Data Encryption Standard: Difference between revisions

| cryptanalysis = DES has been considered unsecure right from the start because of the feasibility of [[brute-force attack]]s.<ref name="dh-exh"/> Such attacks have been demonstrated in practice (see [[EFF DES cracker]]) and are now available on the market as a service. As of 2008, the best analytical attack is [[linear cryptanalysis]], which requires 2⁴³ [[known plaintext]]s and has a time complexity of 2^39–43 (Junod, 2001).}}

Developed in the early 1970s at [[IBM]] and based on an earlier design by [[Horst Feistel]], the algorithm was submitted to the [[National Bureau of Standards]] (NBS) following the agency's invitation to propose a candidate for the protection of sensitive, unclassified electronic government data. In 1976, after consultation with the [[National Security Agency]] (NSA), the NBS selected a slightly modified version (strengthened against [[differential cryptanalysis]], but weakened against [[brute-force attack]]s), which was published as an official [[Federal Information Processing Standard]] (FIPS) for the United States in 1977.<ref name=":3" />

The publication of an NSA-approved encryption standard led to its quick international adoption and widespread academic scrutiny. Controversies arose from [[classified information|classified]] design elements, a relatively short [[key length]] of the [[symmetric-key algorithm|symmetric-key]] [[block cipher]] design, and the involvement of the NSA, raising suspicions about a [[backdoor (computing)|backdoor]].  The [[S-box]]es that had prompted those suspicions were designed by the NSA to address a vulnerability they secretly knew ([[differential cryptanalysis]]). However, the NSA also ensured that the key size was drastically reduced so that they could break the cipher by brute force attack.<ref name=":3">{{cite web |url=https://www.schneier.com/blog/archives/2004/10/the_legacy_of_d.html |website=www.schneier.com |date=October 6, 2004 |title=The Legacy of DES - Schneier on Security}}</ref>{{fv|date=September 2024|reason=Schneier doesn't seem to claim, explicitly or otherwise, that the NSA's tweaks weakened the cipher enough so that they could brute force it at the time.}} The intense academic scrutiny the algorithm received over time led to the modern understanding of block ciphers and their [[cryptanalysis]].

DES is insecure due to the relatively short [[56-bit encryption|56-bit key size]]. In January 1999, [[distributed.net]] and the [[Electronic Frontier Foundation]] collaborated to publicly break a DES key in 22 hours and 15 minutes (see {{Section link|2=Chronology|nopage=y}}). There are also some analytical results which demonstrate theoretical weaknesses in the cipher, although they are infeasible in practice{{citation needed|date=April 2025}}. DES has been withdrawn as a standard by the [[National Institute of Standards and Technology|NIST]].<ref name="Lazo" /> Later, the variant [[Triple DES]] was developed to increase the security level, but it is considered insecure today as well. DES has been superseded by the [[Advanced Encryption Standard]] (AES).

The origins of DES date to 1972, when a [[National Bureau of Standards]] study of US government [[computer security]] identified a need for a government-wide standard for encrypting unclassified, sensitive information.<ref>{{cite conference|author=Walter Tuchman|title=A brief history of the data encryption standard|book-title=Internet besieged: countering cyberspace scofflaws|publisher=ACM Press/Addison-Wesley Publishing Co. New York, NY, USA|pages=275–280|year=1997}}</ref>

On 17 March 1975, the proposed DES was published in the ''[[Federal Register]]''. Public comments were requested, and in the following year two open workshops were held to discuss the proposed standard. There was criticism received from [[public-key cryptography]] pioneers [[Martin Hellman]] and [[Whitfield Diffie]],<ref name="dh-exh">{{cite journal

|last1=Diffie  

  |first1=Whitfield  

  |last2=Hellman  

  |first2=Martin E.  

  |date=June 1977  

  |title=Exhaustive Cryptanalysis of the NBS Data Encryption Standard  

|journal=Computer  

|volume=10  

|issue=6  

|pages=74–84  

|doi=10.1109/C-M.1977.217750  

|s2cid=2412454  

|url=http://origin-www.computer.org/csdl/mags/co/1977/06/01646525.pdf  

|url-status=dead  

|archive-url=https://web.archive.org/web/20140226205104/http://origin-www.computer.org/csdl/mags/co/1977/06/01646525.pdf  

|archive-date=2014-02-26  

}}</ref> citing a shortened [[key length]] and the mysterious "[[Substitution box|S-boxes]]" as evidence of improper interference from the NSA. The suspicion was that the algorithm had been covertly weakened by the intelligence agency so that they—but no one else—could easily read encrypted messages.<ref>{{cite web

