MFT Resource Center

DES

The Data Encryption Standard (DES), published in 1977, has all but disappeared from the world of data security. For years it was replaced by Triple DES (3DES), which applies the DES algorithm three times under two or three keys, but today even 3DES is considered out of date and is being replaced by the widely used Advanced Encryption Standard (AES). Learning how DES works is still useful for understanding the block ciphers that came after it, including AES.

Overview

DES is a symmetric-key block cipher used to encrypt electronic data. Its key is written as 64 bits, but only 56 of them are secret; the remaining 8 are parity bits. A 56-bit effective key is far too short to protect most modern applications that rely on encryption.

How DES Encrypts Data

DES is a block cipher: it transforms a fixed-length 64-bit block of plaintext into a 64-bit block of ciphertext under a key. The key is also written as 64 bits, but the algorithm uses only 56 of them. The other 8 (the least significant bit of each key byte) are odd-parity check bits that the key schedule discards, so two keys that differ only in their parity bits produce identical ciphertext.

The block is first passed through an initial permutation (IP) and split into two 32-bit halves, L and R. Over the course of 16 rounds the halves are processed in a criss-cross fashion known as a Feistel network: in each round the right half becomes the new left half, and the new right half is the old left half XORed with the output of a round function applied to the right half and a 48-bit round key. Because XOR undoes itself, running the same procedure with the round keys in reverse order decrypts the block, which is why DES needs no separate decryption algorithm. (DES is symmetric in the usual sense as well: the same secret key is used for both directions.)

The round function (F-function) takes place over four main steps:

  1. Expansion (E) first takes place, where the 32-bit right half is expanded to 48 bits by duplicating 16 of its bits. The output is eight 6-bit pieces, each consisting of four consecutive input bits plus copies of the bit on either side of them. This is distinct from the initial permutation (IP), which is applied once to the whole 64-bit block before the first round.
  2. Key mixing takes place: the 48-bit expanded half is XORed with that round's 48-bit round key. The 16 round keys are produced by the "key schedule," which drops the 8 parity bits, rotates the two 28-bit halves of the remaining 56-bit key by one or two positions each round, and selects 48 bits from the result.
  3. Substitution occurs. This step is at the heart of DES security, because it is the only non-linear operation in the cipher. The 48-bit result is divided into eight 6-bit pieces, each of which is fed to its own substitution box (S-box). Each S-box is a fixed lookup table that maps its 6-bit input to a 4-bit output, giving 32 bits in total.
  4. Permutation (P) occurs when the 32 S-box output bits are rearranged according to a fixed permutation (the P-box). This spreads each S-box's output across four different S-boxes in the next round. The final permutation (FP) is a different operation, applied once to the whole 64-bit block after the last round.

The initial permutation (IP) and the final permutation (FP) are inverses of each other: FP undoes IP exactly, and neither adds any security (they are a leftover of 1970s hardware design). The actual cryptographic work happens in steps 2 and 3: key mixing is where the secret enters each round, and the S-boxes supply the non-linearity that makes the cipher hard to analyse.

While the DES encryption process may seem rudimentary by today's standards, the "confusion and diffusion" created by the substitution (S-box) and permutation (P-box) steps was central to early cipher security, and the same design principle underlies modern block ciphers.

DES decryption runs exactly the same algorithm as encryption, with the 16 round keys applied in reverse order (round key 16 first, round key 1 last).

DES Vulnerabilities

By the early 2000s, DES encryption was considered outdated; NIST formally withdrew the standard in 2005. Much has been published about the various ways the algorithm can be compromised, and studying DES weaknesses offers a simplified look at how modern algorithms have evolved to address them.

Brute force (exhaustive key search) is the most straightforward attack on DES: try every possible key until one turns a known ciphertext back into recognisable plaintext, then use that key to read everything else. The cost is set by the key size, not the block size: 56 secret key bits give 2^56 (about 7.2 × 10^16) candidate keys, and the 64-bit block plays no part in the count. That key space was already exhaustible in 1998, when the Electronic Frontier Foundation's purpose-built "Deep Crack" machine recovered a DES key in about 56 hours, and rentable FPGA or GPU clusters can do the same today in roughly a day.

As computers have become more powerful, exhaustive search has only become cheaper, so DES is no longer a viable option for data security. Academic cryptanalysis also exists: differential cryptanalysis (Biham and Shamir) and linear cryptanalysis (Matsui) recover a DES key with fewer operations than brute force, but they require enormous amounts of chosen or known plaintext (on the order of 2^47 and 2^43 blocks respectively), so in practice the short key remains the decisive weakness.

DES vs. AES

The US National Institute of Standards and Technology (NIST) published AES in 2001 (FIPS 197) to replace DES. AES is an all-around better solution for encrypting data, whether it is stored locally or transmitted across networks: it is faster in software and hardware and far more secure.

Both DES and AES are symmetric block ciphers, but their internal structures differ.

The main structural difference is that AES is a substitution-permutation network that transforms the entire 128-bit block in every round, whereas DES is a Feistel network that splits each 64-bit plaintext block into two halves and transforms only one half per round.

While DES is limited to a 56-bit key, AES uses a 128-, 192-, or 256-bit key. Each additional key bit doubles the number of keys an attacker must try, so even the smallest AES key space is 2^72 times larger than that of DES, far beyond the reach of exhaustive search on any foreseeable hardware, supercomputers included.

DES and Legacy Products and Services

While AES is considered the gold standard for data security, the reality is that a good number of companies continue to rely on legacy products that use DES, for example older file-transfer clients, hardware tokens and mainframe interfaces. The expense and hassle of upgrading to newer, more secure applications can be especially prohibitive for smaller companies.

In these cases, IT departments can reduce, but not eliminate, the risk inherent to DES with compensating controls around the legacy system: keeping DES-protected traffic off untrusted networks, wrapping it in a TLS or VPN tunnel that itself uses AES, rotating DES keys frequently so that a recovered key exposes less data, and treating every such system as a migration item with a deadline rather than a permanent exception.