11.3.1 The Data Encryption Standard: DES

Submitted by admin on Thu, 2007-11-15 09:42

11.3.1  The Data Encryption Standard: DES

   The Data Encryption Standard (DES) was used as the encryption standard by the National Bureau of Standards from 1977 to 2001. DES works on a block of 64 input plaintext bits and converts it after a series of steps into a 64-bit ciphertext. The key size is 56 bits. If the plaintext data size is more than 64 bits, it has to be broken into blocks of size 64 bits each. That is why, it and similar algorithms are also called block ciphers. The last block may have to be padded with some known, but redundant bits so that it is 64 bits long as well. The decryption process uses the same key, and the same steps as the encryption process, but in the reverse order.

DES was criticized right from the time of adoption. There were two main reasons why DES was subjected to relentless criticism during its tenure.

    The key size for DES is 56 bits. A lot of practitioners and researchers in cryptography thought that 56 bits is too short for providing adequate security for sensitive data. Such individuals thought that DES could be broken by trying all possibilities for the key, i.e., by brute-force cryptanalysis. Such fears were confirmed in the 1990s. One such attempt that succeeded was carried out co-operatively on the Internet by many thousands of individuals.

    DES performs a large number of bit operations repeatedly on the input data. A repetition, called a round, involves performing computations such as permutations of bits, XORs of the intermediate data bits with bits of the key, and table-based bit transformation. The tables take a few input bits and produce a few output bits. The input bits are used to address a particular column and a particular row of the table to obtain the output. The output bits reside in the addressed cell of the table. The tables play a very crucial role in making a conventional cryptographic algorithm secure.

After DES was designed, the design was submitted to the National Security Agency (NSA) for approval. Not only the NSA reduced the key size from the proposed 128 bits to 56, it also changed all the eight tables used by DES. Also, the design criteria for the tables were classified. As a result, independent researchers cold not perform experiments to verify the claimed strength of DES. These reasons caused consternation in the cryptographic community, some of who believed that there could be weaknesses in DES that may allow DES to be broken so that ciphertext messages could be deciphered without the benefit of the key.

In spite of the potential problems, DES was widely used from 1977 to 2001, when it ruled as the national standard in the US. In 2001, DES was replaced by a cryptographic algorithm called Rijndael as the Advanced Encryption Standard (AES).

The DES algorithm encrypts in blocks of 64 bits. It also takes a key that is 56 bits in size. The input and the key go through 16 rounds of complex bit-based computation. At the end, comes 64 bits of ciphertext. The computation, though complex, is fairly fast. The following program shows how DES can be used.

 Program 11.7

#!/usr/bin/perl
#des1.pl

use Crypt::DES;
use strict;


print "The block size is " . Crypt::DES->blocksize () . "bytes\n";
print "The key size is " . Crypt::DES->keysize () . "bytes\n";

my $key = pack ("H*", "0123456789ABCDEF");
my $cipher = Crypt::DES -> new ($key);
#Will give error if the input is not exactly 8 bytes long
my $plaintext = "J Kalita";
print "plaintext = $plaintext\n";
my $ciphertext = $cipher -> encrypt ($plaintext);
print unpack ("H*", $ciphertext), "\n";
my $decryptedPlaintext = $cipher->decrypt ($ciphertext);
print "decrypted plaintext = $decryptedPlaintext\n";

 

The program prints the plaintext block size and the key size using the methods blocksize and keysize, respectively. The key is normally kept very securely. Here, its value is given in a line of code. The key is simply given as 0123456789ABCDEF. There are 16 hexadecimal digits in the key. Each hexadecimal digit is 4 bits. Thus, the key size given is 64 bits. Of these 64 bits, 8 bits are used as parity bits, leaving 56 bits for the actual key. The Crypt::DES module gives us an error if the input is not exactly 64 bits or 8 bytes. The plaintext in this case is simply J Kalita. It is 8 characters or 64 bits long.

To be able to encrypt or decrypt, we need to first create a new instance of the class Crypt::DES. This is usually called a cipher. The new method takes the DES key as argument. Encryption is performed by calling the encrypt method with the plaintext as argument to the cipher. Encryption is performed using the DES algorithm. Encryption produces the ciphertext.

In communicating programs, the ciphertext would be transmitted over unsecured communication lines such as the Internet by the sender to the receiver, possibly using a program that uses sockets. In the program under discussion, we do not have two communicating programs since we simply want to illustrate how encryption and decryption work. In two real communicating programs, each would know the key before communicating and keep them securely. The key is generated, transmitted, and stored with utmost security. In the illustration program under discussion, the same key is used for both encryption and decryption. Decryption is performed using the decrypt method.

The program prints several messages with various values just to illustrate how the encryption and decryption processes work. The output of the program is given below.

 

The block size is 8bytes

The key size is 8bytes

plaintext = J Kalita

6b51338ca68d303d

decrypted plaintext = J Kalita

 

We clearly see that the decryption of the encrypted plaintext produces the original plaintext.

As we know by now, DES works on a block of plaintext data. The block size is 64 bits or 8 bytes. If the plaintext data to be encrypted is longer than 8 bytes, we have to break into sequential blocks, each of size 8 bytes. The last block may be smaller than 64 bits, and hence a few additional known bits may have to be appended at the end to make it exactly 64 bits long. This is called padding. Once we have a sequence of plaintext blocks, the basic DES algorithm can encrypt each block individually. The blocks of ciphertext can be concatenated to obtain the whole ciphertext. The concatenation can be performed either at the sender’s end or at the receiver after transmission. Usually, simple encoding of each individual plaintext block and subsequent concatenation of ciphertext blocks is avoided to endow the resulting ciphertext with additional security against cryptanalytic (or, breaking) attempts. There are several
techniques for cryptographic algorithms to work on large data, that have been proposed by researchers and practitioners of cryptography as modes of cipher operation. Among them, the following four are popular.

1.  Electronic Codebook (ECB) mode

2.  Cipher Block Chaining (CBC) mode

3.  Cipher Feedback (CFB) mode

4.  Output Feedback (OFB) mode

We discuss the first two only. There are Perl modules for them. These work with DES and other conventional cryptographic algorithms.