|url=http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/has-des-been-broken.htm

|url-status=dead

|archive-url=https://web.archive.org/web/20160517015519/http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/has-des-been-broken.htm

|archive-date=2016-05-17  

|title=Has DES been broken?|author=RSA Laboratories|access-date=2009-11-08}}</ref> Alan Konheim (one of the designers of DES) commented, "We sent the S-boxes off to Washington. They came back and were all different."<ref>{{Cite book|last=Schneier|title=Applied Cryptography|edition=2nd|page=280}}</ref> The [[United States Senate Select Committee on Intelligence]] reviewed the NSA's actions to determine whether there had been any improper involvement. In the unclassified summary of their findings, published in 1978, the Committee wrote:

{{blockquote|In the development of DES, NSA convinced [[IBM]] that a reduced key size was sufficient; indirectly assisted in the development of the S-box structures; and certified that the final DES algorithm was, to the best of their knowledge, free from any statistical or mathematical weakness.<ref>{{Cite book|first=D.W.|last=Davies|author2=W.L. Price|title=Security for computer networks, 2nd ed.|publisher=John Wiley & Sons|year=1989}}</ref>}}

{{blockquote|NSA did not tamper with the design of the algorithm in any way. IBM invented and designed the algorithm, made all pertinent decisions regarding it, and concurred that the agreed upon key size was more than adequate for all commercial applications for which the DES was intended.<ref>{{Cite journal|editor=Robert Sugarman |title=On foiling computer crime|journal=IEEE Spectrum|date=July 1979}}</ref>}}

| The Open Source password cracking software [https://hashcat.net/hashcat/ hashcat] added in DES brute force searching on general purpose GPUs. Benchmarking shows a single off the shelf Nvidia [[GeForce 10 series|GeForce GTX 1080 Ti]] GPU costing US$1000 recovers a key in an average of 15 days (full exhaustive search taking 30 days). Systems have been built with eight GTX 1080 Ti GPUs which can recover a key in an average of under 2 days.<ref>{{Cite web | url=https://gist.github.com/epixoip/ace60d09981be09544fdd35005051505 | title=8x1080Ti.md}}</ref>

| A [[chosen-plaintext attack]] utilizing a [[rainbow table]] can recover the DES key for a single specific chosen plaintext ''1122334455667788'' in 25 seconds. A new rainbow table has to be calculated per plaintext. A limited set of rainbow tables have been made available for download.<ref>{{Cite web | url=https://crack.sh | title=Crack.sh &#124; the World's Fastest DES Cracker}}</ref>

For any [[cipher]], the most basic method of attack is [[brute-force attack|brute force]]—trying every possible key in turn. The [[key length|length of the key]] determines the number of possible keys, and hence the feasibility of this approach. For DES, questions were raised about the adequacy of its key size early on, even before it was adopted as a standard, and it was the small key size, rather than theoretical cryptanalysis, which dictated a need for a replacement [[algorithm]]. As a result of discussions involving external consultants including the NSA, the key size was reduced from 256 bits to 56 bits to fit on a single chip.<ref name="stallings-2006">Stallings, W. ''Cryptography and network security: principles and practice''. Prentice Hall, 2006. p. 73</ref>

In academia, various proposals for a DES-cracking machine were advanced. In 1977, Diffie and Hellman proposed a machine costing an estimated US$20 million which could find a DES key in a single day.<ref name="dh-exh"/><ref>{{Cite web | url=http://hamburgsteak.sandwich.net/writ/bruting_des.html | title=Bruting DES}}</ref> By 1993, Wiener had proposed a key-search machine costing US$1 million which would find a key within 7 hours. However, none of these early proposals were ever implemented—or, at least, no implementations were publicly acknowledged. The vulnerability of DES was practically demonstrated in the late 1990s.<ref>{{Citation|last1=van Oorschot|first1=Paul C.|title=A Known-Plaintext Attack on Two-Key Triple Encryption|date=1991|work=Advances in Cryptology – EUROCRYPT ’90|volume=473|pages=318–325|editor-last=Damgård|editor-first=Ivan Bjerre|place=Berlin, Heidelberg|publisher=Springer Berlin Heidelberg|doi=10.1007/3-540-46877-3_29|isbn=978-3-540-53587-4|last2=Wiener|first2=Michael J.|doi-access=free}}</ref> In 1997, [[RSA Security]] sponsored a series of contests, offering a $10,000 prize to the first team that broke a message encrypted with DES for the contest. That contest was won by the [[DESCHALL Project]], led by Rocke Verser, [[Matt Curtin]], and Justin Dolske, using idle cycles of thousands of computers across the Internet. The feasibility of cracking DES quickly was demonstrated in 1998 when a custom DES-cracker was built by the [[Electronic Frontier Foundation]] (EFF), a cyberspace civil rights group, at the cost of approximately US$250,000 (see [[EFF DES cracker]]). Their motivation was to show that DES was breakable in practice as well as in theory: "''There are many people who will not believe a truth until they can see it with their own eyes. Showing them a physical machine that can crack DES in a few days is the only way to convince some people that they really cannot trust their security to DES.''" The machine brute-forced a key in a little more than 2 days' worth of searching.

