|
11 | 12 | The DES (Data Encryption Standard) algorithm is the 13 | most widely used encryption algorithm in the world. For 14 | many years, and among many people, "secret code making" and 15 | DES have been synonymous. And despite the recent coup by 16 | the Electronic Frontier Foundation in creating a $220,000 17 | machine to crack DES-encrypted messages, DES will live on in 18 | government and banking for years to come through a life- 19 | extending version called "triple-DES." 20 | 21 | How does DES work? This article explains the various 22 | steps involved in DES-encryption, illustrating each step by 23 | means of a simple example. Since the creation of DES, many 24 | other algorithms (recipes for changing data) have emerged 25 | which are based on design principles similar to DES. Once 26 | you understand the basic transformations that take place in 27 | DES, you will find it easy to follow the steps involved in 28 | these more recent algorithms. 29 | 30 | But first a bit of history of how DES came about is 31 | appropriate, as well as a look toward the future. 32 | 33 | The National Bureau of Standards Coaxes the Genie from the Bottle34 |35 | On May 15, 1973, during the reign of Richard Nixon, the 36 | National Bureau of Standards (NBS) published a notice in the 37 | Federal Register soliciting proposals for cryptographic 38 | algorithms to protect data during transmission and storage. 39 | The notice explained why encryption was an important issue. 40 | 41 |94 | 95 | NBS waited for the responses to come in. It received 96 | none until August 6, 1974, three days before Nixon's 97 | resignation, when IBM submitted a candidate that it had 98 | developed internally under the name LUCIFER. After 99 | evaluating the algorithm with the help of the National 100 | Security Agency (NSA), the NBS adopted a modification of the 101 | LUCIFER algorithm as the new Data Encryption Standard (DES) 102 | on July 15, 1977. 103 | 104 | DES was quickly adopted for non-digital media, such as 105 | voice-grade public telephone lines. Within a couple of 106 | years, for example, International Flavors and Fragrances was 107 | using DES to protect its valuable formulas transmitted over 108 | the phone ("With Data Encryption, Scents Are Safe at IFF," 109 | Computerworld 14, No. 21, 95 (1980).) 110 | 111 | Meanwhile, the banking industry, which is the largest 112 | user of encryption outside government, adopted DES as a 113 | wholesale banking standard. Standards for the wholesale 114 | banking industry are set by the American National Standards 115 | Institute (ANSI). ANSI X3.92, adopted in 1980, specified 116 | the use of the DES algorithm. 117 | 118 | Some Preliminary Examples of DES119 |120 | DES works on bits, or binary numbers--the 0s and 1s 121 | common to digital computers. Each group of four bits makes 122 | up a hexadecimal, or base 16, number. Binary "0001" is 123 | equal to the hexadecimal number "1", binary "1000" is equal 124 | to the hexadecimal number "8", "1001" is equal to the 125 | hexadecimal number "9", "1010" is equal to the hexadecimal 126 | number "A", and "1111" is equal to the hexadecimal number 127 | "F". 128 | 129 | DES works by encrypting groups of 64 message bits, 130 | which is the same as 16 hexadecimal numbers. To do the 131 | encryption, DES uses "keys" where are also apparently 16 132 | hexadecimal numbers long, or apparently 64 bits long. 133 | However, every 8th key bit is ignored in the DES algorithm, 134 | so that the effective key size is 56 bits. But, in any 135 | case, 64 bits (16 hexadecimal digits) is the round number 136 | upon which DES is organized. 137 | 138 | For example, if we take the plaintext message 139 | "8787878787878787", and encrypt it with the DES key 140 | "0E329232EA6D0D73", we end up with the ciphertext 141 | "0000000000000000". If the ciphertext is decrypted with the 142 | same secret DES key "0E329232EA6D0D73", the result is the 143 | original plaintext "8787878787878787". 