Talk:Data Encryption Standard

From Wikipedia, the free encyclopedia

Featured article star Data Encryption Standard is a featured article; it (or a previous version of it) has been identified as one of the best articles produced by the Wikipedia community. If you can update or improve it, please do.
Main Page trophy Data Encryption Standard appeared on Wikipedia's Main Page as Today's featured article on August 21, 2004.
WikiProject on Cryptography This article is part of WikiProject Cryptography, an attempt to build a comprehensive and detailed guide to cryptography in the Wikipedia. If you would like to participate, you can choose to edit the article attached to this page, or visit the project page, where you can join the project and see a list of open tasks.
WikiReader Cryptography It is intended that this article be included in WikiReader Cryptography, a WikiReader on the topic of cryptography. Help and comments for improving this article would be especially welcome. A tool for coordinating the editing and review of these articles is the daily article box.
This article is within the scope of WikiProject Telecommunications, an attempt to build a comprehensive and detailed guide to telecommunications on Wikipedia. If you would like to participate, you can edit the article attached to this page, or visit the project page, where you can join the project as a "full time member" and/or contribute to the discussion.


This article has been selected for Version 0.5 and the next release version of Wikipedia. This Engtech article has been rated FA-Class on the assessment scale.


Contents

[edit] Request for external link addition

  • I would like to make a formal request to add http://www.celtickane.com/programming/ to the external links section of this page. It is my own website, so I wouldn't like to add it myself, but I would prefer that someone else review the website, and make the decision to add it. It contains a basic example of DES encryption in C++, which would be useful for someone who is wanting to program a DES encryptor. --Sugarskane 04:00, 20 July 2006 (UTC)
  • Hi, you already did add the link yourself [1] but I think this article should not be a link farm for implementations, since there are dozens to choose from. We do link to Helger Lipmaa's portal-like page about DES [2], which itself links to quite a few DES implementations. You might contact Helger and ask him to add your implementation to his list.

    In general, please take a look at WP:EL, particularly WP:EL#Links_normally_to_be_avoided item 3, since I see you've added your links to quite a few other Wikipedia articles, which could be considered spamming. Phr (talk) 06:11, 20 July 2006 (UTC)

Any of the articles I've added have been removed -- which is why I'm adding a request to the talk page instead. I will contact Helger -- thank you. --Sugarskane 14:27, 20 July 2006 (UTC)
While your computing related articles are well-written, I don't think they are unique or notable enough to merit inclusion on any of the pages that you've added them to. There are thousands of similar articles out there. While you may be able to find examples of programming-related links on Wikipedia that are non-notable, it just means that someone hasn't cleaned them up yet. Because techies rely on the web for quick info on programming topics, programming articles are hot targets for people looking for Google Adword revenue. On one Yahoo! group that I subscribe to, a user kept posting a link J2EE tutorial that he argued was relevant. A little research revealed that he'd simply cut-and-pasted the content from Sun Microsystems's site and threw it up on his site. I realize your material is original, but as I said, I don't think it's particularly notable or unique. OhNoitsJamie Talk 15:20, 20 July 2006 (UTC)

[edit] Hardware speeds

I snipped this for now; chips that run at several Mb/s are no longer particularly impressive, crypto-wise, even for Triple DES.

The DES algorithm lends itself to integrated circuit implementation. By 1984 the Bureau of Standards had certified over 35 LSI- and VLSI-chip implementations of the DES, most on single 40-pin chips, some of which operate at speeds of several million bits per second.

