
Re-examining the Data Encryption Standard


Computers & Security, 11 (1992) 703-706

Belden Menkus
Post Office Box 129, Hillsboro TN 37342, USA

The so-called U.S. Data Encryption Standard (DES) appears to be the most widely used cryptographic mechanism in the world. The structure, performance, and practical use of the DES deserve more thorough consideration from information system security specialists than they generally have received. This is especially urgent as the need for widespread encryption use in the internationally interconnected computing environment grows rapidly.

Its Growing Use

The DES is already used widely in what might be termed its pure form as well as in variants such as the so-called message authentication code employed in numerous electronic funds transfer arrangements. Also, the DES is used as what might be termed the encryption and decryption engine in some of its purported competitors -- the so-called public key encryption mechanisms. The DES is the first publicly available cryptographic process that has been endorsed by the U.S. Government. There is nothing comparable to its acceptance and use by the world computing community.

© 1992, Belden Menkus. All Rights Reserved.

This algorithm was originally certified in 1977 by what is now the U.S. National Institute for Standards and Technology. It was intended for use by most non-military Federal Government agencies and by organizations in the so-called private sector. (U.S. Defense Department agencies largely are prohibited from using the DES. And the intelligence organizations of several countries have aggressively discouraged its use by their nation's business entities. However, the actual importation into any of these countries of the DES has not been prohibited formally.) The continued viability and applicability of the DES currently is being reviewed every five years. Its continued use is expected to be certified by the Institute in January 1993¹.

1. The Institute's most comprehensive statement about the form, operation, and use of the DES is The Data Encryption Standard: Past and Present by Miles Smid and Dennis Branstad in The Proceedings of the IEEE [the U.S. Institute of Electrical and Electronic Engineers], 76 (5) May 1988.

Background

The DES is one of a class of so-called symmetric cryptographic processes. It uses the same key to encrypt and decrypt the contents of a message and is intended largely to protect the movement of sensitive data between two points. By contrast, a so-called public key encryption process essentially uses a different key for encryption and decryption and is especially suitable for the movement of sensitive data between a central point and any number of other points. Both processes, despite their structural differences, are susceptible to the use of what are termed weak keys - those that are especially vulnerable to cryptographic attack. Thus, in both instances, the effective use of the cryptographic process requires careful key management. This involves the selection of suitable keys and the coordination of their frequent change.
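For the DES specifically, "selection of suitable keys" can be checked mechanically. The following Python code is an added example, not part of the original article: it verifies the odd-parity bit carried in each key byte and rejects the four weak keys. It goes beyond the text by also rejecting the twelve published semi-weak keys. The function names and the sample keys are constructed for illustration.

```python
from itertools import product

# (byte used in key positions 1-4, byte used in positions 5-8), parity included.
# Every weak and semi-weak DES key is built from these four pairs.
_PATTERNS = [(0x01, 0x01), (0x1F, 0x0E), (0xE0, 0xF1), (0xFE, 0xFE)]


def strip_parity(key: bytes) -> bytes:
    """Clear the low bit of each byte, leaving only the 56 bits DES uses."""
    return bytes(b & 0xFE for b in key)


def fix_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so that every byte has odd parity."""
    return bytes((b & 0xFE) | (1 - bin(b >> 1).count("1") % 2) for b in key)


def _known_bad() -> dict:
    """Map parity-stripped key -> label for the 4 weak and 12 semi-weak keys."""
    bad = {}
    for (a_hi, a_lo), (b_hi, b_lo) in product(_PATTERNS, repeat=2):
        key = bytes([a_hi, b_hi, a_hi, b_hi, a_lo, b_lo, a_lo, b_lo])
        bad[strip_parity(key)] = "weak" if a_hi == b_hi else "semi-weak"
    return bad


KNOWN_BAD = _known_bad()


def check_des_key(key: bytes) -> list:
    """Return the problems found with a candidate key; [] means it passed."""
    if len(key) != 8:
        return ["length"]
    problems = []
    if key != fix_parity(key):
        problems.append("parity")
    label = KNOWN_BAD.get(strip_parity(key))  # compare on the 56 used bits
    if label:
        problems.append(label)
    return problems


if __name__ == "__main__":
    # Constructed sample keys, hex encoded.
    for hex_key in ("0101010101010101", "01FE01FE01FE01FE",
                    "0000000000000000", "133457799BBCDFF1"):
        print(hex_key, check_des_key(bytes.fromhex(hex_key)) or "ok")
```

A key generator would call `fix_parity` on fresh random bytes and draw again whenever `check_des_key` returns anything.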

Both the DES and public key encryption, as they are currently realized (even though they have been modified for use in the current distributed microtechnology computing environment), essentially reflect the state of computing as of about 1968. At that time, the present wide dispersion of cryptographic knowledge was not envisioned. Neither was the wide distribution of compact and extremely powerful microcomputer technology. The current generation of lap-top devices possesses far greater computing power than a so-called midrange system did in the late 1960s.

0167-4046/92/$5.00 © 1992 Elsevier Science Publishers Ltd

Unresolved Issues

The operational reliability of the DES largely seems to have been taken as a matter of faith. Those looking for what might be termed a quick fix to the possible compromise of data in transit essentially have endorsed its use without any sort of serious independent examination of the construction and performance of the algorithm being used. Others have contended that somehow it is subversive not to accept at face value something that has been endorsed by the U.S. Government². The practical effect of this sort of blind acceptance of the DES is that neither it nor the public key encryption algorithm that has been identified as its prime competitor have been subjected to the sort of intensive independent third party analysis that has become common in the data processing industry.

2. Most of the major concerns that have been raised about various construction features of the DES algorithm typically have been dismissed out of hand by its proponents in and out of the U.S. Government. Fundamental to their position is a contention that no one has demonstrated publicly any weakness in the underlying algorithm. Unfortunately, those who are most likely to have discerned any inherent vulnerability in it typically have no interest in demonstrating publicly what they have discovered.

This sort of analysis is extremely expensive and time-consuming to undertake. Undertaking it becomes more complex when one accepts without question the philosophical categories and terminology used by its proponents. For example, the DES does not have a 64 bit key³. (Even if it did, that would be only 8 bytes.) Actually the algorithm draws a 48 bit key from a 56/55 bit key pool. And, strictly speaking, the kernel key segment really is a 24 bit key drawn from half that pool. (That really is only 3 bytes.) It is this kernel, essentially, that is the target for anyone attempting to derive the actual key in use by some form of brute force cryptoanalysis.

How Many Possible Keys?

Most discussions of DES vulnerabilities assume - as they do for its competitors - a consistent worst case in a blind (so-called brute force) key extraction attempt. Such a discussion assumes that the correct key will be the last one tried when all of the key possibilities have been exhausted. There is no real philosophical warrant for this presumption. It really is a contention based on its convenience. The calculation required to support such a position is easy to do. This computation multiplies the time required to try a single key by the number of possible keys that might be in use. The result of this, however, is nothing more than the time required to try all possible keys, not the time required to find the unknown key.

3. Lucifer, the cryptographic mechanism from which the DES was created, had a key of 128 bits. (Given the present state of electronic technology, a key length exceeding 200 bits probably is advisable.) The key length of Lucifer's algorithm was reduced at the insistence of the U.S. National Security Agency, whose role in the development of the DES originally was concealed. Lucifer was developed for mainframe to mainframe transfers of large databases within IBM. As soon as DES began to evolve, IBM abandoned this internal use of Lucifer.

The philosophical weakness of this approach was identified by William Friedman and other cryptographers during World War I. If the key selection process is at all less than absolutely random there is a very high probability that the key being sought would be discovered within the first 30 percent to 50 percent of the possibilities when they are attacked in any sort of order. (This percentage drops dramatically in instances where an obvious or other so-called weak key has been selected. It drops further when the key in use is not changed frequently.)
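The gap between "time to try every key" and "time to find the key" can be made concrete for anyone assessing how much margin a key selection process really provides. The Python below is an added example, not from the original article: it computes the expected number of trials when candidate keys are tried most-likely first. The 16-bit toy keyspace and the bias parameters (256 favoured keys chosen half the time) are assumptions chosen for illustration, not measurements of any real system.

```python
from fractions import Fraction


def expected_guesses(probs):
    """Expected number of trials when keys are tried most-likely first."""
    ordered = sorted(probs, reverse=True)
    if sum(ordered) != 1:
        raise ValueError("probabilities must sum to 1")
    return sum(rank * p for rank, p in enumerate(ordered, start=1))


def uniform(n):
    """Every one of n keys is equally likely (ideal random selection)."""
    return [Fraction(1, n)] * n


def biased(n, favoured, mass):
    """`favoured` keys share probability `mass`; the others share the rest."""
    rest = n - favoured
    return [mass / favoured] * favoured + [(1 - mass) / rest] * rest


def search_report(n, probs):
    """Compare the worst-case figure with the expected work for one keyspace."""
    expected = expected_guesses(probs)
    return {
        "worst_case": n,                    # the figure usually quoted
        "expected": expected,               # mean trials until the key is found
        "fraction": float(expected / n),    # share of the keyspace searched
    }


if __name__ == "__main__":
    n = 2 ** 16  # toy keyspace (assumption), small enough to enumerate
    print("uniform:", search_report(n, uniform(n)))
    # Assumed bias: half of all keys come from a pool of 256 favourites.
    print("biased: ", search_report(n, biased(n, 256, Fraction(1, 2))))
```

With perfectly uniform selection the expected search covers about half of the keyspace; with the assumed bias it falls to about a quarter, which is why random key generation and frequent key change matter as much as nominal key length.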

What About Microchip Design?

Continued increases in microchip operating speeds have masked the essential weakness of any attempt to translate an algorithm into a physical representation of it. In microelectronic design the speed of the device is traded off against its capacity, breadth of capabilities, and cost to fabricate⁴. Thus, it is hard to believe that there have not been some undisclosed compromises of the DES algorithm since microchip versions of it were developed. (This issue also affects many of the microchip realizations of the so-called public key encryption, since in many of these the algorithm essentially sits in front of some version of the DES algorithm.)

Computers & Security, Vol. 11, No. 8

Microchip design experts have suggested that such adjustments would be required in making the comparatively unconstrained DES algorithm operate effectively in the relatively constrained microchip environment. (The DES algorithm has neither dimensions nor arbitrarily imposed limits in the environment in which it is assumed to function.) Once the algorithm is transformed from a concept into a microchip it assumes very precise physical properties. Each element of what results has very specific dimensions and operational characteristics.

Among the design compromises that may occur in this process are the imposition of constraints upon the length and randomness of the pseudorandom number generator and the number and essential randomness of the data paths available through the S-box elements of the DES algorithm. The existence of such compromises appears to be supported by the fact that, in some instances, a DES microchip that will perform satisfactorily in one computing environment will not do so when it is moved to another one.

4. While the delivered cost per microchip has continued to decrease in general, this decline has been achieved by increasing both the chip yield and the volume of chips fabricated. The comparatively small size of the apparent market for data encryption microchips seems to explain the reluctance of major device fabricators to create such products.

What About The Microchip Test?

U.S. National Institute of Standards and Technology Special Publication 500-20 Validating The Correctness Of Hardware Implementations Of The NBS⁵ Data Encryption Standard suggests that undetected DES algorithm compromises may have occurred in the fabrication of the microchip versions of it. Special Publication 500-20 expresses repeatedly a concern that a DES microchip presented for validation may have been designed and built only to satisfy the tests described in the document. The possibility that this may occur is made more likely by the fact that:

a. The adequacy and reliability of the design and operational performance of the Institute's DES microchip test bed itself has never been validated by independent outsiders.

b. All that the Institute's certification of a DES microchip indicates is that the performance of a microchip which supposedly is part of a production lot sample⁶ meets the requirements of its testing process.

c. Details of the test results are not disclosed publicly by the Institute. And, the nature - that is the exact design - of individual DES microchip realizations are being treated, quite understandably, as trade secrets and are not being revealed by the Institute.

d. The microchip testing process being carried out by the Institute does not appear to examine internal microchip design conformity with the algorithm disclosed in U.S. Federal Information Processing Standard 46. The Institute's testing process seems only to test for the presence of a limited number of external evidences of whatever is going on within the device.

Thus, there does not appear to be any reason to:

1. Believe that any of the DES microchips are identical in all details with the algorithm disclosed in Federal Information Processing Standard 46.

2. Be confident in the ability of any of the DES microchips to withstand cryptoanalytical attack in the manner - and to the degree - which the underlying algorithm is assumed to be able to withstand such an attack.

5. National Bureau of Standards, the name of the Institute at the time that the Report was issued.

6. The Institute apparently relies on the microchip fabricator's representation as to its source. It does not verify independently that the device in question is a true production lot sample. It should be noted:

• There is little economic justification for a microchip manufacturer to create a production process for a device which has not been certified, and thus may not be marketable in the form that is submitted for certification testing.

• The U.S. National Security Agency also relies, as reported in the September 1991 EDPACS, on manufacturer representations in its certification of device compliance with its Tempest standards for electromagnetic signal radiation security.

What About Its Performance In Telecommunication Links?

Almost all discussions of the use of both the DES and public key encryption algorithms assume that encrypted data will pass through a telecommunication network

• that is secured completely against physical or logical attack by intruders⁷ and

• the links and switches in this network will pass data in whatever form it may be without content distortion and with a clear indication of any possible error that may have been introduced into it.

7. Including so-called computer hackers as well as highly competent and well-equipped business intelligence collectors.

Most public discussions of data encryption and decryption treat the telecommunications environment as though it were a maze of unflawed stainless steel tubing through which data is pumped, encrypted or not, in something like a thick glop. However, the actual state of the real world environment in which data communication occurs is something entirely different. Whether it is encrypted or not, a datastream moving through this setting is subject to all sorts of atmospheric and operational disturbances - usually described as some form of noise. These disruptions tend to occur on an essentially random basis and are more likely to exist in a multilink multimode transmission environment.

When data transmission is taking place at, say, 9200 bits per second, a one millisecond occurrence of this noise can distort nine bits. An occurrence lasting, say, five milliseconds could distort 45 bits. Unless any error that results from this sort of distortion involves a shift outside of the numeric segment of the character set, it will essentially be undetectable after decryption, since cryptographic error detection largely relies upon discerning an obvious deviation from the message content context. Neither the DES nor public key encryption processes allow even for the existence of errors in data content, let alone for error detection.