144 | 145 | This example is neat and orderly because our plaintext 146 | was exactly 64 bits long. The same would be true if the 147 | plaintext happened to be a multiple of 64 bits. But most 148 | messages will not fall into this category. They will not be 149 | an exact multiple of 64 bits (that is, an exact multiple of 150 | 16 hexadecimal numbers). 151 | 152 | For example, take the message "Your lips are smoother 153 | than vaseline". This plaintext message is 38 bytes (76 154 | hexadecimal digits) long. So this message must be padded 155 | with some extra bytes at the tail end for the encryption. 156 | Once the encrypted message has been decrypted, these extra 157 | bytes are thrown away. There are, of course, different 158 | padding schemes--different ways to add extra bytes. Here we 159 | will just add 0s at the end, so that the total message is a 160 | multiple of 8 bytes (or 16 hexadecimal digits, or 64 bits). 161 | 162 | The plaintext message "Your lips are smoother than 163 | vaseline" is, in hexadecimal, 164 | 165 | "596F7572206C6970 732061726520736D 6F6F746865722074 68616E2076617365 6C696E650D0A". 166 | 167 | (Note here that the first 72 hexadecimal digits represent 168 | the English message, while "0D" is hexadecimal for Carriage 169 | Return, and "0A" is hexadecimal for Line Feed, showing that 170 | the message file has terminated.) We then pad this message 171 | with some 0s on the end, to get a total of 80 hexadecimal 172 | digits: 173 | 174 | "596F7572206C6970 732061726520736D 6F6F746865722074 68616E2076617365 6C696E650D0A0000". 175 | 176 | If we then encrypt this plaintext message 64 bits (16 177 | hexadecimal digits) at a time, using the same DES key 178 | "0E329232EA6D0D73" as before, we get the ciphertext: 179 | 180 | "C0999FDDE378D7ED 727DA00BCA5A84EE 47F269A4D6438190 9DD52F78F5358499 828AC9B453E0E653". 181 | 182 | This is the secret code that can be transmitted or stored. 183 | Decrypting the ciphertext restores the original message 184 | "Your lips are smoother than vaseline". (Think how much 185 | better off Bill Clinton would be today, if Monica Lewinsky 186 | had used encryption on her Pentagon computer!) 187 | 188 | How DES Works in Detail189 |190 | DES is a block cipher--meaning it operates on plaintext 191 | blocks of a given size (64-bits) and returns ciphertext 192 | blocks of the same size. Thus DES results in a permutation 193 | among the 2^64 (read this as: "2 to the 64th power") possible arrangements of 64 bits, each of 194 | which may be either 0 or 1. Each block of 64 bits is divided 195 | into two blocks of 32 bits each, a left half block L and a 196 | right half R. (This division is only used in certain 197 | operations.) 198 | 199 | Example: Let M be the plain text message M = 200 | 0123456789ABCDEF, where M is in hexadecimal (base 16) 201 | format. Rewriting M in binary format, we get the 64-bit 202 | block of text: 203 |
204 | M = 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 208 | The first bit of M is "0". The last bit is "1". We read 209 | from left to right. 210 | 211 | DES operates on the 64-bit blocks using key sizes of 56- 212 | bits. The keys are actually stored as being 64 bits long, 213 | but every 8th bit in the key is not used (i.e. bits numbered 214 | 8, 16, 24, 32, 40, 48, 56, and 64). However, we will 215 | nevertheless number the bits from 1 to 64, going left to 216 | right, in the following calculations. But, as you will see, 217 | the eight bits just mentioned get eliminated when we create 218 | subkeys. 