DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key size being too small; in January, 1999, distributed.net and the Electronic Frontier Foundation collaborated to publicly break a DES key in 22 hours and 15 minutes (see chronology). There are also some analytical results which demonstrate theoretical weaknesses in the cipher, although they are unfeasible to mount in practice. The algorithm is believed to be practically secure in the form of Triple DES, although there are theoretical attacks. In recent years, the cipher has been superseded by the Advanced Encryption Standard (AES).
In some documentation, a distinction is made between DES as a standard and DES the algorithm which is referred to as the DEA (the Data Encryption Algorithm). When spoken, "DES" is either spelled out as an abbreviation or pronounced as a single syllable acronym.
Some of the suspicions about hidden weaknesses in the S-boxes were allayed in 1990, with the independent discovery and open publication by Eli Biham and Adi Shamir of differential cryptanalysis, a general method for breaking block ciphers. The S-boxes of DES were much more resistant to the attack than if they had been chosen at random, strongly suggesting that IBM knew about the technique back in the 1970s. This was indeed the case — in 1994, Don Coppersmith published the original design criteria for the S-boxes. According to Steven Levy, IBM Watson researchers discovered differential cryptanalytic attacks in 1974 and were asked by the NSA to keep the technique secret. Coppersmith explains IBM's secrecy decision by saying, "that was because [differential cryptanalysis] can be a very powerful tool, used against many schemes, and there was concern that such information in the public domain could adversely affect national security." Levy quotes Walter Tuchman: "[t]hey asked us to stamp all our documents confidential... We actually put a number on each one and locked them up in safes, because they were considered U.S. government classified. They said do it. So I did it". Shamir himself commented, "I would say that, contrary to what some people believe, there is no evidence of tampering with the DES so that the basic design was weakened."
The other criticism — that the key length was too short — was supported by the fact that the reason given by the NSA for reducing the key length from 64 bits to 56 was that the other 8 bits could serve as parity bits, which seemed somewhat specious. It was widely believed that NSA's decision was motivated by the possibility that they would be able to brute force attack a 56 bit key several years before the rest of the world would.
Despite the criticisms, DES was approved as a federal standard in November 1976, and published on 15 January 1977 as FIPS PUB 46, authorized for use on all unclassified data. It was subsequently reaffirmed as the standard in 1983, 1988 (revised as FIPS-46-1), 1993 (FIPS-46-2), and again in 1999 (FIPS-46-3), the latter prescribing "Triple DES" (see below). On 26 May 2002, DES was finally superseded by AES, the Advanced Encryption Standard, following a public competition (see AES process). On 19 May 2005, FIPS 46-3 was officially withdrawn, but NIST has approved Triple DES through the year 2030 for sensitive government information.
Another theoretical attack, linear cryptanalysis, was published in 1994, but it was a brute force attack in 1998 that demonstrated that DES could be attacked very practically, and highlighted the need for a replacement algorithm. These and other methods of cryptanalysis are discussed in more detail later in the article.
The introduction of DES is considered to have been a catalyst for the academic study of cryptography, particularly of methods to crack block ciphers. According to a NIST retrospective about DES,
|15 May||1973||NBS publishes a first request for a standard encryption algorithm|
|27 August||1974||NBS publishes a second request for encryption algorithms|
|17 March||1975||DES is published in the Federal Register for comment|
|August||1976||First workshop on DES|
|September||1976||Second workshop, discussing mathematical foundation of DES|
|November||1976||DES is approved as a standard|
|15 January||1977||DES is published as a FIPS standard FIPS PUB 46|
|1983||DES is reaffirmed for the first time|
|1986||Videocipher II, a TV satellite scrambling system based upon DES begins use by HBO|
|22 January||1988||DES is reaffirmed for the second time as FIPS 46-1, superseding FIPS PUB 46|
|July||1990||Biham and Shamir rediscover differential cryptanalysis, and apply it to a 15-round DES-like cryptosystem.|
|1992||Biham and Shamir report the first theoretical attack with less complexity than brute force: differential cryptanalysis. However, it requires an unrealistic 247 chosen plaintexts.|
|30 December||1993||DES is reaffirmed for the third time as FIPS 46-2|
|1994||The first experimental cryptanalysis of DES is performed using linear cryptanalysis (Matsui, 1994).|
|June||1997||The DESCHALL Project breaks a message encrypted with DES for the first time in public.|
|July||1998||The EFF's DES cracker (Deep Crack) breaks a DES key in 56 hours.|
|January||1999||Together, Deep Crack and distributed.net break a DES key in 22 hours and 15 minutes.|
|25 October||1999||DES is reaffirmed for the fourth time as FIPS 46-3, which specifies the preferred use of Triple DES, with single DES permitted only in legacy systems.|