— Matt 13:27, 14 Jul 2004 (UTC)

Matt, The certification program is itself significant if rather ineffectual given Moore's Law.
Sure, I'll try and work in a mention of the certification program; giving details of specs is probably a bit redundant now, though, I'm guessing. — Matt 19:52, 14 Jul 2004 (UTC)
On another point, I seem to recall that Feistel was not a formal member of the team led by Tuchman. Consulting from another project and all... This from my memory of an account by Tuchman.
I took at least some of the names from a list given by Coppersmith (the "Coppersmith, 1994" reference) as people who'd been on the team developing crypto at IBM; I tried to word it to avoid any suggestion that it was the "DES design team", as, as you point out, it's not really clear whether, e.g. Feistel, was part. — Matt 19:52, 14 Jul 2004 (UTC)
Great work on this, by the way. I think the infobox is a great idea for presenting the 'executive summary' information. Very nice. The chronology is superb also. But I predict there will be sniping from those parsimonious of words in articles. I've only a few wording nits that I'll get around to sometime. ww 19:02, 14 Jul 2004 (UTC)
Thanks, glad you like it; can you think of any other "data field" that might be worth including on the InfoBox? Also, where do you think it might get too wordy? — Matt 19:52, 14 Jul 2004 (UTC)
Matt, I'm not likely to be one of those complaining of too many words; I'm nearly alwasy on the other end of such tussles. As for the infobox, the one thing that strikes me as worth adding (at least now) is an evaluation of status. Not merely such and such an attack has progressed thus and so far, but whether that attack makes the algorithm insecure against that attack and so insecure. One thing Joe User will find useful (even if the details escape) is that evaluation -- if I see this algorithm being claimed to be swell in some ad, I shouldn't take it seriously as the algorithm has been broken. ww 18:58, 19 Jul 2004 (UTC)

[edit] Why 56 bits

I just added a note making it a bit more explicit why 56 bits was an appropriate choice of key length, and not an attempt by the NSA to weaken the cipher. I'm a bit surprised all the material about differential cryptanalysis made it in without anyone explaining that it disproved the conspiracy theories. Metamatic 14:42, 21 Aug 2004 (UTC)

Your note was:

In fact, 56 bits was exactly the minimum length of key required to ensure that cracking the key by brute force would always be tougher than using differential cryptanalysis. In other words, the NSA had made the key as long as it needed to be in order not to be the weakest link, but no longer.

Hmm...well, I misread this at first, but it's not quite accurate: 1) The 56-bit key length did indeed prove to be the weakest link in the encryption. A brute force attack on the key remains the only practical way of breaking DES. 2) Out of the two original worries (S-box tampering and key-length shortening), there is evidence for vindicating the NSA on the S-box front, but it's still widely believed that they interfered with they key size. "NSA convinced IBM that a reduced key size was sufficient", and all that. 3) You're saying that the NSA chose 56 bits in order to make brute force search more expensive than differential cryptanalysis (complexity around about 247)? Despite being a strange design strategy (DC is a certificational weakness), do you have evidence that this was NSA's reasoning? — Matt 08:58, 22 Aug 2004 (UTC)
Also, why did the NSA send back modified S-Boxes if the technique of differential cryptanalysis was already known to IBM? --80.132.223.175 00:49, 13 February 2006 (UTC)

[edit] table

you can get rid of all those smalls with a style="font-size:85%" or something, can't you? - Omegatron 01:04, Mar 16, 2005 (UTC)

Yes, you can, thanks for the tip! — Matt Crypto 12:38, 16 Mar 2005 (UTC)

[edit] Brute Force

Hi. A nicely written page. This might sound a bit pedantic but could I question the wording of "DES is now considered insecure because a brute force attack is possible..."

As I understand it a brute force attack is always possible on virtually all encryption algorithms (exception of one time key pads) merely that with a useable algorithm it is not practical within the useful timelife of the data. Thus 56-bit DES became unuseful because it is now crackable whilst the data is still sensitive.

Any thoughts? --Grapeswrath 03:00, 20 September 2005 (UTC)

Yeah, I don't mind replacing "possible". I'm unsure about an unqualified "practical", though, because it's still quite an effort to do brute force over 56 bits, even in 2005. — Matt Crypto 11:36, 20 September 2005 (UTC)
How about something like "feasible with todays hardware". bit wordy....--Grapeswrath 12:54, 20 September 2005 (UTC)
Or just "possible within 24 hours"....--Grapeswrath 13:11, 20 September 2005 (UTC)

I am glad someone caught this. An ex-NSA man once told me that a cipher is considered "secure" as long as there is not an attack _other_ than a brute force. I believe this line, "DES is now considered insecure because a brute force attack is possible...", should be changed to "DES is now considered insecure because improved attacks over the efficiency of a brute force are possible." Sorry for my anonymitity, I just did not bother to make an account for something this small. crysys -at- gmail.com

[edit] Should include DES modes

DES modes are important. Not going to accept casual deletions from Matt Crypto.

