The time required to crack an encryption algorithm is directly related to
the length of the key used to secure the communication.
Every now and then, our development team comes across someone still using antiquated DES for encryption. If you haven’t made the switch to the Advanced Encryption Standard (AES), let’s take a look at the two standards and see why you should!
Data Encryption Standard (DES):
DES is a symmetric block cipher (shared secret key), with a key length of 56-bits. Published as the Federal Information Processing Standards (FIPS) 46 standard in 1977, DES was officially withdrawn in 2005 [although NIST has approved Triple DES (3DES) through 2030 for sensitive government information].
The federal government originally developed DES encryption over 35 years ago to provide cryptographic security for all government communications. The idea was to ensure government systems all used the same, secure standard to facilitate interconnectivity.
To show that the DES was inadequate and should not be used in important systems anymore, a series of challenges were sponsored to see how long it would take to decrypt a message. Two organizations played key roles in breaking DES: distributed.net and the Electronic Frontier Foundation (EFF).
- The DES I contest (1997) took 84 days to use a brute force attack to break the encrypted message.
- In 1998, there were two DES II challenges issued. The first challenge took just over a month and the decrypted text was “The unknown message is: Many hands make light work”. The second challenge took less than three days, with the plaintext message “It’s time for those 128-, 192-, and 256-bit keys”.
- The final DES III challenge in early 1999 only took 22 hours and 15 minutes. Electronic Frontier Foundation’s Deep Crack computer (built for less than $250,000) and distributed.net’s computing network found the 56-bit DES key, deciphered the message, and they (EFF & distributed.net) won the contest. The decrypted message read “See you in Rome (Second AES Candidate Conference, March 22-23, 1999)”, and was found after checking about 30 percent of the key space…Finally proving that DES belonged to the past.
Even Triple DES (3DES), a way of using DES encryption three times, proved ineffective against brute force attacks (in addition to slowing down the process substantially).
Advanced Encryption Standard (AES):
Published as a FIPS 197 standard in 2001. AES data encryption is a more mathematically efficient and elegant cryptographic algorithm, but its main strength rests in the option for various key lengths. AES allows you to choose a 128-bit, 192-bit or 256-bit key, making it exponentially stronger than the 56-bit key of DES. In terms of structure, DES uses the Feistel network which divides the block into two halves before going through the encryption steps. AES on the other hand, uses permutation-substitution, which involves a series of substitution and permutation steps to create the encrypted block. The original DES designers made a great contribution to data security, but one could say that the aggregate effort of cryptographers for the AES algorithm has been far greater.
One of the original requirements by the National Institute of Standards and Technology (NIST) for the replacement algorithm was that it had to be efficient both in software and hardware implementations (DES was originally practical only in hardware implementations). Java and C reference implementations were used to do performance analysis of the algorithms. AES was chosen through an open competition with 15 candidates from as many research teams around the world, and the total amount of resources allocated to that process was tremendous. Finally, in October 2000, a NIST press release announced the selection of Rijndael as the proposed Advanced Encryption Standard (AES).
Comparing DES and AES
DES | AES | |
Developed | 1977 | 2000 |
Key Length | 56 bits | 128, 192, or 256 bits |
Cipher Type | Symmetric block cipher | Symmetric block cipher |
Block Size | 64 bits | 128 bits |
Security | Proven inadequate | Considered secure |