The Data Encryption Standard (DES) was developed in the early 1970s by cryptographers at IBM; it is a Feistel cipher based on Lucifer. The National Bureau of Standards (renamed the National Institute of Standards and Technology (NIST) in 1988) identified a need for an encryption standard to protect unclassified but sensitive government information. After consulting the NSA, they solicited proposals for a cipher on 15th May 1973, but none of the algorithms submitted were suitable. IBM made their submission after the second request was issued on 27th August 1974. DES uses a 56-bit key and works on 64-bit blocks of data [32].
3.4.2 Structure of DES
As DES is a Feistel cipher, the structure is very much like that shown in Figure 3-2; the only difference is that there is an initial permutation that re-orders the bits and a final permutation that performs the inverse.
The round function for DES is shown in Figure 3-8. The first stage is the expansion operation, which converts the 32-bit half block into 48 bits by duplicating some bits: each 4-bit block of the input provides the middle 4 bits of a 6-bit block of the output, and the 2 remaining bits at the edges of that block come from the bits at the edges of the adjacent 4-bit input blocks. This is shown in detail in Table 3-1. The expanded data is then mixed with the key and divided into eight 6-bit blocks, each of which is put through a different s-box with a 4-bit output. The eight 4-bit blocks are then re-arranged by a fixed permutation, as shown in Table 3-2. There are a total of 16 rounds in DES.
Figure 3-8: The overall structure of DES and its round function.
The 56-bit key is expanded into 16 48-bit blocks, a total of 768 bits. This is achieved by separating the initial 56 bits into two halves; each 28-bit half is then rotated left by either 1 or 2 bits depending on the round, and 24 bits are then selected from each half by a fixed permutation. The process is repeated for each round.
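The key expansion described above can be traced bit by bit. The following is an added example, not code from the original text; the per-round rotation amounts and the 24+24 bit selection (PC-2) are the standard DES values from FIPS 46-3, which this page describes but does not list, and the function names are illustrative. It starts from the 56 key bits directly, as the text does.

```python
# Standard DES key-schedule constants (FIPS 46-3); not listed on this page.
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
# PC-2: 1-indexed positions in the 56-bit concatenation of the two halves.
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4,
       26, 8, 16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40,
       51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]


def round_keys(key56):
    """Expand 56 key bits (any list of 56 items) into 16 round keys of 48."""
    if len(key56) != 56:
        raise ValueError("expected a 56-element key")
    c, d = list(key56[:28]), list(key56[28:])
    keys = []
    for shift in SHIFTS:
        c = c[shift:] + c[:shift]  # rotate each 28-bit half left
        d = d[shift:] + d[:shift]
        both = c + d
        keys.append([both[i - 1] for i in PC2])  # 24 bits from each half
    return keys


def key_bit_usage():
    """Count how many of the 16 round keys each key bit appears in.

    Feeding bit positions (0..55) instead of bit values makes the wiring
    of the schedule visible.
    """
    usage = [0] * 56
    for key in round_keys(list(range(56))):
        for position in key:
            usage[position] += 1
    return usage


if __name__ == "__main__":
    keys = round_keys(list(range(56)))
    print("round keys:", len(keys), "x", len(keys[0]), "=", sum(map(len, keys)), "bits")
    usage = key_bit_usage()
    print("each key bit is used in", min(usage), "to", max(usage), "round keys")
    # Constructed sample key: constant halves are unchanged by rotation,
    # so every round receives the same round key.
    constant = round_keys([0] * 28 + [1] * 28)
    print("distinct round keys for constant halves:", len({tuple(k) for k in constant}))
```

Because the rotation amounts sum to 28, both halves return to their starting position after round 16, which is what allows an implementation to produce the round keys in reverse order for decryption.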
Output Bit  Input Bit  Output  Input  Output  Input  Output  Input
0           31         12      7      24      15     36      23
1           0          13      8      25      16     37      24
2           1          14      9      26      17     38      25
3           2          15      10     27      18     39      26
4           3          16      11     28      19     40      27
5           4          17      12     29      20     41      28
6           3          18      11     30      19     42      27
7           4          19      12     31      20     43      28
8           5          20      13     32      21     44      29
9           6          21      14     33      22     45      30
10          7          22      15     34      23     46      31
11          8          23      16     35      24     47      1
The inverse of the cipher is very similar: the final permutation is applied first, after which the algorithm is exactly the same except that the round keys are provided in the reverse order; finally, the initial permutation is applied to the data [33].
Output Bit  Input Bit  Output  Input  Output  Input  Output  Input
0           15         8       0      16      1      24      18
1           6          9       14     17      7      25      12
2           19         10      22     18      23     26      29
3           20         11      25     19      13     27      5
4           28         12      4      20      31     28      21
5           11         13      17     21      26     29      10
6           27         14      30     22      2      30      3
7           16         15      9      23      8      31      24
Table 3-2: The DES Permutation function.
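The round wiring and the reversed-key inverse described in this section can be exercised together. The following is an added example, not code from the original text: the expansion is built from the rule stated in the prose, the permutation is Table 3-2, and the substitution step is a hypothetical stand-in rather than the real DES s-boxes, so the output is not DES ciphertext. The round keys and plaintext are constructed sample data.

```python
import random

# Table 3-2 (0-indexed): output bit i of the permutation takes input bit P[i].
P = [15, 6, 19, 20, 28, 11, 27, 16, 0, 14, 22, 25, 4, 17, 30, 9,
     1, 7, 23, 13, 31, 26, 2, 8, 18, 12, 29, 5, 21, 10, 3, 24]


def expansion_table():
    """E built from the rule in the text: each 4-bit input block supplies the
    middle 4 bits of a 6-bit output block, and the two edge bits are copied
    from the neighbouring input blocks (wrapping at both ends)."""
    return [(4 * block + offset) % 32 for block in range(8) for offset in range(-1, 5)]


E = expansion_table()


def standin_sbox(six_bits):
    """Hypothetical 6-bit to 4-bit substitution; NOT one of the DES s-boxes."""
    value = int("".join(map(str, six_bits)), 2)
    out = (value * 7 + 3) % 16
    return [(out >> shift) & 1 for shift in (3, 2, 1, 0)]


def round_function(half, round_key):
    """Expand 32 -> 48 bits, XOR the round key, substitute, then permute."""
    mixed = [half[i] ^ k for i, k in zip(E, round_key)]
    substituted = []
    for start in range(0, 48, 6):
        substituted += standin_sbox(mixed[start:start + 6])
    return [substituted[i] for i in P]


def feistel(block, round_keys):
    """16 Feistel rounds on a 64-bit block given as a list of bits.
    The keyless initial and final permutations are left out."""
    left, right = block[:32], block[32:]
    for key in round_keys:
        left, right = right, [a ^ b for a, b in zip(left, round_function(right, key))]
    return right + left  # undo the last swap so the same routine decrypts


def demo():
    rng = random.Random(1)  # constructed sample data, not real DES round keys
    keys = [[rng.randint(0, 1) for _ in range(48)] for _ in range(16)]
    plaintext = [rng.randint(0, 1) for _ in range(64)]
    ciphertext = feistel(plaintext, keys)
    recovered = feistel(ciphertext, keys[::-1])  # same code, keys reversed
    return plaintext, ciphertext, recovered


if __name__ == "__main__":
    pt, ct, rec = demo()
    print("round trip ok:", rec == pt, "| ciphertext differs:", ct != pt)
```

The round trip succeeds even though the stand-in substitution is not invertible, which is the property of the Feistel structure that lets DES decrypt with the same round function.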
3.4.3 Security of DES
There have been a few attacks that can reduce the complexity of attacking full round DES to lower than that of a brute force attack, although generally not by much, and often they involve collecting large numbers of known or chosen plaintexts. These attacks are discussed briefly in section 3.4.3.1. DES is no longer considered secure as the key length is not long enough to make brute force attacks infeasible with current levels of processing power available.
3.4.3.1 Theoretical Attacks
There have been several attacks published on DES. Differential cryptanalysis is a chosen plaintext attack that uses differentials, pairs of plaintexts related by a constant difference, to detect patterns in statistical distribution. It was known to IBM in 1974 and resistance to this type of attack was one of the design goals of the algorithm [34]. When applied to DES, differential cryptanalysis requires 2^47 chosen plaintexts.
Linear cryptanalysis was developed by Matsui in 1992 [16]. It involves generating linear approximations to sections of the cipher that have either a high or low probability of being correct. If bits were chosen at random there would be an expected probability of ½. It is the deviation from this that provides the cryptanalyst with information. To attack DES using a linear cryptanalysis approach requires 2^43 known plaintexts [17].
The Davies attack is a statistical attack designed specifically for DES; it was developed by Davies in 1987 [27]. It is a known plaintext attack that exploits the fact that each adjacent s-box shares two input bits that are XORed with different key bits. After collecting enough known plaintext / ciphertext pairs, some bits of the key can be calculated. This reduces the complexity of a brute force attack. There is a trade-off between the number of plaintexts, the number of key bits recovered and the probability of success. With 2^52 plaintexts, 24 key bits can be recovered 53% of the time.
3.4.3.2 Brute Force Attacks
DES only uses a 56-bit key; this gives 7.2*10^16 possible combinations. In the 1970s this was adequate to make brute force infeasible, but computers are now fast enough that this is no longer true. To highlight this fact RSA Security created a series of contests called the DES Challenges. The first one was in 1997 and was solved in 96 days by the DESCHALL Project, a distributed computing project designed to crack DES. DES Challenge II-1 was solved in 41 days in 1998 by distributed.net, a worldwide distributed computing project that uses the idle time of lots of machines to solve large, computationally intensive problems. DES Challenge II-2 was solved in just 56 hours using Deep Crack, a custom-built machine made by the Electronic Frontier Foundation. DES Challenge III was solved as a joint effort between Deep Crack and distributed.net in 22 hours and 15 minutes [29]. Additionally, in 2006 the universities of Bochum and Kiel developed COPACOBANA, which retrieves DES keys in an average of 7.2 days and can test all keys in 14.4 days [28]. The aim was to get the best cost-to-performance ratio, so it is built entirely from off-the-shelf components. It uses 120 FPGAs (Xilinx Spartan3-1000) and can be built for less than $10,000 [18].
Clearly DES does not provide adequate security against brute force attacks by modern computers and DES is no longer considered secure. In order to increase the security against brute force attacks without having to change to a completely different algorithm, a variant of DES was developed called Triple DES, which is discussed in section 3.5. In 1997 NIST announced the development of a new standard. It was published in 2002 and is called the Advanced Encryption Standard; it is discussed in section 3.6.
3.4.3.3 Conclusion
Even though they have a lower theoretical complexity than a brute force attack, the three attacks discussed in section 3.4.3.1 all require a large number of known plaintexts. Linear cryptanalysis requires 2^43, differential cryptanalysis requires 2^47, and the Davies attack requires 2^52 just to retrieve 24 key bits 53% of the time. These numbers of plaintexts are not realistic for a real attacker. However, in the strictest sense the algorithm can be described as being broken. Also, the relatively small size of the key compared to the availability of modern processing power enables brute force attacks to be successful in an average of 2 weeks. DES can therefore no longer be considered secure.