219 | 220 | Example: Let K be the hexadecimal key K = 221 | 133457799BBCDFF1. This gives us as the binary key (setting 222 | 1 = 0001, 3 = 0011, etc., and grouping together every eight 223 | bits, of which the last one in each group will be unused): 224 | 225 | K = 00010011 00110100 01010111 01111001 10011011 10111100 11011111 11110001 226 | 227 | The DES algorithm uses the following steps: 228 | 229 | Step 1: Create 16 subkeys, each of which is 48-bits long.230 |231 | The 64-bit key is permuted according to the following 232 | table, PC-1. Since the first entry in the table is "57", 233 | this means that the 57th bit of the original key K becomes 234 | the first bit of the permuted key K+. The 49th bit of the 235 | original key becomes the second bit of the permuted key. 236 | The 4th bit of the original key is the last bit of the 237 | permuted key. Note only 56 bits of the original key appear 238 | in the permuted key. 239 | 240 | 241 | PC-1 242 | 243 | 57 49 41 33 25 17 9 244 | 1 58 50 42 34 26 18 245 | 10 2 59 51 43 35 27 246 | 19 11 3 60 52 44 36 247 | 63 55 47 39 31 23 15 248 | 7 62 54 46 38 30 22 249 | 14 6 61 53 45 37 29 250 | 21 13 5 28 20 12 4 251 |252 | 253 | Example: From the original 64-bit key 254 | 255 | K = 00010011 00110100 01010111 01111001 10011011 10111100 11011111 11110001 256 | 257 | we get the 56-bit permutation 258 | 259 | K+ = 1111000 0110011 0010101 0101111 0101010 1011001 1001111 0001111 260 | 261 | Next, split this key into left and right halves, C0 and 262 | D0, where each half has 28 bits. 263 | 264 | Example: From the permuted key K+, we get 265 |
266 | C0 = 1111000 0110011 0010101 0101111 269 | With C0 and D0 defined, we now create sixteen blocks Cn 270 | and Dn, 1<=n<=16. Each pair of blocks Cn and Dn is formed 271 | from the previous pair Cn-1 and Dn-1, respectively, for n = 272 | 1, 2, ..., 16, using the following schedule of "left shifts" 273 | of the previous block. To do a left shift, move each bit 274 | one place to the left, except for the first bit, which is 275 | cycled to the end of the block. 276 | 277 | 278 | Iteration Number of 279 | Number Left Shifts 280 | 281 | 1 1 282 | 2 1 283 | 3 2 284 | 4 2 285 | 5 2 286 | 6 2 287 | 7 2 288 | 8 2 289 | 9 1 290 | 10 2 291 | 11 2 292 | 12 2 293 | 13 2 294 | 14 2 295 | 15 2 296 | 16 1 297 |298 | 299 | This means, for example, C3 and D3 are obtained from C2 and 300 | D2, respectively, by two left shifts, and C16 and D16 are 301 | obtained from C15 and D15, respectively, by one left shift. 302 | In all cases, by a single left shift is meant a rotation of 303 | the bits one place to the left, so that after one left shift 304 | the bits in the 28 positions are the bits that were 305 | previously in positions 2, 3,..., 28, 1. 306 | 307 | Example: From original pair pair C0 and D0 we obtain: 308 |
309 | C0 = 1111000011001100101010101111
312 | C1 = 1110000110011001010101011111
315 | C2 = 1100001100110010101010111111
318 | C3 = 0000110011001010101011111111
321 | C4 = 0011001100101010101111111100
324 | C5 = 1100110010101010111111110000
327 | C6 = 0011001010101011111111000011
330 | C7 = 1100101010101111111100001100
333 | C8 = 0010101010111111110000110011
336 | C9 = 0101010101111111100001100110
339 | C10 = 0101010111111110000110011001
342 | C11 = 0101011111111000011001100101
345 | C12 = 0101111111100001100110010101
348 | C13 = 0111111110000110011001010101
351 | C14 = 1111111000011001100101010101
354 | C15 = 1111100001100110010101010111
357 | C16 = 1111000011001100101010101111 360 | We now form the keys Kn, for 1<=n<=16, by applying the 361 | following permutation table to each of the concatenated 362 | pairs CnDn. Each pair has 56 bits, but PC-2 only uses 48 of 363 | these. 364 | 365 | 366 | PC-2 367 | 368 | 14 17 11 24 1 5 369 | 3 28 15 6 21 10 370 | 23 19 12 4 26 8 371 | 16 7 27 20 13 2 372 | 41 52 31 37 47 55 373 | 30 40 51 45 33 48 374 | 44 49 39 56 34 53 375 | 46 42 50 36 29 32 376 |377 | 378 | Therefore, the first bit of Kn is the 14th bit of CnDn, the 379 | second bit the 17th, and so on, ending with the 48th bit of 380 | Kn being the 32th bit of CnDn. 381 | 382 | Example: For the first key we have 383 | 384 | C1D1 = 1110000 1100110 0101010 1011111 1010101 0110011 0011110 0011110 385 | 386 | which, after we apply the permutation PC-2, becomes 387 | 388 | K1 = 000110 110000 001011 101111 111111 000111 000001 110010 389 | 390 | For the other keys we have 391 |
