of four stages:

1. Expansion: the 32-bit half-block is expanded to 48 bits using the

expansion permutation, denoted E in the diagram, by duplicating
half of the bits. The output consists of eight 6-bit (8 * 6 = 48 bits)
pieces, each containing a copy of 4 corresponding input bits, plus
a copy of the immediately adjacent bit from each of the input
pieces to either side.
2. Key mixing: the result is combined with a subkey using an XOR
operation. Sixteen 48-bit subkeys—one for each round—are
derived from the main key using the key schedule (described
below).
3. Substitution: after mixing in the subkey, the block is divided into
eight 6-bit pieces before processing by the S-boxes, or
substitution boxes. Each of the eight S-boxes replaces its six
input bits with four output bits according to a non-linear
transformation, provided in the form of a lookup table. The
S-boxes provide the core of the security of DES—without them,
the cipher would be linear, and trivially breakable.
4. Permutation: finally, the 32 outputs from the S-boxes are Figure 2—The Feistel function (F-
rearranged according to a fixed permutation, the P-box. This is function) of DES
designed so that, after permutation, the bits from the output of
each S-box in this round are spread across four different S-boxes
in the next round.
The alternation of substitution from the S-boxes, and permutation of bits from the P-box and E-expansion provides so-
called "confusion and diffusion" respectively, a concept identified by Claude Shannon in the 1940s as a necessary
condition for a secure yet practical cipher.

Key schedule
Figure 3 illustrates the key schedule for encryption—the algorithm which generates the subkeys. Initially, 56 bits of the
key are selected from the initial 64 by Permuted Choice 1 (PC-1)—the remaining eight bits are either discarded or used
as parity check bits. The 56 bits are then divided into two 28-bit halves; each half is thereafter treated separately. In
successive rounds, both halves are rotated left by one or two bits (specified for each round), and then 48 subkey bits
are selected by Permuted Choice 2 (PC-2)—24 bits from the left half, and 24 from the right. The rotations (denoted by
"<<<" in the diagram) mean that a different set of bits is used in each subkey; each bit is used in approximately 14 out

7 de 15 13/10/2019 21:30
Data Encryption Standard - Wikipedia https://en.wikipedia.org/wiki/Data_Encryption_Standard

of the 16 subkeys.

The key schedule for decryption is similar—the subkeys are in reverse

order compared to encryption. Apart from that change, the process is
the same as for encryption. The same 28 bits are passed to all rotation
boxes.

Security and cryptanalysis

Although more information has been published on the cryptanalysis of
DES than any other block cipher, the most practical attack to date is
still a brute-force approach. Various minor cryptanalytic properties
are known, and three theoretical attacks are possible which, while
having a theoretical complexity less than a brute-force attack, require
an unrealistic number of known or chosen plaintexts to carry out, and
are not a concern in practice.

Brute-force attack
For any cipher, the most basic method of attack is brute force—trying
every possible key in turn. The length of the key determines the
Figure 3— The key-schedule of DES
number of possible keys, and hence the feasibility of this approach.
For DES, questions were raised about the adequacy of its key size early
on, even before it was adopted as a standard, and it was the small key size, rather than theoretical cryptanalysis, which
dictated a need for a replacement algorithm. As a result of discussions involving external consultants including the
NSA, the key size was reduced from 128 bits to 56 bits to fit on a single chip.[30]

In academia, various proposals for a DES-cracking machine were advanced.

In 1977, Diffie and Hellman proposed a machine costing an estimated
US$20 million which could find a DES key in a single day.[1][31] By 1993,
Wiener had proposed a key-search machine costing US$1 million which
would find a key within 7 hours. However, none of these early proposals
were ever implemented—or, at least, no implementations were publicly
acknowledged. The vulnerability of DES was practically demonstrated in
the late 1990s. In 1997, RSA Security sponsored a series of contests,
offering a $10,000 prize to the first team that broke a message encrypted
with DES for the contest. That contest was won by the DESCHALL Project,
led by Rocke Verser, Matt Curtin, and Justin Dolske, using idle cycles of
thousands of computers across the Internet. The feasibility of cracking DES
The EFF's US$250,000 DES
quickly was demonstrated in 1998 when a custom DES-cracker was built by
cracking machine contained 1,856
the Electronic Frontier Foundation (EFF), a cyberspace civil rights group, custom chips and could brute-force
at the cost of approximately US$250,000 (see EFF DES cracker). Their a DES key in a matter of days—the
motivation was to show that DES was breakable in practice as well as in photo shows a DES Cracker circuit
theory: "There are many people who will not believe a truth until they can board fitted with several Deep Crack
see it with their own eyes. Showing them a physical machine that can chips.