The next confirmed DES cracker was the COPACOBANA machine built in 2006 by teams of the [[Ruhr University|Universities of Bochum]] and [[University of Kiel|Kiel]], both in [[Germany]]. Unlike the EFF machine, COPACOBANA consists of commercially available, reconfigurable integrated circuits. 120 of these [[field-programmable gate array]]s (FPGAs) of type XILINX Spartan-3 1000 run in parallel. They are grouped in 20 DIMM modules, each containing 6 FPGAs. The use of reconfigurable hardware makes the machine applicable to other code breaking tasks as well.<ref>{{cite web

| title = Getting Started, COPACOBANA — Cost-optimized Parallel Code-Breaker

| url = http://www.copacobana.org/paper/copacobana_gettingstarted.pdf

| date = December 12, 2006

| access-date = March 6, 2012

}}</ref> One of the more interesting aspects of COPACOBANA is its cost factor. One machine can be built for approximately $10,000.<ref>{{cite book

| author = Reinhard Wobst

| title = Cryptology Unlocked

| url = https://archive.org/details/Cryptology_Unlocked

| date = October 16, 2007

| publisher = John Wiley & Sons

| isbn = 9780470060643

}}</ref> The cost decrease by roughly a factor of 25 over the EFF machine is an example of the continuous improvement of [[digital hardware]]—see [[Moore's law]]. Adjusting for inflation over 8 years yields an even higher improvement of about 30x. Since 2007, [[SciEngines GmbH]], a spin-off company of the two project partners of COPACOBANA has enhanced and developed successors of COPACOBANA. In 2008 their COPACOBANA RIVYERA reduced the time to break DES to less than one day, using 128 Spartan-3 5000's. SciEngines RIVYERA held the record in brute-force breaking DES, having utilized 128 Spartan-3 5000 FPGAs.<ref>[http://www.sciengines.com/company/news-a-events/74-des-in-1-day.html Break DES in less than a single day] {{Webarchive|url=https://web.archive.org/web/20170828035212/http://www.sciengines.com/company/news-a-events/74-des-in-1-day.html |date=2017-08-28 }} [Press release of Firm, demonstrated on 2009 Workshop]</ref> Their 256 Spartan-6 LX150 model has further lowered this time.

In 2012, David Hulton and [[Moxie Marlinspike]] announced a system with 48 Xilinx Virtex-6 LX240T FPGAs, each FPGA containing 40 fully pipelined DES cores running at 400&nbsp;MHz, for a total capacity of 768 gigakeys/sec. The system can exhaustively search the entire 56-bit DES key space in about 26 hours and this service is offered for a fee online.<ref>{{cite web| url = http://crack.sh| title = The World's fastest DES cracker}}</ref><ref>''Think Complex Passwords Will Save You?,'' David Hulton, Ian Foster, BSidesLV 2017</ref> However, the service has been offline since the year 2024, supposedly for maintenance but probably permanently switched off. <ref>{{cite web| url =https://crack.sh/get-cracking/| title = DES Cracker is currently down for maintenance}}</ref>

There are three attacks known that can break the full 16 rounds of DES with less complexity than a brute-force search: [[differential cryptanalysis]] (DC),<ref name=":0" /> [[linear cryptanalysis]] (LC),<ref name=":1" /> and [[Davies' attack]].<ref name=":2" /> However, the attacks are theoretical and are generally considered infeasible to mount in practice;<ref>{{Cite journal|last=Alanazi|first=Hamdan O.|display-authors=et al|date=2010|title=New Comparative Study Between DES, 3DES and AES within Nine Factors|arxiv=1003.4085|journal=Journal of Computing|volume=2|issue=3|bibcode=2010arXiv1003.4085A}}</ref> these types of attack are sometimes termed certificational weaknesses.

