The DES (Data Encryption Standard) algorithm is the most widely used encryption algorithm in the world. For many years, and among many people, "secret code making" and DES have been synonymous. And despite the recent coup by the Electronic Frontier Foundation in creating a $220,000 machine to crack DES-encrypted messages, DES will live on in government and banking for years to come through a life- extending version called "triple-DES." How does DES work? This article explains the various steps involved in DES-encryption, illustrating each step by means of a simple example. Since the creation of DES, many other algorithms (recipes for changing data) have emerged which are based on design principles similar to DES. Once you understand the basic transformations that take place in DES, you will find it easy to follow the steps involved in these more recent algorithms. But first a bit of history of how DES came about is appropriate, as well as a look toward the future.
## The National Bureau of Standards Coaxes the Genie from the BottleOn May 15, 1973, during the reign of Richard Nixon, the National Bureau of Standards (NBS) published a notice in the Federal Register soliciting proposals for cryptographic algorithms to protect data during transmission and storage. The notice explained why encryption was an important issue.
NBS waited for the responses to come in. It received none until August 6, 1974, three days before Nixon's resignation, when IBM submitted a candidate that it had developed internally under the name LUCIFER. After evaluating the algorithm with the help of the National Security Agency (NSA), the NBS adopted a modification of the LUCIFER algorithm as the new Data Encryption Standard (DES) on July 15, 1977.
DES was quickly adopted for non-digital media, such as
voice-grade public telephone lines. Within a couple of
years, for example, International Flavors and Fragrances was
using DES to protect its valuable formulas transmitted over
the phone ("With Data Encryption, Scents Are Safe at IFF,"
Meanwhile, the banking industry, which is the largest user of encryption outside government, adopted DES as a wholesale banking standard. Standards for the wholesale banking industry are set by the American National Standards Institute (ANSI). ANSI X3.92, adopted in 1980, specified the use of the DES algorithm.
## Some Preliminary Examples of DESDES works on bits, or binary numbers--the 0s and 1s common to digital computers. Each group of four bits makes up a hexadecimal, or base 16, number. Binary "0001" is equal to the hexadecimal number "1", binary "1000" is equal to the hexadecimal number "8", "1001" is equal to the hexadecimal number "9", "1010" is equal to the hexadecimal number "A", and "1111" is equal to the hexadecimal number "F".
DES works by encrypting groups of 64 message bits,
which is the same as 16 hexadecimal numbers. To do the
encryption, DES uses "keys" where are also For example, if we take the plaintext message "8787878787878787", and encrypt it with the DES key "0E329232EA6D0D73", we end up with the ciphertext "0000000000000000". If the ciphertext is decrypted with the same secret DES key "0E329232EA6D0D73", the result is the original plaintext "8787878787878787". This example is neat and orderly because our plaintext was exactly 64 bits long. The same would be true if the plaintext happened to be a multiple of 64 bits. But most messages will not fall into this category. They will not be an exact multiple of 64 bits (that is, an exact multiple of 16 hexadecimal numbers). For example, take the message "Your lips are smoother than vaseline". This plaintext message is 38 bytes (76 hexadecimal digits) long. So this message must be padded with some extra bytes at the tail end for the encryption. Once the encrypted message has been decrypted, these extra bytes are thrown away. There are, of course, different padding schemes--different ways to add extra bytes. Here we will just add 0s at the end, so that the total message is a multiple of 8 bytes (or 16 hexadecimal digits, or 64 bits). The plaintext message "Your lips are smoother than vaseline" is, in hexadecimal, "596F7572206C6970 732061726520736D 6F6F746865722074 68616E2076617365 6C696E650D0A". (Note here that the first 72 hexadecimal digits represent the English message, while "0D" is hexadecimal for Carriage Return, and "0A" is hexadecimal for Line Feed, showing that the message file has terminated.) We then pad this message with some 0s on the end, to get a total of 80 hexadecimal digits: "596F7572206C6970 732061726520736D 6F6F746865722074 68616E2076617365 6C696E650D0A0000". If we then encrypt this plaintext message 64 bits (16 hexadecimal digits) at a time, using the same DES key "0E329232EA6D0D73" as before, we get the ciphertext: "C0999FDDE378D7ED 727DA00BCA5A84EE 47F269A4D6438190 D52F78F5358499 828AC9B453E0E653". This is the secret code that can be transmitted or stored. Decrypting the ciphertext restores the original message "Your lips are smoother than vaseline". (Think how much better off Bill Clinton would be today, if Monica Lewinsky had used encryption on her Pentagon computer!)