Think of it this way: should we include a section on modes of operation in each and every article on a block cipher? Clearly not. The sensible solution is deal with it in a separate page. — Matt Crypto 01:20, 30 October 2005 (UTC)


Think of this this way, you don't have to give a detailed discussion, but the modes should be mentioned and referenced in detail in another page. The level of discussion I added is appropriate. Reference the other page for details. BTW: I'm not a fan for debating memes like "clearly not" (clearly your opinion) as that is normally a way people tend to short circuit discussions. It it was clear, I would not have added critical info :-) When I read this page, the first thing that jumped out was - oh! what a pedantic discussion with no operational context - must of been by PhD or MS level students who don't actually implement cryto in the real world in network or data protocols. DES was made to actually do work, not to just be debated from an academic perspective and crytoanalysis view. Hence, I found the discussion on DES, pedantic and academic, and think it needs a bit of actually operational knowledge. The 3DES discussion is fully of errors, BTW, and the modes were not even described correctly and the representation of the modes were inaccurate.

You haven't really answered the question. Would you have us include a section on all the modes in each and every block cipher article? The issue is where it is best to include a lengthy discussion on general-purpose block cipher modes. ECB, OFB, CBC, CFB and CTR modes can be used by any block cipher, not just DES. General stuff on modes is best put in the block cipher modes of operation article. If we include any information on modes here, it should be specific details concerning DES and modes that aren't more widely applicable to block ciphers in general. — Matt Crypto 02:03, 30 October 2005 (UTC)

I did not create an lengthy discussion, I created a summary one. Using your logic, one can argue that most of the details in any entry is more appropriate on another page. I have many texts on security and cryto, and all of them have discussion of DES modes in the DES chapter. Get over it. When I read the discussion as you want to revert, it is seriously lacking and it pedantic v. useful to readers who actually use DES. As far as "all block ciphers" and when to discuss modes, please ask a more specific question, not a sweeping generalization. The reason we discuss modes in DES is that all the major texts do because of the status of DES in the history of ciphers.

While your "many tests on security and cryto" do sound impressive, I'm afraid your argument is not particularly convincing. We do already say that "Like other block ciphers, DES must be used in a mode of operation if applied to a message longer than 64 bits. FIPS-81 specifies several modes for use with DES, including one for authentication [2]. Further comments on the usage of DES are contained in FIPS-74". Now, I would be very happy to see additional specific details about DES and modes (such as what modes are specified in the FIPS publications and so forth), but to go into detail about basic general principles of block cipher usage is overkill in this article. Moreover, I'm afraid your explanation is confusing and incorrect in parts, particularly the ECB paragraph, which confuses the action of the mode with the operation of the DES primitive itself. — Matt Crypto 02:22, 30 October 2005 (UTC)

If the discussion is confusing, you can correct it (if you can). However, I have three textbooks in front of me and about 15 years of operational experience with DES and the discussion matches. Are you the "bully of crypto" ? I think so. All textbooks I have discuss the modes of DES in the DES discussion and do not discuss the modes in other block cipher chapters. I guess you are just going to bully your way, is that right? There is only your opinion and all the textbooks are wrong too?

