2020-02-05
Author: Adam F. Glynn
Topic: 3DESDEADESTDEATDES

Quantitative Guidance for DES and variants (if you must use them)

For symmetric cipher selection, it is prudent to utilize AES with 256-bit keys for implementations which wish to preserve confidentiality of the data protected well into the foreseeable future.

There are 3 major categories of development in adversaries which make security a constantly moving target:

  • Cryptanalysis - algorithmic methodology advances which decrease the effective security of an algorithm.
  • Moore's law applied to classical computers - see the brute force timeline below.
  • Quantum Advent - the availability of quantum computing circuitry which drastically reduces the time needed to break a cryptographic algorithm.

There are 64 keys which are considered weak for DES. We include the keys which are denoted as 1) components of a semi-weak key pair and 2) the 'possibly weak keys' as it is generally better to insulate this constraint within the key generation function (as opposed to combinatory logic constraint(s) on the key bundle). In other words, we include the four (4) weak keys, six (6) pairs of semi-weak keys, and forty-eight (48) possibly weak keys.

Reject each of the following keys from the key generation function (each line is 64 bits in hexadecimal, which is a 56 bit key along with 8 bits of parity):

01010101 01010101
FEFEFEFE FEFEFEFE
E0E0E0E0 F1F1F1F1
1F1F1F1F 0E0E0E0E
011F011F 010E010E
1F011F01 0E010E01
01E001E0 01F101F1
E001E001 F101F101
01FE01FE 01FE01FE
FE01FE01 FE01FE01
1FE01FE0 0EF10EF1
E01FE01F F10EF10E
1FFE1FFE 0EFE0EFE
FE1FFE1F FE0EFE0E
E0FEE0FE F1FEF1FE
FEE0FEE0 FEF1FEF1
01011F1F 01010E0E
1F1F0101 0E0E0101
E0E01F1F F1F10E0E
0101E0E0 0101F1F1
1F1FE0E0 0E0EF1F1
E0E0FEFE F1F1FEFE
0101FEFE 0101FEFE
1F1FFEFE 0E0EFEFE
E0FE011F F1FE010E
011F1F01 010E0E01
1FE001FE 0EF101FE
E0FE1F01 F1FE0E01
011FE0FE 010EF1FE
1FE0E01F 0EF1F10E
E0FEFEE0 F1FEFEF1
011FFEE0 010EFEF1
1FE0FE01 0EF1FE01
FE0101FE FE0101FE
01E01FFE 01F10EFE
1FFE01E0 0EFE01F1
FE011FE0 FE010EF1
FE01E01F FE01F10E
1FFEE001 0EFEF101
FE1F01E0 FE0E01F1
01E0E001 01F1F101
1FFEFE1F 0EFEFE0E
FE1FE001 FE0EF101
01E0FE1F 01F1FE0E
E00101E0 F10101F1
FE1F1FFE FE0E0EFE
01FE1FE0 01FE0EF1
E0011FFE F1010EFE
FEE0011F FEF1010E
01FEE01F 01FEF10E
E001FE1F F101FE0E
FEE01F01 FEF10E01
01FEFE01 01FEFE01
E01F01FE F10E01FE
FEE0E0FE FEF1F1FE
1F01011F 0E01010E
E01F1FE0 F10E0EF1
FEFE0101 FEFE0101
1F01E0FE 0E01F1FE
E01FFE01 F10EFE01
FEFE1F1F FEFE0E0E
1F01FEE0 0E01FEF1
E0E00101 F1F10101
FEFEE0E0 FEFEF1F1
  • Single key DES is prohibited.
  • Two-key TDEA is prohibited, except for legacy use (as defined in SP 800-131A rev 2).
  • Three-key TDEA must use three unique keys (SP 800-67 rev 2 Section 3.1) in the tuple of keys which is called a 'key bundle'.
  • Limit of 2^20 (1,048,576) blocks (64 bits/block or 8,388,608 bytes total) for a key bundle (SP 800-67 rev 2 Section 3.4).
For three-key TDEA key wrapping:
  • Deprecation Date: ALREADY DEPRECATED
  • Sunset Date: 2023-12-31
For three-key TDEA key unwrapping:
  • LEGACY USE
For three-key TDEA Deterministic Random Bit Generation (DRBG) using CTR_DRBG:
  • Deprecation Date: ALREADY DEPRECATED
  • Sunset Date: 2023-12-31

DES brute force timeline
1976 Whitfield Diffie,
Martin Hellman,
and other renowned cryptographers
Estimated cost of $20,000,000 to build a machine to crack DES
1998 EFF ASICs Under $250,000 was spent to crack a message in 56 hours
2006 COPACOBANA in FPGA $10,000 in hardware breaks DES in 9 days (and further optimized to 6.4 days) on average
2016 hashcat on GPU $1,000 commercial off the shelf (COTS) GPU cracks DES in 15 days on average, thus under $20,000 can recover a DES key in less than a day on average


References
NIST SP 800-131A Revision 2March 2019https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
NIST SP 800-67 Revision 2November 2017https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-67r2.pdf

Topics

© 2021 PriVerify Corp. All Rights Reserved.