For symmetric cipher selection, it is prudent to utilize AES with 256-bit keys for implementations which wish to preserve confidentiality of the data protected well into the foreseeable future.

There are 3 major categories of development in adversaries which make security a constantly moving target:

- Cryptanalysis - algorithmic methodology advances which decrease the effective security of an algorithm.
- Moore's law applied to classical computers - see the brute force timeline below.
- Quantum Advent - the availability of quantum computing circuitry which drastically reduces the time needed to break a cryptographic algorithm.

There are 64 keys which are considered weak for DES. We include the keys which are denoted as 1) components of a semi-weak key pair and 2) the 'possibly weak keys' as it is generally better to insulate this constraint within the key generation function (as opposed to combinatory logic constraint(s) on the key bundle). In other words, we include the four (4) weak keys, six (6) pairs of semi-weak keys, and forty-eight (48) possibly weak keys.

Reject each of the following keys from the key generation function (each line is 64 bits in hexadecimal, which is a 56 bit key along with 8 bits of parity):

01010101 01010101 FEFEFEFE FEFEFEFE E0E0E0E0 F1F1F1F1 1F1F1F1F 0E0E0E0E 011F011F 010E010E 1F011F01 0E010E01 01E001E0 01F101F1 E001E001 F101F101 01FE01FE 01FE01FE FE01FE01 FE01FE01 1FE01FE0 0EF10EF1 E01FE01F F10EF10E 1FFE1FFE 0EFE0EFE FE1FFE1F FE0EFE0E E0FEE0FE F1FEF1FE FEE0FEE0 FEF1FEF1 01011F1F 01010E0E 1F1F0101 0E0E0101 E0E01F1F F1F10E0E 0101E0E0 0101F1F1 1F1FE0E0 0E0EF1F1 E0E0FEFE F1F1FEFE 0101FEFE 0101FEFE 1F1FFEFE 0E0EFEFE E0FE011F F1FE010E 011F1F01 010E0E01 1FE001FE 0EF101FE E0FE1F01 F1FE0E01 011FE0FE 010EF1FE 1FE0E01F 0EF1F10E E0FEFEE0 F1FEFEF1 011FFEE0 010EFEF1 1FE0FE01 0EF1FE01 FE0101FE FE0101FE 01E01FFE 01F10EFE 1FFE01E0 0EFE01F1 FE011FE0 FE010EF1 FE01E01F FE01F10E 1FFEE001 0EFEF101 FE1F01E0 FE0E01F1 01E0E001 01F1F101 1FFEFE1F 0EFEFE0E FE1FE001 FE0EF101 01E0FE1F 01F1FE0E E00101E0 F10101F1 FE1F1FFE FE0E0EFE 01FE1FE0 01FE0EF1 E0011FFE F1010EFE FEE0011F FEF1010E 01FEE01F 01FEF10E E001FE1F F101FE0E FEE01F01 FEF10E01 01FEFE01 01FEFE01 E01F01FE F10E01FE FEE0E0FE FEF1F1FE 1F01011F 0E01010E E01F1FE0 F10E0EF1 FEFE0101 FEFE0101 1F01E0FE 0E01F1FE E01FFE01 F10EFE01 FEFE1F1F FEFE0E0E 1F01FEE0 0E01FEF1 E0E00101 F1F10101 FEFEE0E0 FEFEF1F1

- Single key DES is prohibited.
- Two-key TDEA is prohibited, except for legacy use (as defined in SP 800-131A rev 2).
- Three-key TDEA must use three unique keys (SP 800-67 rev 2 Section 3.1) in the tuple of keys which is called a 'key bundle'.
- Limit of 2^20 (1,048,576) blocks (64 bits/block or 8,388,608 bytes total) for a key bundle (SP 800-67 rev 2 Section 3.4).

**key wrapping**:

- Deprecation Date: ALREADY DEPRECATED
- Sunset Date: 2023-12-31

**key unwrapping**:

- LEGACY USE

**DRBG**) using CTR_DRBG:

- Deprecation Date: ALREADY DEPRECATED
- Sunset Date: 2023-12-31

DES brute force timeline | ||

1976 | Whitfield Diffie, Martin Hellman, and other renowned cryptographers |
Estimated cost of $20,000,000 to build a machine to crack DES |

1998 | EFF ASICs | Under $250,000 was spent to crack a message in 56 hours |

2006 | COPACOBANA in FPGA | $10,000 in hardware breaks DES in 9 days (and further optimized to 6.4 days) on average |

2016 | hashcat on GPU | $1,000 commercial off the shelf (COTS) GPU cracks DES in 15 days on average, thus under $20,000 can recover a DES key in less than a day on average |

References | ||

NIST SP 800-131A Revision 2 | March 2019 | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf |

NIST SP 800-67 Revision 2 | November 2017 | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-67r2.pdf |