392 | K2 = 011110 011010 111011 011001 110110 111100 100111 100101 408 | So much for the subkeys. Now we look at the message itself. 409 | 410 | Step 2: Encode each 64-bit block of data.411 |412 | There is an initial permutation IP of the 64 bits of 413 | the message data M. This rearranges the bits according to 414 | the following table, where the entries in the table show the 415 | new arrangement of the bits from their initial order. The 416 | 58th bit of M becomes the first bit of IP. The 50th bit of 417 | M becomes the second bit of IP. The 7th bit of M is the 418 | last bit of IP. 419 | 420 | 421 | IP 422 | 423 | 58 50 42 34 26 18 10 2 424 | 60 52 44 36 28 20 12 4 425 | 62 54 46 38 30 22 14 6 426 | 64 56 48 40 32 24 16 8 427 | 57 49 41 33 25 17 9 1 428 | 59 51 43 35 27 19 11 3 429 | 61 53 45 37 29 21 13 5 430 | 63 55 47 39 31 23 15 7 431 |432 | 433 | Example: Applying the initial permutation to the block 434 | of text M, given previously, we get 435 |
436 | M = 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 439 | Here the 58th bit of M is "1", which becomes the first bit 440 | of IP. The 50th bit of M is "1", which becomes the second 441 | bit of IP. The 7th bit of M is "0", which becomes the last 442 | bit of IP. 443 | 444 | Next divide the permuted block IP into a left half L0 445 | of 32 bits, and a right half R0 of 32 bits. 446 | 447 | Example: From IP, we get L0 and R0 448 |
449 | L0 = 1100 1100 0000 0000 1100 1100 1111 1111 452 | We now proceed through 16 iterations, for 1<=n<=16, using 453 | a function f which operates on two blocks--a data block of 454 | 32 bits and a key Kn of 48 bits--to produce a block of 32 455 | bits. Let + denote XOR addition, (bit-by-bit addition 456 | modulo 2). Then for n going from 1 to 16 we calculate 457 | 458 | 459 | Ln = Rn-1462 | 463 | This results in a final block, for n = 16, of L16R16. That 464 | is, in each iteration, we take the right 32 bits of the 465 | previous result and make them the left 32 bits of the 466 | current step. For the right 32 bits in the current step, we 467 | XOR the left 32 bits of the previous step with the 468 | calculation f . 469 | 470 | Example: For n = 1, we have 471 |
472 | K1 = 000110 110000 001011 101111 111111 000111 000001 110010 476 | It remains to explain how the function f works. To 477 | calculate f, we first expand each block Rn-1 from 32 bits to 478 | 48 bits. This is done by using a selection table that 479 | repeats some of the bits in Rn-1 . We'll call the use of 480 | this selection table the function E. Thus E(Rn-1) has a 32 481 | bit input block, and a 48 bit output block. 482 | 483 | Let E be such that the 48 bits of its output, written 484 | as 8 blocks of 6 bits each, are obtained by selecting the 485 | bits in its inputs in order according to the following 486 | table: 487 | 488 | 489 | E BIT-SELECTION TABLE 490 | 491 | 32 1 2 3 4 5 492 | 4 5 6 7 8 9 493 | 8 9 10 11 12 13 494 | 12 13 14 15 16 17 495 | 16 17 18 19 20 21 496 | 20 21 22 23 24 25 497 | 24 25 26 27 28 29 498 | 28 29 30 31 32 1 499 |500 | 501 | Thus the first three bits of E(Rn-1) are the bits in 502 | positions 32, 1 and 2 of Rn-1 while the last 2 bits of E(Rn-1) are the bits in positions 32 and 1. 503 | 504 | Example: We calculate E(R0) from R0 as follows: 505 |
506 | R0 = 1111 0000 1010 1010 1111 0000 1010 1010 509 | (Note that each block of 4 original bits has been 510 | expanded to a block of 6 output bits.) 511 | 512 | Next in the f calculation, we XOR the output 513 | E(Rn-1) with the key Kn: 514 | 517 | Example: For K1 , E(R0), we have 518 |
519 | K1 = 000110 110000 001011 101111 111111 000111 000001 110010 523 | We have not yet finished calculating the function f . 524 | To this point we have expanded Rn-1 from 32 bits to 48 525 | bits, using the selection table, and XORed the result with 526 | the key Kn . We now have 48 bits, or eight groups of six 527 | bits. We now do something strange with each group of six 528 | bits: we use them as addresses in tables called "S boxes". 529 | Each group of six bits will give us an address in a 530 | different S box. Located at that address will be a 4 bit 531 | number. This 4 bit number will replace the original 6 bits. 532 | The net result is that the eight groups of 6 bits are 533 | transformed into eight groups of 4 bits (the 4-bit outputs 534 | from the S boxes) for 32 bits total. 