## How DES Works in Detail
DES is a
among the 2^64 (read this as: "2 to the 64th power") possible arrangements of 64 bits, each of
which may be either 0 or 1. Each block of 64 bits is divided
into two blocks of 32 bits each, a left half block permutationL and a
right half R. (This division is only used in certain
operations.)
The first bit of
DES operates on the 64-bit blocks using
The DES algorithm uses the following steps:
## Step 1: Create 16 subkeys, each of which is 48-bits long.
The 64-bit key is permuted according to the following
table,
we get the 56-bit permutation
Next, split this key into left and right halves, , where each half has 28 bits.
D_{0}
= 0101010 1011001 1001111 0001111
D_{0}
With defined, we now create sixteen blocks D_{0}
and C_{n}, 1<=D_{n}<=16. Each pair of blocks n and C_{n} is formed
from the previous pair D_{n} and C_{n-1}, respectively, for D_{n-1} =
1, 2, ..., 16, using the following schedule of "left shifts"
of the previous block. To do a left shift, move each bit
one place to the left, except for the first bit, which is
cycled to the end of the block.
n
Iteration Number of Number Left Shifts 1 1 2 1 3 2 4 2 5 2 6 2 7 2 8 2 9 1 10 2 11 2 12 2 13 2 14 2 15 2 16 1
This means, for example, are obtained from D_{3} and
C_{2}, respectively, by two left shifts, and D_{2} and C_{16} are
obtained from D_{16} and C_{15}, respectively, by one left shift.
In all cases, by a single left shift is meant a rotation of
the bits one place to the left, so that after one left shift
the bits in the 28 positions are the bits that were
previously in positions 2, 3,..., 28, 1.
D_{15}
we obtain:
D_{0}
= 0101010101100110011110001111
D_{0}
= 1010101011001100111100011110
D_{1}
= 0101010110011001111000111101
D_{2}
= 0101011001100111100011110101
D_{3}
= 0101100110011110001111010101
D_{4}
= 0110011001111000111101010101
D_{5}
= 1001100111100011110101010101
D_{6}
= 0110011110001111010101010110
D_{7}
= 1001111000111101010101011001
D_{8}
= 0011110001111010101010110011
D_{9}
= 1111000111101010101011001100
D_{10}
= 1100011110101010101100110011
D_{11}
= 0001111010101010110011001111
D_{12}
= 0111101010101011001100111100
D_{13}
= 1110101010101100110011110001
D_{14}
= 1010101010110011001111000111
D_{15}
= 0101010101100110011110001111
D_{16}
We now form the keys <=16, by applying the
following permutation table to each of the concatenated
pairs n. Each pair has 56 bits, but C_{n}D_{n}PC-2 only uses 48 of
these.
Therefore, the first bit of , the
second bit the 17th, and so on, ending with the 48th bit of
C_{n}D_{n} being the 32th bit of K_{n}.
C_{n}D_{n}
which, after we apply the permutation
For the other keys we have
= 010101 011111 110010 001010 010000 101100 111110 011001K_{3} = 011100 101010 110111 010110 110110 110011 010100 011101K_{4} = 011111 001110 110000 000111 111010 110101 001110 101000K_{5} = 011000 111010 010100 111110 010100 000111 101100 101111K_{6} = 111011 001000 010010 110111 111101 100001 100010 111100K_{7} = 111101 111000 101000 111010 110000 010011 101111 111011K_{8} = 111000 001101 101111 101011 111011 011110 011110 000001K_{9} = 101100 011111 001101 000111 101110 100100 011001 001111K_{10} = 001000 010101 111111 010011 110111 101101 001110 000110K_{11} = 011101 010111 000111 110101 100101 000110 011111 101001K_{12} = 100101 111100 010111 010001 111110 101011 101001 000001K_{13} = 010111 110100 001110 110111 111100 101110 011100 111010K_{14} = 101111 111001 000110 001101 001111 010011 111100 001010K_{15} = 110010 110011 110110 001011 000011 100001 011111 110101K_{16}So much for the subkeys. Now we look at the message itself.