|26 November||2001||The Advanced Encryption Standard is published in FIPS 197|
|26 May||2002||The AES standard becomes effective|
|26 July||2004||The withdrawal of FIPS 46-3 (and a couple of related standards) is proposed in the Federal Register|
|19 May||2005||NIST withdraws FIPS 46-3 (see Federal Register vol 70, number 96)|
|15 March||2007||The FPGA based parallel machine COPACOBANA of the University of Bochum and Kiel, Germany, breaks DES in 6.4 days at $10,000 hardware cost|
DES itself can be adapted and reused in a more secure scheme. Many former DES users now use Triple DES (TDES) which was described and analysed by one of DES's patentees (see FIPS Pub 46-3); it involves applying DES three times with two (2TDES) or three (3TDES) different keys. TDES is regarded as adequately secure, although it is quite slow. A less computationally expensive alternative is DES-X, which increases the key size by XORing extra key material before and after DES. GDES was a DES variant proposed as a way to speed up encryption, but it was shown to be susceptible to differential cryptanalysis.
In 2001, after an international competition, NIST selected a new cipher, the Advanced Encryption Standard (AES), as a replacement. The algorithm which was selected as the AES was submitted by its designers under the name Rijndael. Other finalists in the NIST AES competition included RC6, Serpent, MARS and Twofish.
Like other block ciphers, DES by itself is not a secure means of encryption but must instead be used in a mode of operation. FIPS-81 specifies several modes for use with DES. Further comments on the usage of DES are contained in FIPS-74.
Before the main rounds, the block is divided into two 32-bit halves and processed alternately; this criss-crossing is known as the Feistel scheme. The Feistel structure ensures that decryption and encryption are very similar processes — the only difference is that the subkeys are applied in the reverse order when decrypting. The rest of the algorithm is identical. This greatly simplifies implementation, particularly in hardware, as there is no need for separate encryption and decryption algorithms.
The red ⊕ symbol denotes the exclusive-OR (XOR) operation. The F-function scrambles half a block together with some of the key. The output from the F-function is then combined with the other half of the block, and the halves are swapped before the next round. After the final round, the halves are not swapped; this is a feature of the Feistel structure which makes encryption and decryption similar processes.
The alternation of substitution from the S-boxes, and permutation of bits from the P-box and E-expansion provides so-called "confusion and diffusion" respectively, a concept identified by Claude Shannon in the 1940s as a necessary condition for a secure yet practical cipher.
Figure 3 illustrates the key schedule for encryption — the algorithm which generates the subkeys. Initially, 56 bits of the key are selected from the initial 64 by Permuted Choice 1 (PC-1) — the remaining eight bits are either discarded or used as parity check bits. The 56 bits are then divided into two 28-bit halves; each half is thereafter treated separately. In successive rounds, both halves are rotated left by one or two bits (specified for each round), and then 48 subkey bits are selected by Permuted Choice 2 (PC-2) — 24 bits from the left half, and 24 from the right. The rotations (denoted by "<<<" in the diagram) mean that a different set of bits is used in each subkey; each bit is used in approximately 14 out of the 16 subkeys.
The key schedule for decryption is similar — the subkeys are in reverse order compared to encryption. Apart from that change, the process is the same as for encryption.
In academia, various proposals for a DES-cracking machine were advanced. In 1977, Diffie and Hellman proposed a machine costing an estimated US$20 million which could find a DES key in a single day. By 1993, Wiener had proposed a key-search machine costing US$1 million which would find a key within 7 hours. However, none of these early proposals were ever implemented—or, at least, no implementations were publicly acknowledged. The vulnerability of DES was practically demonstrated in the late 1990s. In 1997, RSA Security sponsored a series of contests, offering a $10,000 prize to the first team that broke a message encrypted with DES for the contest. That contest was won by the DESCHALL Project, led by Rocke Verser, Matt Curtin, and Justin Dolske, using idle cycles of thousands of computers across the Internet. The feasibility of cracking DES quickly was demonstrated in 1998 when a custom DES-cracker was built by the Electronic Frontier Foundation (EFF), a cyberspace civil rights group, at the cost of approximately US$250,000 (see EFF DES cracker). Their motivation was to show that DES was breakable in practice as well as in theory: "There are many people who will not believe a truth until they can see it with their own eyes. Showing them a physical machine that can crack DES in a few days is the only way to convince some people that they really cannot trust their security to DES." The machine brute-forced a key in a little more than 2 days' search; at about the same time at least one attorney from the US Justice Department was announcing that DES was unbreakable.