* [[Differential cryptanalysis]] was rediscovered in the late 1980s by [[Eli Biham]] and [[Adi Shamir]]; it was known earlier to both IBM and the NSA and kept secret. To break the full 16 rounds, differential cryptanalysis requires 2⁴⁷ [[chosen plaintext]]s.<ref name=":0">{{Cite book|url=https://link.springer.com/978-1-4613-9314-6|title=Differential cryptanalysis of the data encryption standard|last=Biham, E. & Shamir, A|date=1993|publisher=Springer-Verlag|others=Shamir, Adi.|isbn=978-0387979304|location=New York|pages=487–496|doi=10.1007/978-1-4613-9314-6|s2cid=6361693|oclc=27173465}}</ref> DES was designed to be resistant to DC.{{Citation needed|reason=Need a source that will help the reader find how DES was designed to be DC-resistant|date=August 2022}}

* [[Linear cryptanalysis]] was discovered by [[Mitsuru Matsui]], and needs 2⁴³ [[known plaintext]]s (Matsui, 1993);<ref name=":1">{{Cite book|last=Matsui|first=Mitsuru|title=Advances in Cryptology — EUROCRYPT '93 |chapter=Linear Cryptanalysis Method for DES Cipher |date=1993-05-23|volume=765|series=Lecture Notes in Computer Science|language=en|publisher=Springer, Berlin, Heidelberg|pages=386–397|doi=10.1007/3-540-48285-7_33|isbn=978-3540482857|doi-access=free}}</ref> the method was implemented (Matsui, 1994), and was the first experimental cryptanalysis of DES to be reported. There is no evidence that DES was tailored to be resistant to this type of attack. A generalization of LC—''multiple linear cryptanalysis''—was suggested in 1994 (Kaliski and Robshaw), and was further refined by Biryukov and others. (2004); their analysis suggests that multiple linear approximations could be used to reduce the data requirements of the attack by at least a factor of 4 (that is, 2⁴¹ instead of 2⁴³).<ref>{{Cite book|last1=Biryukov|first1=Alex|last2=Cannière|first2=Christophe De|last3=Quisquater|first3=Michaël|title=Advances in Cryptology – CRYPTO 2004 |chapter=On Multiple Linear Approximations |date=2004-08-15|series=Lecture Notes in Computer Science|volume=3152 |language=en|publisher=Springer, Berlin, Heidelberg|pages=1–22|doi=10.1007/978-3-540-28628-8_1|isbn=9783540226680}}</ref> A similar reduction in data complexity can be obtained in a chosen-plaintext variant of linear cryptanalysis (Knudsen and Mathiassen, 2000).<ref>{{Cite book|last1=Knudsen|first1=Lars R.|last2=Mathiassen|first2=John Erik|title=Fast Software Encryption |chapter=A Chosen-Plaintext Linear Attack on DES |date=2000-04-10|series=Lecture Notes in Computer Science|volume=1978 |language=en|publisher=Springer, Berlin, Heidelberg|pages=262–272|doi=10.1007/3-540-44706-7_18|isbn=978-3540447061}}</ref> Junod (2001) performed several experiments to determine the actual time complexity of linear cryptanalysis, and reported that it was somewhat faster than predicted, requiring time equivalent to 2³⁹–2⁴¹ DES evaluations.<ref>{{Cite book|last=Junod|first=Pascal|title=Selected Areas in Cryptography |chapter=On the Complexity of Matsui's Attack |date=2001-08-16|volume=2259|series=Lecture Notes in Computer Science|language=en|publisher=Springer, Berlin, Heidelberg|pages=199–211|doi=10.1007/3-540-45537-X_16|isbn=978-3540455370}}</ref>

* ''Improved Davies' attack'': while linear and differential cryptanalysis are general techniques and can be applied to a number of schemes, Davies' attack is a specialized technique for DES, first suggested by [[Donald Davies]] in the eighties,<ref name=":2">{{Cite journal|last=Davies|first=D. W.|date=1987|title=Investigation of a potential weakness in the DES algorithm, Private communications|url=https://scholar.google.com/scholar?q=D.%20W.%20Davies%2C%20Investigation%20of%20a%20potential%20weakness%20in%20the%20DES%20algorithm%2C%20Private%20communications%2C%201987.|journal=Private Communications}}</ref> and improved by Biham and [[Alex Biryukov|Biryukov]] (1997).<ref>{{Cite journal|last1=Biham|first1=Eli|last2=Biryukov|first2=Alex|date=1997-06-01|title=An improvement of Davies' attack on DES|journal=Journal of Cryptology|language=en|volume=10|issue=3|pages=195–205|doi=10.1007/s001459900027|s2cid=4070446|issn=0933-2790|doi-access=free}}</ref> The most powerful form of the attack requires 2⁵⁰ [[known plaintext]]s, has a computational complexity of 2⁵⁰, and has a 51% success rate.