*Sigh* I'll come back to this tomorrow, if I have time. It's discouraging that you've stopped presenting any arguments and started with comments about "bullying" and boasting about how experienced you are with DES and how many textbooks you have. Good, but make use of your experience and read your textbooks. You've quite clearly not explained the ECB mode correctly at all, confusingly adding a fudged explanation of the main DES algorithm itself. You wrote that, "ECB is applied to 64-bit blocks of plaintext to provide 64-bits of ciphertext. The 64-bit input vector is divided into two 32-bit blocks called the Right Block and the Left Block, and then recopied to form two 48-bit blocks. Each of these two 48-bit blocks are XORed with a 48-bit encryption key. Because ECB does not use chaining, patterns in the ciphertext can be detected; hence, ECB is not used to encrypt large blocks of data. — Matt Crypto 02:44, 30 October 2005 (UTC)
Matt is right, these explanations are totally inappropriate and are redundant for this article. You have ceased addressing his point and have started engaging in some kind of strange book-based pissing contest. I'm just going to remove them and keep them out, I'm assuming everyone else will revert along with me, there's no point in wasting energy arguing this further. Nathan J. Yoder 17:34, 1 November 2005 (UTC)

[edit] Disambig

Please see Talk:DES for a discussion related to this article. Peyna 16:16, 3 December 2005 (UTC)

[edit] NSA speculation

There is some discussion over on usenet:sci.crypt over whether to remove the speculation about the NSA. Some of it is unsourced and probably false.

I removed these two sentences:

Off the record, NSA has characterized DES as one of their biggest mistakes. If they knew the details would be released so that people could write software, they would never have agreed to it.

These are just improbable rumors, and there is no source in the NSA or even anyone who claims to have talked to anyone in the NSA about the matter. There is no date for the NSA opinion. It is unclear what the mistake was or who made the mistake. There is circumstantial evidence that NSA did not consider DES to be a mistake, although different opinions may exist in the NSA. DES was a National Bureau of Standards project, so the NSA probably did know that the details would be released.

There is a lot of wacky speculation about the NSA on the internet. This article should stick to verifiable facts. Roger 17:11, 14 July 2006 (UTC)

I originally added those sentences a couple of years ago, but I agree with you. Of course, Wikipedia articles can and should report on significant rumours, and there's been a lot of published material speculating about the nature of the NSA's involvement in the design of DES. I think the article is OK at present, although it could do with citing sources for the quotes. — Matt Crypto 20:00, 31 July 2006 (UTC)
I see you asked for a citation on the rumors about why NSA wanted DES to have a 56-bit key. I think that it is true that "it was widely believed that NSA's decision was motivated by the possibility that they would be able to brute force attack a 56 bit key several years before the rest of the world". But it should probably be noted that NSA seemed to know the true strength of DES better than anyone else, and NSA may have simply thought that the key length should match the true strength.

[edit] Inline references

I left a note asking Cyde to run his conversion bot to turn the inline references to footnotes. I hope no one minds. All featured articles are supposed to use footnotes now, I think. Phr (talk) 08:12, 14 July 2006 (UTC)

[edit] Applications

Where was DES used and where is it used now? In mobile phones, pay per view, police radios?

Velle 10:45, 22 August 2006 (UTC)

[edit] When was NSA able to brute force attack the system?

In "History of DES - NSA's involvement in the design" it says

It was widely believed that NSA's decision was motivated by the possibility that they would be able to brute force attack a 56 bit key several years before the rest of the world would[citation needed].

And in "Security and Cryptanalysis - Brute force attack" it says

(...) this is often taken as an indication that the NSA possessed enough computer power to break keys of this length even in the mid-1970s.

The last one does not say much, except that some people take it as an "indication".

However, I read that some organizations brute forced it in 1999, but I have no notion of the computer power in the NSA, was it realistic for them to break it in the 70's and how difficult is it for them now?

Velle 11:03, 22 August 2006 (UTC)

[edit] Comparing DES with Rijndael Algorithm

DES uses 64 bit blocks with 56 bit key whereas Rijndael Algorithm uses 128 bit block with 128 or 192 or 256 keys

DES uses 16 rounds whereas Rijndael uses 10 rounds

While comparing the performance, Rijndael is better than DES in terms of speed, Complexity of operation and security —The preceding unsigned comment was added by 220.227.28.18 (talkcontribs).