The only other confirmed DES cracker was the COPACOBANA machine (abbreviation of cost-optimized parallel code breaker) built more recently by teams of the Universities of Bochum and Kiel, both in Germany. Unlike the EFF machine, COPACOBANA consist of commercially available, reconfigurable integrated circuits. 120 of these FPGAs of type XILINX Spartan3-1000 run in parallel. They are grouped in 20 DIMM modules, each containing 6 FPGAs. The use of reconfigurable hardware makes the machine applicable to other code breaking tasks as well. The figure shows a full-sized COPACOBANA. One of the more interesting aspects of COPACOBANA is its cost factor. One machine can be built for approximately $10,000. The cost decrease by roughly a factor of 25 over the EFF machine is an impressive example for the continuous improvement of digital hardware. Adjusting for inflation over 8 years yields an even higher improvement of about 30x. Interestingly Moore's law predicts an improvement of about 32, since about 8 years have passed between the design of the two machines, which allows for about five doublings of computer power (or 5 reductions by 50% of the cost for doing the same computation).
There have also been attacks proposed against reduced-round versions of the cipher, i.e. versions of DES with fewer than sixteen rounds. Such analysis gives an insight into how many rounds are needed for safety, and how much of a "security margin" the full version retains. Differential-linear cryptanalysis was proposed by Langford and Hellman in 1994, and combines differential and linear cryptanalysis into a single attack. An enhanced version of the attack can break 9-round DES with 215.8 known plaintexts and has a 229.2 time complexity (Biham et al, 2002).
DES has also been proved not to be a group, or more precisely, the set (for all possible keys ) under functional composition is not a group, nor "close" to being a group (Campbell and Wiener, 1992). This was an open question for some time, and if it had been the case, it would have been possible to break DES, and multiple encryption modes such as Triple DES would not increase the security.
It is known that the maximum cryptographic security of DES is limited to about 64 bits, even when independently choosing all round subkeys instead of deriving them from a key, which would otherwise permit a security of 768 bits.
Wipo Publishes Patent of Wincor Nixdorf International, Volker Krummel, Bernd Redecker and Michael Nolte for "Device for Handling Paper Money And/ or Coins and Method for Initializing and Operating Such a Device" (German Inventors)
May 03, 2013; GENEVA, May 3 -- Publication No. WO/2013/060789 was published on May 2.Title of the invention: "DEVICE FOR HANDLING PAPER MONEY...
US Patent Issued to Nice-Systems on Sept. 3 for "Method and System for Secure Data Collection and Distribution" (Israeli Inventors)
Sep 03, 2013; ALEXANDRIA, Va., Sept. 3 -- United States Patent no. 8,526,620, issued on Sept. 3, was assigned to Nice-Systems Ltd. (Ra'anana,...
US Patent Issued to EMC on Aug. 30 for "Techniques for Protecting Data Using an Electronic Encryption Endpoint Device" (Massachusetts Inventors)
Sep 01, 2011; ALEXANDRIA, Va., Sept. 1 -- United States Patent no. 8,010,810, issued on Aug. 30, was assigned to EMC Corp. (Hopkinton, Mass...
US Patent Issued to Oracle International on July 10 for "Method and Apparatus for Generating Random Data-Encryption Keys" (California Inventors)
Jul 12, 2012; ALEXANDRIA, Va., July 12 -- United States Patent no. 8,218,761, issued on July 10, was assigned to Oracle International Corp....
US Patent Issued to STMicroelectronics on Dec. 11 for "Message Transmission Method, Preferably for an Energy Distribution Network" (Italian Inventor)
Dec 13, 2012; ALEXANDRIA, Va., Dec. 13 -- United States Patent no. 8,331,565, issued on Dec. 11, was assigned to STMicroelectronics S.r.l....