crack DES in a few days is the only way to convince some people that they

8 de 15 13/10/2019 21:30
Data Encryption Standard - Wikipedia https://en.wikipedia.org/wiki/Data_Encryption_Standard

really cannot trust their security to DES." The machine brute-forced a key in a little more than 2 days' worth of
searching.

The next confirmed DES cracker was the COPACOBANA machine built in 2006 by teams of the Universities of
Bochum and Kiel, both in Germany. Unlike the EFF machine, COPACOBANA consists of commercially available,
reconfigurable integrated circuits. 120 of these field-programmable gate arrays (FPGAs) of type XILINX Spartan-3
1000 run in parallel. They are grouped in 20 DIMM modules, each containing 6 FPGAs. The use of reconfigurable
hardware makes the machine applicable to other code breaking tasks as well.[32] One of the more interesting aspects of
COPACOBANA is its cost factor. One machine can be built for approximately $10,000.[33] The cost decrease by roughly
a factor of 25 over the EFF machine is an example of the continuous improvement of digital hardware—see Moore's
law. Adjusting for inflation over 8 years yields an even higher improvement of about 30x. Since 2007, SciEngines
GmbH, a spin-off company of the two project partners of COPACOBANA has enhanced and developed successors of
COPACOBANA. In 2008 their COPACOBANA RIVYERA reduced the time to break DES to less than one day, using 128
Spartan-3 5000's. SciEngines RIVYERA held the record in brute-force breaking DES, having utilized 128 Spartan-3
5000 FPGAs.[34] Their 256 Spartan-6 LX150 model has further lowered this time.

In 2012, David Hulton and Moxie Marlinspike announced a system with 48 Xilinx Virtex-6 LX240T FPGAs, each
FPGA containing 40 fully pipelined DES cores running at 400 MHz, for a total capacity of 768 gigakeys/sec. The
system can exhaustively search the entire 56-bit DES key space in about 26 hours and this service is offered for a fee
online.[35][36]

Attacks faster than brute force

There are three attacks known that can break the full 16 rounds of DES with less complexity than a brute-force search:
differential cryptanalysis (DC),[37] linear cryptanalysis (LC),[38] and Davies' attack.[39] However, the attacks are
theoretical and are generally considered infeasible to mount in practice;[40] these types of attack are sometimes termed
certificational weaknesses.

Differential cryptanalysis was rediscovered in the late 1980s by Eli Biham and Adi Shamir; it was known earlier to
both IBM and the NSA and kept secret. To break the full 16 rounds, differential cryptanalysis requires 247 chosen
plaintexts.[37] DES was designed to be resistant to DC.
Linear cryptanalysis was discovered by Mitsuru Matsui, and needs 243 known plaintexts (Matsui, 1993);[38] the
method was implemented (Matsui, 1994), and was the first experimental cryptanalysis of DES to be reported.
There is no evidence that DES was tailored to be resistant to this type of attack. A generalization of LC—multiple
linear cryptanalysis—was suggested in 1994 (Kaliski and Robshaw), and was further refined by Biryukov and
others. (2004); their analysis suggests that multiple linear approximations could be used to reduce the data
requirements of the attack by at least a factor of 4 (that is, 241 instead of 243).[41] A similar reduction in data
complexity can be obtained in a chosen-plaintext variant of linear cryptanalysis (Knudsen and Mathiassen,
2000).[42] Junod (2001) performed several experiments to determine the actual time complexity of linear
cryptanalysis, and reported that it was somewhat faster than predicted, requiring time equivalent to 239–241 DES
evaluations.[43]
Improved Davies' attack: while linear and differential cryptanalysis are general techniques and can be applied to a
number of schemes, Davies' attack is a specialized technique for DES, first suggested by Donald Davies in the
eighties,[39] and improved by Biham and Biryukov (1997).[44] The most powerful form of the attack requires 250
known plaintexts, has a computational complexity of 250, and has a 51% success rate.
There have also been attacks proposed against reduced-round versions of the cipher, that is, versions of DES with
fewer than 16 rounds. Such analysis gives an insight into how many rounds are needed for safety, and how much of a
"security margin" the full version retains.