535 | 536 | Write the previous result, which is 48 bits, in 537 | the form: 538 | 541 | where each Bi is a group of six bits. We now calculate 542 | 545 | 546 | where Si(Bi) referres to the output of the i-th S 547 | box. 548 | 549 | To repeat, each of the functions S1, S2,..., S8, takes 550 | a 6-bit block as input and yields a 4-bit block as output. 551 | The table to determine S1 is shown and explained below: 552 | 553 | 554 | 555 | S1 556 | 557 | Column Number 558 | Row 559 | No. 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 560 | 561 | 0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 562 | 1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 563 | 2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 564 | 3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13 565 |566 | 567 | If S1 is the function defined in this table and B is a block 568 | of 6 bits, then S1(B) is determined as follows: The first 569 | and last bits of B represent in base 2 a number in the 570 | decimal range 0 to 3 (or binary 00 to 11). Let that number 571 | be i. The middle 4 bits of B represent in base 2 a number 572 | in the decimal range 0 to 15 (binary 0000 to 1111). Let 573 | that number be j. Look up in the table the number in the i-th row and j-th column. It is a number in the range 0 to 15 574 | and is uniquely represented by a 4 bit block. That block is 575 | the output S1(B) of S1 for the input B. For example, for 576 | input block B = 011011 the first bit is "0" and the last bit 577 | "1" giving 01 as the row. This is row 1. The middle four 578 | bits are "1101". This is the binary equivalent of decimal 579 | 13, so the column is column number 13. In row 1, column 13 580 | appears 5. This determines the output; 5 is binary 0101, so 581 | that the output is 0101. Hence S1(011011) = 0101. 582 | 583 | The tables defining the functions S1,...,S8 are 584 | the following: 585 | 586 | 587 | S1 588 | 589 | 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 590 | 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 591 | 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 592 | 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13 593 | 594 | S2 595 | 596 | 15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10 597 | 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5 598 | 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15 599 | 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9 600 | 601 | S3 602 | 603 | 10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8 604 | 13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1 605 | 13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7 606 | 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12 607 | 608 | S4 609 | 610 | 7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15 611 | 13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9 612 | 10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4 613 | 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14 614 | 615 | S5 616 | 617 | 2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9 618 | 14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6 619 | 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14 620 | 11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3 621 | 622 | S6 623 | 624 | 12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11 625 | 10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8 626 | 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6 627 | 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13 628 | 629 | S7 630 | 631 | 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1 632 | 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6 633 | 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2 634 | 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12 635 | 636 | S8 637 | 638 | 13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7 639 | 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2 640 | 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8 641 | 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11 642 |643 | 644 | Example: For the first round, we obtain as the 645 | output of the eight S boxes: 646 | 647 | K1 + E(R0) = 011000 010001 011110 111010 100001 100110 010100 100111. 