e-Liberty "Your Key To Security" / Security

Data Encryption Standard (DES)

DES is a symmetric encryption technique that encrypts and decrypts data 64-bits at a time based on a Secret Key. The key is expressed as a 64-bit number, however the key is actually considered 56-bits in length because the Least Significant Bit of each byte is used for parity checking (every eighth bit). The technique is based on an initial permutation (moving bits), 16 rounds of substitutions and permutations, and a final permutation that ends with an encrypted 64-bit block of data. The technique can then be reversed (for decryption) when the same key is provided. Here is the process:

The initial permutation transposes the bits from the 64-bit input block of plaintext data using the following table:

**Data Permutation**
Bit	0	1	2	3	4	5	6	7
Byte 1	58	50	42	34	26	18	10	2
Byte 2	60	52	44	36	28	20	12	4
Byte 3	62	54	46	38	30	22	14	6
Byte 4	64	56	48	40	32	24	16	8
Byte 5	57	49	41	33	25	17	9	1
Byte 6	59	51	43	35	27	19	11	3
Byte 7	61	53	45	37	29	21	13	5
Byte 8	63	55	47	39	31	23	15	7

Thus, bit 58 from the initial block is moved to the first bit position, bit 60 is moved to the ninth bit position, and so on until all the bits have been transposed and the initial permutation of the plaintext data is completed.

Next the 64-bit Key is reduced to 56-bits by using the following table:

**Key Permutation**
Bit	0	1	2	3	4	5	6	7
Byte 1	57	49	41	33	25	17	19	1
Byte 2	58	50	42	34	26	18	10	2
Byte 3	59	51	43	35	27	19	11	3
Byte 4	60	52	44	36	63	55	47	39
Byte 5	31	23	15	7	62	54	46	38
Byte 6	30	22	14	6	61	53	45	37
Byte 7	29	21	13	5	28	20	12	4
Byte 8	8	16	24	32	40	48	56	64

*Note: Byte 8 is not used in the key. It is used for error checking on the Key.

After the 56-bit Key is derived a different subkey is generated for each of the 16 rounds (labled K₁, K₂, ... to K₁₆). This is done by halving the 56-bit Key and Circularly Shifting the halves Left based on the following table:

**Subkey Generation**
ROUND	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16
# of Bits Shifted	1	1	2	2	2	2	2	2	1	2	2	2	2	2	2	1

There are now 16:56-bit subkeys. However, only 48-bits from each subkey will actually be used in the encryption process. These 48-bits are selected from each of the 16 subkeys using the following table:

**Subkey Bit Selection (Compression)**
Bit	0	1	2	3	4	5	6	7
Byte 1	14	17	11	24	1	5	3	28
Byte 2	15	6	21	10	23	19	12	4
Byte 3	26	8	16	7	27	20	13	2
Byte 4	41	52	31	37	47	55	30	40
Byte 5	51	45	33	48	44	49	39	56
Byte 6	34	53	46	42	50	36	29	32
Byte 7	9	18	22	25	35	38	43	54

*Note: Byte 7 is discarded

Since each of the 16 subkeys is different (because of the Left Circular Shift) a different 48-bit subkey set is selected for each round. Thus, each bit of the original 56-bit Key is used in approximately 14 of the 16 rounds. These 48-bit subkey selections will later be XOR'd against the 32-bit Right Half of the input block of data (R_i). However, the 32-bit Right Half must first be expanded to 48-bits in length for the XOR operation to work correctly. This is done using the following table:

**R_i Expansion to 48-bits (Expansion)**
Bit	0	1	2	3	4	5	6	7
Byte 1	32	1	2	3	4	5	4	5
Byte 2	6	7	8	9	8	9	10	11
Byte 3	12	13	12	13	14	15	16	17
Byte 4	16	17	18	19	20	21	20	21
Byte 5	22	23	24	25	24	25	26	27
Byte 6	28	29	28	29	30	31	32	1

*Note: For each 4-bit input (i.e. bits 1-4, 5-8, etc.) the 1st and 4th bits are used twice (i.e. 1 and 4, 5 and 8), and the 2nd and 3rd bits (i.e. 2 and 3, 6 and 7) are used once.