Differential-linear cryptanalysis was proposed by Langford and Hellman in 1994, and combines differential and linear

9 de 15 13/10/2019 21:30
Data Encryption Standard - Wikipedia https://en.wikipedia.org/wiki/Data_Encryption_Standard

cryptanalysis into a single attack.[45] An enhanced version of the attack can break 9-round DES with 215.8 chosen
plaintexts and has a 229.2 time complexity (Biham and others, 2002).[46]

Minor cryptanalytic properties

DES exhibits the complementation property, namely that

where is the bitwise complement of denotes encryption with key and denote plaintext and ciphertext
blocks respectively. The complementation property means that the work for a brute-force attack could be reduced by a
factor of 2 (or a single bit) under a chosen-plaintext assumption. By definition, this property also applies to TDES
cipher.[47]

DES also has four so-called weak keys. Encryption (E) and decryption (D) under a weak key have the same effect (see
involution):

or equivalently,

There are also six pairs of semi-weak keys. Encryption with one of the pair of semiweak keys, , operates identically
to decryption with the other, :

or equivalently,

It is easy enough to avoid the weak and semiweak keys in an implementation, either by testing for them explicitly, or
simply by choosing keys randomly; the odds of picking a weak or semiweak key by chance are negligible. The keys are
not really any weaker than any other keys anyway, as they do not give an attack any advantage.

DES has also been proved not to be a group, or more precisely, the set (for all possible keys ) under functional
composition is not a group, nor "close" to being a group.[48] This was an open question for some time, and if it had
been the case, it would have been possible to break DES, and multiple encryption modes such as Triple DES would not
increase the security, because encryption under one key would be equivalent to decryption under another key.[49]

Simplified DES
Simplified DES (SDES) was designed for educational purposes only, to help students learn about modern cryptanalytic
techniques. SDES has similar properties and structure as DES, but has been simplified to make it much easier to
perform encryption and decryption by hand with pencil and paper. Some people feel that learning SDES gives insight
into DES and other block ciphers, and insight into various cryptanalytic attacks against them.[50][51][52][53][54][55][56]
[57][58]

Replacement algorithms
Concerns about security and the relatively slow operation of DES in software motivated researchers to propose a
variety of alternative block cipher designs, which started to appear in the late 1980s and early 1990s: examples include
RC5, Blowfish, IDEA, NewDES, SAFER, CAST5 and FEAL. Most of these designs kept the 64-bit block size of DES, and
could act as a "drop-in" replacement, although they typically used a 64-bit or 128-bit key. In the Soviet Union the

10 de 15 13/10/2019 21:30
Data Encryption Standard - Wikipedia https://en.wikipedia.org/wiki/Data_Encryption_Standard

GOST 28147-89 algorithm was introduced, with a 64-bit block size and a 256-bit key, which was also used in Russia
later.

DES itself can be adapted and reused in a more secure scheme. Many former DES users now use Triple DES (TDES)
which was described and analysed by one of DES's patentees (see FIPS Pub 46-3); it involves applying DES three times
with two (2TDES) or three (3TDES) different keys. TDES is regarded as adequately secure, although it is quite slow. A
less computationally expensive alternative is DES-X, which increases the key size by XORing extra key material before
and after DES. GDES was a DES variant proposed as a way to speed up encryption, but it was shown to be susceptible
to differential cryptanalysis.

On January 2, 1997, NIST announced that they wished to choose a successor to DES.[59] In 2001, after an international
competition, NIST selected a new cipher, the Advanced Encryption Standard (AES), as a replacement.[60] The
algorithm which was selected as the AES was submitted by its designers under the name Rijndael. Other finalists in the
NIST AES competition included RC6, Serpent, MARS, and Twofish.