648 | 649 | S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8) 650 | = 0101 1100 1000 0010 1011 0101 1001 0111 651 | 652 | The final stage in the calculation of f is to do a 653 | permutation P of the S-box output to obtain the final value 654 | of f: 655 | 658 | The permutation P is defined in the following table. P 659 | yields a 32-bit output from a 32-bit input by permuting the 660 | bits of the input block. 661 | 662 | 663 | P 664 | 665 | 16 7 20 21 666 | 29 12 28 17 667 | 1 15 23 26 668 | 5 18 31 10 669 | 2 8 24 14 670 | 32 27 3 9 671 | 19 13 30 6 672 | 22 11 4 25 673 |674 | 675 | Example: From the output of the eight S boxes: 676 | 679 | we get 680 |
683 | R1 = L0 + f(R0 , K1 ) 685 | = 1100 1100 0000 0000 1100 1100 1111 1111689 | 690 | In the next round, we will have L2 = R1, which is the 691 | block we just calculated, and then we must calculate R2 =L1 + f(R1, K2), and so on for 16 rounds. At the end of the 692 | sixteenth round we have the blocks L16 and R16. We then 693 | reverse the order of the two blocks into the 64-bit block 694 | 697 | and apply a final permutation IP-1 as defined by 698 | the following table: 699 | 700 | 701 | IP-1 702 | 703 | 40 8 48 16 56 24 64 32 704 | 39 7 47 15 55 23 63 31 705 | 38 6 46 14 54 22 62 30 706 | 37 5 45 13 53 21 61 29 707 | 36 4 44 12 52 20 60 28 708 | 35 3 43 11 51 19 59 27 709 | 34 2 42 10 50 18 58 26 710 | 33 1 41 9 49 17 57 25 711 |712 | 713 | That is, the output of the algorithm has bit 40 of the 714 | preoutput block as its first bit, bit 8 as its second bit, 715 | and so on, until bit 25 of the preoutput block is the last 716 | bit of the output. 717 | 718 | Example: If we process all 16 blocks using the method 719 | defined previously, we get, on the 16th round, 720 |
721 | L16 = 0100 0011 0100 0010 0011 0010 0011 0100 724 | We reverse the order of these two blocks and apply 725 | the final permutation to 726 | 727 | R16L16 = 00001010 01001100 11011001 10010101 01000011 01000010 00110010 00110100 728 | 729 | IP-1 = 10000101 11101000 00010011 01010100 00001111 00001010 10110100 00000101 730 | 731 | which in hexadecimal format is 732 | 733 | 85E813540F0AB405. 734 | 735 | This is the encrypted form of M = 0123456789ABCDEF: namely, 736 | C = 85E813540F0AB405. 737 | 738 | Decryption is simply the inverse of encryption, 739 | follwing the same steps as above, but reversing the order in 740 | which the subkeys are applied. 741 | 742 | DES Modes of Operation743 |744 | The DES algorithm turns a 64-bit message block M into a 745 | 64-bit cipher block C. If each 64-bit block is encrypted 746 | individually, then the mode of encryption is called 747 | Electronic Code Book (ECB) mode. There are two other modes 748 | of DES encryption, namely Chain Block Coding (CBC) and 749 | Cipher Feedback (CFB), which make each cipher block 750 | dependent on all the previous messages blocks through an 751 | initial XOR operation. 752 | 753 | Cracking DES754 |755 | Before DES was adopted as a national standard, during 756 | the period NBS was soliciting comments on the proposed 757 | algorithm, the creators of public key cryptography, Martin 758 | Hellman and Whitfield Diffie, registered some objections to 759 | the use of DES as an encryption algorithm. Hellman wrote: 760 | "Whit Diffie and I have become concerned that the proposed 761 | data encryption standard, while probably secure against 762 | commercial assault, may be extremely vulnerable to attack by 763 | an intelligence organization" (letter to NBS, October 22, 764 | 1975). 