AES: How to Keep Secure Data Private

DES kept corporate and government data safe for years, but more powerful hardware made it look weak and obsolete. Its replacement, AES, provides better encryption, but you have to know how to keep from weakening your own security.

Though its a hot topic now, the need to encrypt data stored on tapes and hard drives, or transmitted across a network, is far from new.

DES (data encryption standard), the most widely used encryption algorithm in the world, for example, is more than 28 years old.

DES became the bedrock of government cryptology until, in October 2000, it was replaced by the AES (advanced encryption standard), an algorithm much harder to break even with the hardware that advanced enough over the course of nearly three decades, to finally crack DES.

Here well take a look at the migration from DES to AES, especially how DES was supplanted by an algorithm called Rijndael.

DES: The first steps

On May 15, 1973, the NBS (National Bureau of Standards), looking for a cryptographic algorithm strong enough to protect data during transmission and storage, published a notice in the Federal Register asking for proposals from individuals or corporations.

The eventual leader of the ensuing competition was an algorithm developed at IBM that carried the code-name LUCIFER.

After evaluating the algorithm with the "guidance" of the NSA (National Security Agency), the NBS adopted a modification of the LUCIFER algorithm as the new DES on July 15, 1977.

This led to the creation of FIPS 46 (Federal Information Processing Standard) (since updated to FIPS 46-3), which describes the use of DES and the current DES 3 standard.

Not surprisingly, the banking industry became the largest user of encryption outside government.

All of the EFTs (electronic funds transfers) and ATMs (automated teller machines) that use ordinary telephone lines to conduct their business must encrypt the financial data for a semblance of security.

Standards for the wholesale banking industry were set by the ANSI (American National Standards Institute). ANSI X3.92, adopted in 1980, specified the use of the DES algorithm. ATMs use it routinely even today.

How DES works: The gory details

DES works by encrypting groups of 64 message bits, which is the same as 16 hexadecimal numbers. To do the encryption, DES uses "keys" that are notationally 16 hexadecimal numbers long which equals 64 bits.

However, for some reason (possibly due to the "guidance" given to the NBS by NSA) every 8th key bit is ignored in the DES algorithm. This makes the true key size 56 bits.

The resistance to a "forced" or "brute" attack of a encoding system is directly related to its keyspace; or how many possible keys there are to the system.

The more bits used, the more keys are possible. More keys means it takes longer to compute the entire range of possible keys of the keyspace in a forced attack.

Cut eight bits off the top and you reduce the keyspace significantly, making the system easier to crack.

DES is a block cipher, meaning it operates on plain text blocks of a given size (nominally 64 bits) and returns ciphertext blocks of the same size.

So, DES results in a permutation among the 2 to the 64th power possible arrangements of 64 bits, each of which may be either 0 or 1.

Each block of 64 bits is divided into two blocks of 32 bits each, a left half block L and a right half R.

The DES algorithm uses the following steps, which were well-explained by J. Orlin Grabbe in his article The DES Algorithm Illustrated (Laissez Faire City Times, Vol 2, No. 28).

Next page: Heres how it works