See also
Brute Force: Cracking the Data Encryption Standard
DES supplementary material
Skipjack (cipher)
Triple DES

Notes
1. Diffie, Whitfield; Hellman, Martin E. (June 1977). "Exhaustive Cryptanalysis of the NBS Data Encryption Standard"
(https://web.archive.org/web/20140226205104/http://origin-www.computer.org/csdl/mags/co/1977/06/01646525.pd
f) (PDF). Computer. 10 (6): 74–84. doi:10.1109/C-M.1977.217750 (https://doi.org/10.1109%2FC-M.1977.217750).
Archived from the original (http://origin-www.computer.org/csdl/mags/co/1977/06/01646525.pdf) (PDF) on
2014-02-26.
2. "The Legacy of DES - Schneier on Security" (https://www.schneier.com/blog/archives/2004/10/the_legacy_of_d.ht
ml). www.schneier.com. October 6, 2004.
3. {cite conference|author=Walter Tuchman|title=A brief history of the data encryption standard|booktitle=Internet
besieged: countering cyberspace scofflaws|publisher=ACM Press/Addison-Wesley Publishing Co. New York, NY,
USA|pages=275–280|year=1997}}
4. Bátiz-Lazo, Bernardo (2018). Cash and Dash: How ATMs and Computers Changed Banking (https://books.google.
com/books?id=rWhiDwAAQBAJ&pg=PA284). Oxford University Press. pp. 284 & 311. ISBN 9780191085574.
5. "The Economic Impacts of NIST's Data Encryption Standard (DES) Program" (https://www.nist.gov/sites/default/fil
es/documents/2017/05/09/report01-2.pdf) (PDF). National Institute of Standards and Technology. United States
Department of Commerce. October 2001. Retrieved 21 August 2019.
6. Konheim, Alan G. (1 April 2016). "Automated teller machines: their history and authentication protocols" (https://sli
deheaven.com/automated-teller-machines-their-history-and-authentication-protocols.html). Journal of
Cryptographic Engineering. 6 (1): 1–29. doi:10.1007/s13389-015-0104-3 (https://doi.org/10.1007%2Fs13389-015-
0104-3). ISSN 2190-8516 (https://www.worldcat.org/issn/2190-8516).
7. RSA Laboratories. "Has DES been broken?" (https://web.archive.org/web/20160517015519/http://www.emc.com/e
mc-plus/rsa-labs/standards-initiatives/has-des-been-broken.htm). Archived from the original (http://www.emc.com/
emc-plus/rsa-labs/standards-initiatives/has-des-been-broken.htm) on 2016-05-17. Retrieved 2009-11-08.
8. Schneier. Applied Cryptography (2nd ed.). p. 280.

11 de 15 13/10/2019 21:30
Data Encryption Standard - Wikipedia https://en.wikipedia.org/wiki/Data_Encryption_Standard