This step is very important for two reasons. First, the input data (R_i) must be expanded for the XOR operation to work with the 48-bit subkey selection that we generated. Second, because 16 of the 32 bits from R_i are used twice (look at the *Note: above), thus 16 input bits (from R_i) affect 32 of the 48 output bits. This is called the Avalanche Effect.

Now the 48-bit subkey selection (the compressed round key, K_i) is XOR'd with the R_i that we just expanded to 48-bits. This will result in a new 48-bit value that will be used in the substitution operation of DES.

The substitution operation of DES will compress the 48-bit result from the XOR operation to 32-bits when it is finished (first we expanded, now we must compress). To do this DES has eight Substitution Boxes (S-Boxes) that will each be given 6-bits as input from the 48-bit XOR result (i.e. S-Box 1 is fed bits 1-6, S-Box 2 is fed bits 7-12, etc.). The S-Boxes will compress the 6-bits they are given into a 4-bit result. Since there are eight S-Boxes and 4 bits are output from each S-Box there will be a 32-bit result when the entire substitution operation has finished.

Now comes the tricky part. We have to compress the 6 input bits into 4 output bits. These are the steps to complete the process:

Bit 1 and Bit 6 (B₁, B₆) are combined to form a 2-bit number (which could be any number between 0 and 3). This number represents a Row in S-Box 1.
Bit 2, Bit 3, Bit 4, and Bit 5 (B₂, B_3,B₄, B₅) are combined to form a 4-bit number (which could be any number between 0 and 15). This number represents a Column in S-Box 1.
The 4-bit number from the specified Row and Column is retrieved from S-Box 1.
Repeat this process for all 6-bit inputs, and their corresponding S-Box (i.e. Bits 7-12 will use S-Box 2, Bits 13-18 will use S-Box 3, etc.).

S-Box 1
Column	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15
Row 0	14	4	13	1	2	15	11	8	3	10	6	12	5	9	0	7
Row 1	0	15	7	4	14	2	13	1	10	6	12	11	9	5	3	8
Row 2	4	1	14	8	13	6	2	11	15	12	9	7	3	10	5	0
Row 3	15	12	8	2	4	9	1	7	5	11	3	14	10	0	6	13

S-Box 2
Column	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15
Row 0	15	1	8	14	6	11	3	4	9	7	2	13	12	0	5	10
Row 1	3	13	4	7	15	2	8	14	12	0	1	10	6	9	11	5
Row 2	0	14	7	11	10	4	13	1	5	8	12	6	9	3	2	15
Row 3	13	8	10	1	3	15	4	2	11	6	7	12	0	5	14	9

S-Box 3
Column	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15
Row 0	10	0	9	14	6	3	15	5	1	13	12	7	11	4	2	8
Row 1	13	7	0	9	3	4	6	10	2	8	5	14	12	11	15	1
Row 2	13	6	4	9	8	15	3	0	11	1	2	12	5	10	14	7
Row 3	1	10	13	0	6	9	8	7	4	15	14	3	11	5	2	12

S-Box 4
Column	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15
Row 0	7	13	14	3	0	6	9	10	1	2	8	5	11	12	4	15
Row 1	13	8	11	5	6	15	0	3	4	7	2	12	1	10	14	9
Row 2	10	6	9	0	12	11	7	13	15	1	3	14	5	2	8	4
Row 3	3	15	0	6	10	1	13	8	9	4	5	11	12	7	2	14

S-Box 5
Column	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15
Row 0	2	12	4	1	7	10	11	6	8	5	3	15	13	0	14	9
Row 1	14	11	2	12	4	7	13	1	5	0	15	10	3	9	8	6
Row 2	4	2	1	11	10	13	7	8	15	9	12	5	6	3	0	14
Row 3	11	8	12	7	1	14	2	13	6	15	0	9	10	4	5	3