## Step 2: Encode each 64-bit block of data.
There is an
Here the 58th bit of
Next divide the permuted block of 32 bits.
R_{0}
R_{0}
= 1111 0000 1010 1010 1111 0000 1010 1010
R_{0}
We now proceed through 16 iterations, for 1<= which operates on two blocks--a data block of
32 bits and a key f of 48 bits--to produce a block of 32
bits. K_{n}Let + denote XOR addition, (bit-by-bit addition
modulo 2). Then for n going from 1 to 16 we calculate
This results in a final block, for . That
is, in each iteration, we take the right 32 bits of the
previous result and make them the left 32 bits of the
current step. For the right 32 bits in the current step, we
XOR the left 32 bits of the previous step with the
calculation L_{16}R_{16} .
f
= L_{1} = 1111 0000 1010 1010 1111 0000 1010 1010 R_{0} = R_{1} + L_{0}(f,R_{0})
K_{1}
It remains to explain how the function , we first expand each block f from 32 bits to
48 bits. This is done by using a selection table that
repeats some of the bits in R_{n-1} . We'll call the use of
this selection table the function R_{n-1}E. Thus E() has a 32
bit input block, and a 48 bit output block.
R_{n-1}
Let
Thus the first three bits of while the last 2 bits of R_{n-1}E() are the bits in positions 32 and 1.
R_{n-1}
as follows:
R_{0}
E() = 011110 100001 010101 010101 011110 100001 010101 010101
R_{0}(Note that each block of 4 original bits has been expanded to a block of 6 output bits.)
Next in the E() with the key R_{n-1}:
K_{n} + K_{n}E().
R_{n-1}
E(), we have
R_{0}
E() = 011110 100001 010101 010101 011110 100001 010101 010101 R_{0}+K_{1}E() = 011000 010001 011110 111010 100001 100110 010100 100111.
R_{0}
We have not yet finished calculating the function from 32 bits to 48
bits, using the selection table, and XORed the result with
the key R_{n-1} . We now have 48 bits, or eight groups of six
bits. We now do something strange with each group of six
bits: we use them as addresses in tables called "K_{n}S boxes".
Each group of six bits will give us an address in a
different S box. Located at that address will be a 4 bit
number. This 4 bit number will replace the original 6 bits.
The net result is that the eight groups of 6 bits are
transformed into eight groups of 4 bits (the 4-bit outputs
from the S boxes) for 32 bits total.
Write the previous result, which is 48 bits, in the form: + K_{n}E() =R_{n-1},
B_{1}B_{2}B_{3}B_{4}B_{5}B_{6}B_{7}B_{8}
where each S_{1}(B_{1})S_{2}(B_{2})S_{3}(B_{3})S_{4}(B_{4})S_{5}(B_{5})S_{6}(B_{6})S_{7}(B_{7})S_{8}(B_{8})
where -th iS
box.
To repeat, each of the functions is shown and explained below:
S_{1}
If is a block
of 6 bits, then B is determined as follows: The first
and last bits of S_{1}(B) represent in base 2 a number in the
decimal range 0 to 3 (or binary 00 to 11). Let that number
be B. The middle 4 bits of i represent in base 2 a number
in the decimal range 0 to 15 (binary 0000 to 1111). Let
that number be B. Look up in the table the number in the j-th row and i-th column. It is a number in the range 0 to 15
and is uniquely represented by a 4 bit block. That block is
the output j of S_{1}(B) for the input S_{1}. For example, for
input block B = 011011 the first bit is "0" and the last bit
"1" giving 01 as the row. This is row 1. The middle four
bits are "1101". This is the binary equivalent of decimal
13, so the column is column number 13. In row 1, column 13
appears 5. This determines the output; 5 is binary 0101, so
that the output is 0101. Hence B(011011) = 0101.
S_{1}
The tables defining the functions
E() = 011000 010001 011110 111010 100001 100110 010100 100111.