9. Davies, D.W.; W.L. Price (1989). Security for computer networks, 2nd ed. John Wiley & Sons.
10. Robert Sugarman (editor) (July 1979). "On foiling computer crime". IEEE Spectrum.
11. P. Kinnucan (October 1978). "Data Encryption Gurus: Tuchman and Meyer". Cryptologia. 2 (4): 371.
doi:10.1080/0161-117891853270 (https://doi.org/10.1080%2F0161-117891853270).
12. Thomas R. Johnson (2009-12-18). "American Cryptology during the Cold War, 1945-1989.Book III: Retrenchment
and Reform, 1972-1980, page 232" (https://web.archive.org/web/20130918020036/http://www.nsa.gov/public_info/
_files/cryptologic_histories/cold_war_iii.pdf) (PDF). National Security Agency, DOCID 3417193 (file released on
2009-12-18, hosted at nsa.gov). Archived from the original (http://www.nsa.gov/public_info/_files/cryptologic_histor
ies/cold_war_iii.pdf) (PDF) on 2013-09-18. Retrieved 2014-07-10.
13. Thomas R. Johnson (2009-12-18). "American Cryptology during the Cold War, 1945-1989.Book III: Retrenchment
and Reform, 1972-1980, page 232" (http://nsarchive.gwu.edu/NSAEBB/NSAEBB260/nsa-5.pdf) (PDF). National
Security Agency. Retrieved 2015-07-16 – via National Security Archive FOIA request. This version is differently
redacted than the version on the NSA website.
14. Thomas R. Johnson (2009-12-18). "American Cryptology during the Cold War, 1945-1989.Book III: Retrenchment
and Reform, 1972-1980, page 232" (http://nsarchive.gwu.edu/NSAEBB/NSAEBB260/nsa-6.pdf) (PDF). National
Security Agency. Retrieved 2015-07-16 – via National Security Archive FOIA request. This version is differently
redacted than the version on the NSA website.
15. Konheim. Computer Security and Cryptography. p. 301.
16. Levy, Crypto, p. 55
17. Schneier, Bruce (2004-09-27). "Saluting the data encryption legacy" (https://www.cnet.com/news/saluting-the-data
-encryption-legacy/). CNet. Retrieved 2015-07-22.
18. National Institute of Standards and Technology, NIST Special Publication 800-67 Recommendation for the Triple
Data Encryption Algorithm (TDEA) Block Cipher, Version 1.1 (http://csrc.nist.gov/publications/nistpubs/800-67-Rev
1/SP-800-67-Rev1.pdf)
19. American National Standards Institute, ANSI X3.92-1981 (now known as ANSI INCITS 92-1981)American
National Standard, Data Encryption Algorithm
20. "ISO/IEC 18033-3:2010 Information technology—Security techniques—Encryption algorithms—Part 3: Block
ciphers" (http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=54531). Iso.org.
2010-12-14. Retrieved 2011-10-21.
21. Bruce Schneier, Applied Cryptography, Protocols, Algorithms, and Source Code in C, Second edition, John Wiley
and Sons, New York (1996) p. 267
22. William E. Burr, "Data Encryption Standard", in NIST's anthology "A Century of Excellence in Measurements,
Standards, and Technology: A Chronicle of Selected NBS/NIST Publications, 1901–2000. HTML (http://nvl.nist.go
v/pub/nistpubs/sp958-lide/html/250-253.html) Archived (https://web.archive.org/web/20090619181704/http://nvl.ni
st.gov/pub/nistpubs/sp958-lide/html/250-253.html) 2009-06-19 at the Wayback Machine PDF (http://nvl.nist.gov/pu
b/nistpubs/sp958-lide/250-253.pdf) Archived (https://web.archive.org/web/20060823131553/http://nvl.nist.gov/pub/
nistpubs/sp958-lide/250-253.pdf) 2006-08-23 at the Wayback Machine
23. "FR Doc 04-16894" (http://edocket.access.gpo.gov/2004/04-16894.htm). Edocket.access.gpo.gov. Retrieved
2009-06-02.
24. S. Kumar, C. Paar, J. Pelzl, G. Pfeiffer, A. Rupp, M. Schimmler, "How to Break DES for Euro 8,980". 2nd
Workshop on Special-purpose Hardware for Attacking Cryptographic Systems—SHARCS 2006, Cologne,
Germany, April 3–4, 2006.
25. "8x1080Ti.md" (https://gist.github.com/epixoip/ace60d09981be09544fdd35005051505).
26. "Crack.sh | the World's Fastest DES Cracker" (https://crack.sh).
27. "FIPS 81 - Des Modes of Operation" (http://csrc.nist.gov/publications/fips/fips81/fips81.htm). csrc.nist.gov.
Retrieved 2009-06-02.

12 de 15 13/10/2019 21:30
Data Encryption Standard - Wikipedia https://en.wikipedia.org/wiki/Data_Encryption_Standard