S-Box 6
Column	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15
Row 0	12	1	10	15	9	2	6	8	0	13	3	4	14	7	5	11
Row 1	10	15	4	2	7	12	9	5	6	1	13	14	0	11	3	8
Row 2	9	14	15	5	2	8	12	3	7	0	4	10	1	13	11	6
Row 3	4	3	2	12	9	5	15	10	11	14	1	7	6	0	8	13

S-Box 7
Column	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15
Row 0	4	11	2	14	15	0	8	13	3	12	9	7	5	10	6	1
Row 1	13	0	11	7	4	9	1	10	14	3	5	12	2	15	8	6
Row 2	1	4	11	13	12	3	7	14	10	15	6	8	0	5	9	2
Row 3	6	11	13	8	1	4	10	7	9	5	0	15	14	2	3	12

S-Box 8
Column	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15
Row 0	13	2	8	4	6	15	11	1	10	9	3	14	5	0	12	7
Row 1	1	15	13	8	10	3	7	4	12	5	6	11	0	14	9	2
Row 2	7	11	4	1	9	12	14	2	0	6	10	13	15	3	5	8
Row 3	2	1	14	7	4	10	8	13	15	12	9	0	3	5	6	11

Obviously when DES is implemented in software it makes more sense to represent the S-Boxes as 64 number Arrays. However, this should be done carefully because this is the confusion step of the technique and it is non-linear (the other steps are linear and can easily be broken with Linear Cryptanalysis), which is what gives DES its security.

The next step in the round requires another permutation that is exercised on the 32-bit result from the S-Boxes. This permutation does not expand or compress, making it a straight permutation. This permutation is done using the following Permutation Box (P-Box).

**P-Box**
Bit	0	1	2	3
R_i of Byte 1	16	7	20	21
R_i of Byte 2	29	12	28	17
R_i of Byte 3	1	15	23	26
R_i of Byte 4	5	18	31	10
R_i of Byte 5	2	8	24	14
R_i of Byte 6	32	27	3	9
R_i of Byte 7	19	13	30	6
R_i of Byte 8	22	11	4	25

The result from the P-Box is then XOR'd with the 32-bit Left Half (L_{i - 1}, which has been untouched thus far in the round) resulting in the fully encrypted, new R_i. The initial Right Half of the input R_{i - 1} is then moved to L_i and the next round is processed with the next subkey. This process continues until all 16 subkeys have been used.

L_i = R_{i - 1}
R_i = L_{i - 1} XOR f(R_{i - 1}, K_i). In which 'f' is the cryptographic Feistel function performed on R_{i - 1} with K_i.
*Note: i equals the round and R₀, L₀ are the Left and Right halves of the original Plaintext. Thus when Round 1 has fininshed R₀ becomes L₁ and R₁ = L₀ XOR f(R₀, K₁).

When the final subkey is processed a final permutation is exectued (to reverse the initial permutation). This final permutation is processed using the following table:

**Final Data Permutation**
Bit	0	1	2	3	4	5	6	7
Byte 1	40	8	48	16	56	24	64	32
Byte 2	39	7	47	15	55	23	63	31
Byte 3	38	6	46	14	54	22	62	30
Byte 4	37	5	45	13	53	21	61	29
Byte 5	36	4	44	12	52	20	60	28
Byte 6	35	3	43	1	51	19	59	27
Byte 7	34	2	42	10	50	18	58	26
Byte 8	33	1	41	9	49	17	57	25

*Note: L₁₆ and R₁₆ are not rotated in the last round, so the Final Permutation looks a little different from the Initial Permutation.

To decrypt DES the same encryption process is used, however, the subkeys are used in reverse order. Thus, K₁₆ is used first and K₁ is used last.

Since 1998 DES has been considered insecure because a machine was built specifically to brute force DES into submission. However, because DES is not a group it can be implemented in multiple encryption, the most prevalent today of which is called Triple DES.

To brute force Triple DES 2¹¹² attempts are needed. Triple DES uses three different keys and does what is known as Encrypt-Decrypt-Encrypt (EDE). Basically:

Ciphertext = E_K1(D_K2(E_K3(Message)))
Message = D_K1(E_K2(D_K3(Ciphertext)))

Triple DES is considered secure for now, but AES has replaced it as the NIST standard.