There have also been attacks proposed against reduced-round versions of the cipher, that is, versions of DES with fewer than 16 rounds. Such analysis gives an insight into how many rounds are needed for safety, and how much of a "security margin" the full version retains.

[[Differential-linear cryptanalysis]] was proposed by Langford and Hellman in 1994, and combines differential and linear cryptanalysis into a single attack.<ref>{{Cite book|last1=Langford|first1=Susan K.|last2=Hellman|first2=Martin E.|title=Advances in Cryptology — CRYPTO '94 |chapter=Differential-Linear Cryptanalysis |date=1994-08-21|series=Lecture Notes in Computer Science|volume=839 |language=en|publisher=Springer, Berlin, Heidelberg|pages=17–25|doi=10.1007/3-540-48658-5_3|isbn=978-3540486589}}</ref> An enhanced version of the attack can break 9-round DES with 2^15.8 chosen plaintexts and has a 2^29.2 time complexity (Biham and others, 2002).<ref>{{Cite book|last1=Biham|first1=Eli|last2=Dunkelman|first2=Orr|last3=Keller|first3=Nathan|title=Advances in Cryptology — ASIACRYPT 2002 |chapter=Enhancing Differential-Linear Cryptanalysis |date=2002-12-01|series=Lecture Notes in Computer Science|volume=2501 |language=en|publisher=Springer, Berlin, Heidelberg|pages=254–266|doi=10.1007/3-540-36178-2_16|isbn=978-3540361787}}</ref>

Some people feel that learning SDES gives insight into DES and other block ciphers, and insight into various cryptanalytic attacks against them.<ref>Sanjay Kumar; Sandeep Srivastava.

[http://research.ijcaonline.org/volume104/number2/pxc3899070.pdf "Image Encryption using Simplified Data Encryption Standard (S-DES)"] {{Webarchive|url=https://web.archive.org/web/20151222123315/http://research.ijcaonline.org/volume104/number2/pxc3899070.pdf |date=2015-12-22 }}.

[https://books.google.com/books?id=9lTRBQAAQBAJ "Introduction to Cryptography with Open-Source Software"].

[http://mercury.webster.edu/aleshunas/COSC%205130/G-SDES.pdf "Appendix G: Simplified DES"].

</ref><ref>

[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.521.9332&rep=rep1&type=pdf "Cryptanalysis of Simplified Data Encryption Standard via Optimisation Heuristics"].

Edward F. Schaefer.

"A Simplified Data Encryption Standard Algorithm".

{{doi|10.1080/0161-119691884799}}

</ref><ref>

Lavkush Sharma; Bhupendra Kumar Pathak; and Nidhi Sharma.

[http://ijcsi.org/papers/IJCSI-9-3-1-307-313.pdf "Breaking of Simplified Data Encryption Standard Using Binary Particle Swarm Optimization"].

[https://web.archive.org/web/20110829213229/http://www.scu.edu/cas/research/cryptography.cfm "Cryptography Research: Devising a Better Way to Teach and Learn the Advanced Encryption Standard"].

</ref>

DES itself can be adapted and reused in a more secure scheme. Many former DES users now use [[Triple DES]] (TDES) which was described and analysed by one of DES's patentees (see [[Federal Information Processing Standard|FIPS]] Pub 46–3); it involves applying DES three times with two (2TDES) or three (3TDES) different keys. TDES is regarded as adequately secure, although it is quite slow. A less computationally expensive alternative is [[DES-X]], which increases the key size by XORing extra key material before and after DES. [[GDES]] was a DES variant proposed as a way to speed up encryption, but it was shown to be susceptible to differential cryptanalysis.

On January 2, 1997, NIST announced that they wished to choose a successor to DES.<ref>{{Cite web|url=http://csrc.nist.gov/archive/aes/pre-round1/aes_9701.txt|title = Announcing Development of FIPS for Advanced Encryption Standard &#124; CSRC|date = 10 January 2017}}</ref> In 2001, after an international competition, NIST selected a new cipher, the [[Advanced Encryption Standard]] (AES), as a replacement.<ref>http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf November 26, 2001.</ref> The algorithm which was selected as the AES was submitted by its designers under the name [[Rijndael]]. Other finalists in the NIST [[AES competition]] included [[RC6]], [[Serpent (cipher)|Serpent]], [[MARS (cryptography)|MARS]], and [[Twofish]].

== Notes ==

*[http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf FIPS 46-3: The official document describing the DES standard] (PDF)