28. "FIPS 74 - Guidelines for Implementing and Using the NBS Data" (https://web.archive.org/web/20140103013152/h
ttp://www.itl.nist.gov/fipspubs/fip74.htm). Itl.nist.gov. Archived from the original (http://www.itl.nist.gov/fipspubs/fip7
4.htm) on 2014-01-03. Retrieved 2009-06-02.
29. Schneier. Applied Cryptography (1st ed.). p. 271.
30. Stallings, W. Cryptography and network security: principles and practice. Prentice Hall, 2006. p. 73
31. "Bruting DES" (http://hamburgsteak.sandwich.net/writ/bruting_des.html).
32. "Getting Started, COPACOBANA — Cost-optimized Parallel Code-Breaker" (http://www.copacobana.org/paper/co
pacobana_gettingstarted.pdf) (PDF). December 12, 2006. Retrieved March 6, 2012.
33. Reinhard Wobst (October 16, 2007). Cryptology Unlocked. John Wiley & Sons.
34. Break DES in less than a single day (http://www.sciengines.com/company/news-a-events/74-des-in-1-day.html)
[Press release of Firm, demonstrated on 2009 Workshop]
35. The World's fastest DES cracker (http://crack.sh)
36. Think Complex Passwords Will Save You?, David Hulton, Ian Foster, BSidesLV 2017
37. Biham, E. & Shamir, A (1993). Differential cryptanalysis of the data encryption standard (https://link.springer.com/9
78-1-4613-9314-6). Shamir, Adi. New York: Springer-Verlag. pp. 487–496. doi:10.1007/978-1-4613-9314-6 (http
s://doi.org/10.1007%2F978-1-4613-9314-6). ISBN 978-0387979304. OCLC 27173465 (https://www.worldcat.org/o
clc/27173465).
38. Matsui, Mitsuru (1993-05-23). Linear Cryptanalysis Method for DES Cipher. Advances in Cryptology —
EUROCRYPT '93. Lecture Notes in Computer Science. 765. Springer, Berlin, Heidelberg. pp. 386–397.
doi:10.1007/3-540-48285-7_33 (https://doi.org/10.1007%2F3-540-48285-7_33). ISBN 978-3540482857.
39. Davies, D. W. (1987). "Investigation of a potential weakness in the DES algorithm, Private communications" (http
s://scholar.google.com/scholar?q=D.%20W.%20Davies%2C%20Investigation%20of%20a%20potential%20weakn
ess%20in%20the%20DES%20algorithm%2C%20Private%20communications%2C%201987.). Private
Communications.
40. Alanazi, Hamdan O.; et al. (2010). "New Comparative Study Between DES, 3DES and AES within Nine Factors".
Journal of Computing. 2 (3). arXiv:1003.4085 (https://arxiv.org/abs/1003.4085). Bibcode:2010arXiv1003.4085A (ht
tps://ui.adsabs.harvard.edu/abs/2010arXiv1003.4085A).
41. Biryukov, Alex; Cannière, Christophe De; Quisquater, Michaël (2004-08-15). On Multiple Linear Approximations.
Advances in Cryptology – CRYPTO 2004. Lecture Notes in Computer Science. Springer, Berlin, Heidelberg.
pp. 1–22. doi:10.1007/978-3-540-28628-8_1 (https://doi.org/10.1007%2F978-3-540-28628-8_1).
ISBN 9783540226680.
42. Knudsen, Lars R.; Mathiassen, John Erik (2000-04-10). A Chosen-Plaintext Linear Attack on DES. Fast Software
Encryption. Lecture Notes in Computer Science. Springer, Berlin, Heidelberg. pp. 262–272.
doi:10.1007/3-540-44706-7_18 (https://doi.org/10.1007%2F3-540-44706-7_18). ISBN 978-3540447061.
43. Junod, Pascal (2001-08-16). On the Complexity of Matsui's Attack. Selected Areas in Cryptography. Lecture
Notes in Computer Science. 2259. Springer, Berlin, Heidelberg. pp. 199–211. doi:10.1007/3-540-45537-X_16 (http
s://doi.org/10.1007%2F3-540-45537-X_16). ISBN 978-3540455370.
44. Biham, Eli; Biryukov, Alex (1997-06-01). "An improvement of Davies' attack on DES". Journal of Cryptology. 10
(3): 195–205. doi:10.1007/s001459900027 (https://doi.org/10.1007%2Fs001459900027). ISSN 0933-2790 (http
s://www.worldcat.org/issn/0933-2790).
45. Langford, Susan K.; Hellman, Martin E. (1994-08-21). Differential-Linear Cryptanalysis. Advances in Cryptology —
CRYPTO '94. Lecture Notes in Computer Science. Springer, Berlin, Heidelberg. pp. 17–25.
doi:10.1007/3-540-48658-5_3 (https://doi.org/10.1007%2F3-540-48658-5_3). ISBN 978-3540486589.
46. Biham, Eli; Dunkelman, Orr; Keller, Nathan (2002-12-01). Enhancing Differential-Linear Cryptanalysis. Advances
in Cryptology — ASIACRYPT 2002. Lecture Notes in Computer Science. Springer, Berlin, Heidelberg.
pp. 254–266. doi:10.1007/3-540-36178-2_16 (https://doi.org/10.1007%2F3-540-36178-2_16).
ISBN 978-3540361787.

