Data Encryption Standard
DES (Data Encryption Standard) - also known as DEA (Data Encryption Algorithm) was one of the most popular forms of encryption and variants, such as Triple DES/3DES are still considered strong and fast and are actively used in banking and commerce. I wrote several pieces of DES software and therefore I have been asked many questions about DES and 3DES, so I created this web page to answer a few of those questions.
Because DES is a 56 bit key. This means that there are 8 characters to the key, each character can only contain 7 bits. This means that you can only have 128 different values to choose from for each key character. ASCII, however, has 256 characters (double the capability of DES). Therefore for every ASCII character selected there is another ASCII character that, if substituted, will generate the same DES Key (i.e. there are always two ASCII characters that are interchangeable).
Because DES only uses 7 bits, but the final bit is ignored.
Looking from a byte point of view:
01010101 is the same as 01010100
11111110 is the same as 11111111
The last bit is simply not used.
So.... in a key A = B and C=D and E=F
AABBEECC is the same as BBAAFFCC
which is also the same thing as:
ABBAEFCD which is also the same as AAAAFFDD
Strength of DES
The strength of DES is actually due to the fact that it would take a long time to guess the key that you used. Therefore, the greater the number of possible keys that COULD have been used, the longer it will take to "crack" the encryption.
If you are thinking in "ASCII" (or ANSII under Microsoft) there are 256 ASCII characters. Remembering that there are 8 individual characters to a standard DES key, we can calculate out the number of key combinations.
2568 = 256 x 256 x 256 x 256 x 256 x 256 x 256 x 256 = 18,446,744,073,709,551,616 (18.5 billion billion) possible combinations.
However, DES only uses 128 characters. This results in:
1288 = 128 x 128 x 128 x 128 x 128 x 128 x 128 x 128 = 72,057,594,037,927,936 (72 thousand billion) possible combinations. Although this value is still huge, it is 256 times smaller than full ASCII.
Incidentally - for those not literate in mathematics, each byte has 8 bits. Each bit can have 2 states, off or on (0 or 1). There are normally 8 bits in a byte, and since we have 8 bytes this makes 64 bits in total. Also, DES only uses 7 bits in the byte. Therefore this makes 56 bits in total. So converting our byte calculations above into bits would result in:
1288 = 256 which is what is meant by DES being a 56 bit encryption.
Assuming that you know the data that is encrypted, and are simply trying to determine the key and that it takes approximately 60 seconds to decrypt 1 million times (each time with a different key) - then it will take 137,096 years to try every possible key.
A problem may come about if you only use a smaller range of the ASCII character set, say "A - Z" (26 characters). In that case there are only 208,827,064,576 unique ASCII combinations. As stated earlier DES uses only 7 bits which means that A=B and B=C so the actual number of characters is reduced to 13. means we only have 815,730,721 different unique keys - which is about 83 million times easier (and faster) to break. Using this type of key it would only take less than 13.5 hours to crack (it would take 13.5 hours to try every possible key). If "A-Z and a-z" are used, which occurs with "normal" passwords, it will take less than 145 days to crack. Add numbers (0 - 9) and you less than 1.6 years. So the rule of thumb is to use the widest range of characters at once, because once your key is cracked the key can be used to decrypt all data encrypted with this key.
Strengthening you Key
Most people will want a key that contains normal characters. Using normal characters makes a key hundreds of thousands times easier to crack. I have therefore added a Hashing step to the key setting process. This turns any key into a new key, that uses all 128 different characters of each DES key character. This turns your basic key into a full strength DES key.
Triple DES (3DES)
Triple DES does not make your encryption 3 times harder to break. It makes it 5 x 10 33 (5 Billion Trillion Trillion) times harder to break. This is because Triple DES means you are performing 3 DES computations with three separate keys. The result is that your key length is effectively increased to 24 characters (168 bit encryption). This means that the number of possible key combinations that are available are:
2168 = 3.7x 10 50 (370 Trillion Trillion Trillion Trillion) different combinations.
Assuming that you can crack the keys at a rate of 1 Million per minute...... you would be working away for the next...... well let's just say that you still be working on the first couple of percent when the earth ends and.... and assuming the universe implodes you still won't have finished computing every different combination.
This is why Triple DES is considered so strong.
One final point. It is much easier for someone to crack your key if it is logical. I have some old figures, and will update them if I find some new ones. It has been said that 25% of all passwords are "password". 10% of system administrator passwords are "God", "Creator", "Zeus", etc. (power complex). 95% of passwords only contain alphabet letters. 80% of all passwords are names or can be found in the dictionary. 60% of passwords that contain numbers are dates of events in the users life, bank pin numbers or club/gym membership numbers. Almost all remaining passwords are a mixture of the above types.
So what you may ask. That makes it easier to crack. There are three main ways of cracking an encryption:
- Finding the password out from the user (through their trash or through stealth/observation).
- Brute force - try all combinations of all possible keys.
- Dictionary/Word attack - try a combination, and variations on, words from a dictionary or words/dates/numbers related to the user.
With Triple DES the only real option are the first and last option unless you have some large computer power. I have performed dictionary/work attacks on my own encryptions. Sure it took 3 days to crack..... but I was able to crack my own key.
The simplest answer I can give.... use weird keys. Try passwords with other ASCII characters in it, like bopple#doop, or ó2LooVe. If the hacker thinks that you have used more than just alphabet letters and more than just simple words they will have to rethink how they are going to get your data. Better still, use a different key for different data. That means that once the hacker has one key they will only get one set of data. They have to try and crack every key that you use to get all of your data.