765 | 766 | Diffie and Hellman then outlined a "brute force" attack 767 | on DES. (By "brute force" is meant that you try as many of 768 | the 2^56 possible keys as you have to before decrypting the 769 | ciphertext into a sensible plaintext message.) They 770 | proposed a special purpose "parallel computer using one 771 | million chips to try one million keys each" per second, and 772 | estimated the cost of such a machine at $20 million. 773 | 774 | Fast forward to 1998. Under the direction of John 775 | Gilmore of the EFF, a team spent $220,000 and built a 776 | machine that can go through the entire 56-bit DES key space 777 | in an average of 4.5 days. On July 17, 1998, they announced 778 | they had cracked a 56-bit key in 56 hours. The computer, 779 | called Deep Crack, uses 27 boards each containing 64 chips, 780 | and is capable of testing 90 billion keys a second. 781 | 782 | Despite this, as recently as June 8, 1998, Robert Litt, 783 | principal associate deputy attorney general at the 784 | Department of Justice, denied it was possible for the FBI to 785 | crack DES: "Let me put the technical problem in context: 786 | It took 14,000 Pentium computers working for four months to 787 | decrypt a single message . . . . We are not just talking 788 | FBI and NSA [needing massive computing power], we are 789 | talking about every police department." 790 | 791 | Responded cryptograpy expert Bruce Schneier: " . . . 792 | the FBI is either incompetent or lying, or both." Schneier 793 | went on to say: "The only solution here is to pick an 794 | algorithm with a longer key; there isn't enough silicon in 795 | the galaxy or enough time before the sun burns out to brute- 796 | force triple-DES" (Crypto-Gram, Counterpane Systems, August 797 | 15, 1998). 798 | 799 | Triple-DES800 |801 | Triple-DES is just DES with two 56-bit keys applied. 802 | Given a plaintext message, the first key is used to DES- 803 | encrypt the message. The second key is used to DES-decrypt 804 | the encrypted message. (Since the second key is not the 805 | right key, this decryption just scrambles the data further.) 806 | The twice-scrambled message is then encrypted again with the 807 | first key to yield the final ciphertext. This three-step 808 | procedure is called triple-DES. 809 | 810 | Triple-DES is just DES done three times with two keys 811 | used in a particular order. (Triple-DES can also be done 812 | with three separate keys instead of only two. In either 813 | case the resultant key space is about 2^112.) 814 | 817 | "Cryptographic Algorithms for Protection of Computer Data 818 | During Transmission and Dormant Storage," Federal Register 819 | 38, No. 93 (May 15, 1973). 820 | 821 | Data Encryption Standard, Federal Information Processing 822 | Standard (FIPS) Publication 46, National Bureau of 823 | Standards, U.S. Department of Commerce, Washington D.C. 824 | (January 1977). 825 | 826 | Carl H. Meyer and Stephen M. Matyas, Cryptography: A New 827 | Dimension in Computer Data Security, John Wiley & Sons, New 828 | York, 1982. 829 | 830 | Dorthy Elizabeth Robling Denning, Cryptography and Data 831 | Security, Addison-Wesley Publishing Company, Reading, 832 | Massachusetts, 1982. 833 | 834 | D.W. Davies and W.L. Price, Security for Computer Networks: 835 | An Introduction to Data Security in Teleprocessing and 836 | Electronics Funds Transfer, Second Edition, John Wiley & 837 | Sons, New York, 1984, 1989. 838 | 839 | Miles E. Smid and Dennis K. Branstad, "The Data Encryption 840 | Standard: Past and Future," in Gustavus J. Simmons, ed., 841 | Contemporary Cryptography: The Science of Information 842 | Integrity, IEEE Press, 1992. 843 | 844 | Douglas R. Stinson, Cryptography: Theory and Practice, CRC 845 | Press, Boca Raton, 1995. 846 | 847 | Bruce Schneier, Applied Cryptography, Second Edition, John 848 | Wiley & Sons, New York, 1996. 849 | 850 | Alfred J. Menezes, Paul C. van Oorschot, and Scott A. 851 | Vanstone, Handbook of Applied Cryptography, CRC Press, Boca 852 | Raton, 1997. 853 | 854 | 856 | 857 | This article appeared in Laissez Faire 858 | City Times, Vol 2, No. 28. 859 |
860 | Homepage: http://orlingrabbe.com/ |