13 de 15 13/10/2019 21:30
Data Encryption Standard - Wikipedia https://en.wikipedia.org/wiki/Data_Encryption_Standard

47. Menezes, Alfred J.; van Oorschot, Paul C.; Vanstone, Scott A. (1996). Handbook of Applied Cryptography (https://
archive.org/details/handbookofapplie0000mene). CRC Press. p. 257. ISBN 978-0849385230.
48. Campbell and Wiener, 1992 (http://dl.acm.org/citation.cfm?id=705523)
49. "Double DES" (https://www.nku.edu/~christensen/3DES.pdf) (PDF).
50. Sanjay Kumar; Sandeep Srivastava. "Image Encryption using Simplified Data Encryption Standard (S-DES)" (htt
p://research.ijcaonline.org/volume104/number2/pxc3899070.pdf). 2014.
51. Alasdair McAndrew. "Introduction to Cryptography with Open-Source Software" (https://books.google.com/books?i
d=9lTRBQAAQBAJ). 2012. Section "8.8 Simplified DES: sDES". p. 183 to 190.
52. William Stallings. "Appendix G: Simplified DES" (http://mercury.webster.edu/aleshunas/COSC%205130/G-SDES.p
df). 2010.
53. Nalini N; G Raghavendra Rao. "Cryptanalysis of Simplified Data Encryption Standard via Optimisation Heuristics"
(http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.521.9332&rep=rep1&type=pdf). 2006.
54. Minh Van Nguyen. "Simplified DES" (http://doc.sagemath.org/html/en/reference/cryptography/sage/crypto/block_ci
pher/sdes.html). 2009.
55. Dr. Manoj Kumar. "Cryptography and Network Security" (https://books.google.com/books?id=jdo6eUKdrVkC).
Section 3.4: The Simplified Version of DES (S-DES). p. 96.
56. Edward F. Schaefer. "A Simplified Data Encryption Standard Algorithm". doi:10.1080/0161-119691884799 (https://
doi.org/10.1080%2F0161-119691884799) 1996.
57. Lavkush Sharma; Bhupendra Kumar Pathak; and Nidhi Sharma. "Breaking of Simplified Data Encryption Standard
Using Binary Particle Swarm Optimization" (http://ijcsi.org/papers/IJCSI-9-3-1-307-313.pdf). 2012.
58. "Cryptography Research: Devising a Better Way to Teach and Learn the Advanced Encryption Standard" (https://
web.archive.org/web/20110829213229/http://www.scu.edu/cas/research/cryptography.cfm).
59. http://csrc.nist.gov/archive/aes/pre-round1/aes_9701.txt
60. http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf November 26, 2001.

References
Biham, Eli and Shamir, Adi (1991). "Differential Cryptanalysis of DES-like Cryptosystems". Journal of Cryptology.
4 (1): 3–72. doi:10.1007/BF00630563 (https://doi.org/10.1007%2FBF00630563). (preprint (http://nfotemple.free.fr/
site_cryptokg/site_roy/differential%20cryptanalysis%20of%20des-like%20cryptosystems.pdf))
Biham, Eli and Shamir, Adi, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993.
ISBN 0-387-97930-1, ISBN 3-540-97930-1.
Biham, Eli and Alex Biryukov: An Improvement of Davies' Attack on DES. J. Cryptology 10(3): 195–206 (1997)
Biham, Eli, Orr Dunkelman, Nathan Keller: Enhancing Differential-Linear Cryptanalysis. ASIACRYPT 2002:
pp254–266
Biham, Eli: A Fast New DES Implementation in Software
Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design (https://archive.org/details/crac
kingdessecre00elec), Electronic Frontier Foundation
Biryukov, A, C. De Canniere and M. Quisquater (2004). Franklin, Matt (ed.). On Multiple Linear Approximations (ht
tp://www.springerlink.com/content/16udaqwwl9ffrtxt/). Lecture Notes in Computer Science. 3152. pp. 1–22.
doi:10.1007/b99099 (https://doi.org/10.1007%2Fb99099). ISBN 978-3-540-22668-0. (preprint (https://web.archive.
org/web/20070615132907/http://www.research.ibm.com/journal/rd/383/coppersmith.pdf)).
Campbell, Keith W., Michael J. Wiener: DES is not a Group. CRYPTO 1992: pp512–520
Coppersmith, Don. (1994). The data encryption standard (DES) and its strength against attacks (https://web.archiv
e.org/web/20070615132907/http://www.research.ibm.com/journal/rd/383/coppersmith.pdf) at the Wayback
Machine (archived June 15, 2007). IBM Journal of Research and Development, 38(3), 243–250.