R_{0}
The final stage in the calculation of P of the S-box output to obtain the final value
of :
f = fP()
S_{1}(B_{1})S_{2}(B_{2})...S_{8}(B_{8})
The permutation
= 0101 1100 1000 0010 1011 0101 1001 0111
_{1}(B_{1})S_{2}(B_{2})S_{3}(B_{3})S_{4}(B_{4})S_{5}(B_{5})S_{6}(B_{6})S_{7}(B_{7})S_{8}(B_{8})we get = 0010 0011 0100 1010 1010 1001 1011 1011
f
+ L_{0}(f , R_{0} )K_{1}= 1100 1100 0000 0000 1100 1100 1111 1111
In the next round, we will have , which is the
block we just calculated, and then we must calculate R_{1} =R_{2}, and so on for 16 rounds. At the end of the
sixteenth round we have the blocks L_{1} + f(R_{1}, K_{2}) and L_{16}. We then
R_{16} the order of the two blocks into the 64-bit block
reverseR_{16}L_{16}
and apply a final permutation
That is, the output of the algorithm has bit 40 of the preoutput block as its first bit, bit 8 as its second bit, and so on, until bit 25 of the preoutput block is the last bit of the output.
= 0000 1010 0100 1100 1101 1001 1001 0101
R_{16}We reverse the order of these two blocks and apply the final permutation to
which in hexadecimal format is 85E813540F0AB405.
This is the encrypted form of Decryption is simply the inverse of encryption, follwing the same steps as above, but reversing the order in which the subkeys are applied.
## DES Modes of Operation
The DES algorithm turns a 64-bit message block (CBC) and
Chain Block Coding (CFB), which make each cipher block
dependent on all the previous messages blocks through an
initial XOR operation.
Cipher Feedback
## Cracking DESBefore DES was adopted as a national standard, during the period NBS was soliciting comments on the proposed algorithm, the creators of public key cryptography, Martin Hellman and Whitfield Diffie, registered some objections to the use of DES as an encryption algorithm. Hellman wrote: "Whit Diffie and I have become concerned that the proposed data encryption standard, while probably secure against commercial assault, may be extremely vulnerable to attack by an intelligence organization" (letter to NBS, October 22, 1975). Diffie and Hellman then outlined a "brute force" attack on DES. (By "brute force" is meant that you try as many of the 2^56 possible keys as you have to before decrypting the ciphertext into a sensible plaintext message.) They proposed a special purpose "parallel computer using one million chips to try one million keys each" per second, and estimated the cost of such a machine at $20 million. Fast forward to 1998. Under the direction of John Gilmore of the EFF, a team spent $220,000 and built a machine that can go through the entire 56-bit DES key space in an average of 4.5 days. On July 17, 1998, they announced they had cracked a 56-bit key in 56 hours. The computer, called Deep Crack, uses 27 boards each containing 64 chips, and is capable of testing 90 billion keys a second. Despite this, as recently as June 8, 1998, Robert Litt, principal associate deputy attorney general at the Department of Justice, denied it was possible for the FBI to crack DES: "Let me put the technical problem in context: It took 14,000 Pentium computers working for four months to decrypt a single message . . . . We are not just talking FBI and NSA [needing massive computing power], we are talking about every police department."
Responded cryptograpy expert Bruce Schneier: " . . .
the FBI is either incompetent or lying, or both." Schneier
went on to say: "The only solution here is to pick an
algorithm with a longer key; there isn't enough silicon in
the galaxy or enough time before the sun burns out to brute-
force triple-DES" (
## Triple-DESTriple-DES is just DES with two 56-bit keys applied. Given a plaintext message, the first key is used to DES- encrypt the message. The second key is used to DES-decrypt the encrypted message. (Since the second key is not the right key, this decryption just scrambles the data further.) The twice-scrambled message is then encrypted again with the first key to yield the final ciphertext. This three-step procedure is called triple-DES. Triple-DES is just DES done three times with two keys used in a particular order. (Triple-DES can also be done with three separate keys instead of only two. In either case the resultant key space is about 2^112.)
General References
"Cryptographic Algorithms for Protection of Computer Data
During Transmission and Dormant Storage,"
Carl H. Meyer and Stephen M. Matyas,
Dorthy Elizabeth Robling Denning,
D.W. Davies and W.L. Price,
Miles E. Smid and Dennis K. Branstad, "The Data Encryption
Standard: Past and Future," in Gustavus J. Simmons, ed.,
Douglas R. Stinson,
Bruce Schneier,
Alfred J. Menezes, Paul C. van Oorschot, and Scott A.
Vanstone,
This article appeared in Laissez Faire City Times, Vol 2, No. 28.
Homepage: http://www.aci.net/kalliste/ |