14 de 15 13/10/2019 21:30
Data Encryption Standard - Wikipedia https://en.wikipedia.org/wiki/Data_Encryption_Standard

Diffie, Whitfield and Martin Hellman, "Exhaustive Cryptanalysis of the NBS Data Encryption Standard" IEEE
Computer 10(6), June 1977, pp74–84
Ehrsam and others., Product Block Cipher System for Data Security, U.S. Patent 3,962,539 (https://www.google.c
om/patents/US3962539), Filed February 24, 1975
Gilmore, John, "Cracking DES: Secrets of Encryption Research, Wiretap Politics and Chip Design", 1998, O'Reilly,
ISBN 1-56592-520-3.
Junod, Pascal. "On the Complexity of Matsui's Attack." (https://web.archive.org/web/20090527065754/http://crypt
o.junod.info/sac01.html) Selected Areas in Cryptography, 2001, pp199–211.
Kaliski, Burton S., Matt Robshaw: Linear Cryptanalysis Using Multiple Approximations. CRYPTO 1994: pp26–39
Knudsen, Lars, John Erik Mathiassen: A Chosen-Plaintext Linear Attack on DES. Fast Software Encryption - FSE
2000: pp262–272
Langford, Susan K., Martin E. Hellman: Differential-Linear Cryptanalysis. CRYPTO 1994: 17–25
Levy, Steven, Crypto: How the Code Rebels Beat the Government—Saving Privacy in the Digital Age, 2001,
ISBN 0-14-024432-8.
Matsui, Mitsuru (1994). Helleseth, Tor (ed.). Linear Cryptanalysis Method for DES Cipher (http://www.springerlink.c
om/content/92509p5l4ravyn62/). Lecture Notes in Computer Science. 765. pp. 386–397.
CiteSeerX 10.1.1.50.8472 (https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.50.8472).
doi:10.1007/3-540-48285-7 (https://doi.org/10.1007%2F3-540-48285-7). ISBN 978-3-540-57600-6.
Matsui, Mitsuru (1994). "The First Experimental Cryptanalysis of the Data Encryption Standard" (http://www.spring
erlink.com/content/vrteugmt7erqqbw1/). Advances in Cryptology — CRYPTO '94. Lecture Notes in Computer
Science. 839. pp. 1–11. doi:10.1007/3-540-48658-5_1 (https://doi.org/10.1007%2F3-540-48658-5_1).
ISBN 978-3-540-58333-2.
National Bureau of Standards, Data Encryption Standard, FIPS-Pub.46. National Bureau of Standards, U.S.
Department of Commerce, Washington D.C., January 1977.
Christof Paar, Jan Pelzl, "The Data Encryption Standard (DES) and Alternatives" (http://wiki.crypto.rub.de/Buch/en
/movies.php#3), free online lectures on Chapter 3 of "Understanding Cryptography, A Textbook for Students and
Practitioners". Springer, 2009.

External links
FIPS 46-3: The official document describing the DES standard (http://csrc.nist.gov/publications/fips/fips46-3/fips46
-3.pdf) (PDF)
COPACOBANA, a $10,000 DES cracker based on FPGAs by the Universities of Bochum and Kiel (http://www.scie
ngines.com/copacobana)
DES step-by-step presentation and reliable message encoding application (https://web.archive.org/web/20080411
130511/http://dhost.info/pasjagor/des/)
A Fast New DES Implementation in Software - Biham (https://web.archive.org/web/20050312043710/http://www.c
s.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1997/CS/CS0891.ps)
On Multiple Linear Approximations (http://eprint.iacr.org/2004/057.ps.gz)
RFC4772 : Security Implications of Using the Data Encryption Standard (DES) (http://www.rfc-editor.org/rfc/rfc477
2.txt)

15 de 15 13/10/2019 21:30