E.3 DES, Triple-DES, and AES



This appendix does not detail the block ciphers DES, Triple-DES, and AES. The reader can find information on these subjects in the cryptographic literature [5] and in the AES draft [3]. This presentation discusses the shortcomings of DES, its evolution to Triple-DES, and finally their replacement by the AES. Furthermore, the use of the DES and Triple-DES algorithms for symmetric encryption is presented in the ECB and CBC modes, as they are actually used in EMV™ implementations [2].

DES is the most used block cipher and is, in fact, the de facto standard for symmetric encryption worldwide. Despite many years of research, no method has been published that breaks a DES-encrypted message substantially faster than exhaustive key search, which consists of trying all the $2^{56}$ different keys on a plaintext block/ciphertext block pair that is known to the attacker. Theoretical attacks were proposed that break DES using a significantly smaller number of encryption operations than $2^{56}$, but these required supplementary conditions that are not realizable in practice. For example, the differential cryptanalysis attack requires that the legitimate entity perform a huge number of operations for the attacker, providing $2^{43}$ plaintext/ciphertext pairs. In the majority of applications, however, DES keys would not be used for such an intensive operation during their entire lifetime. This theoretical threat is the reason why the design of payment systems recommends the use of session keys, which are used only a few times during one single session.

Nevertheless, DES is no longer considered sufficiently secure. In 1997 a DES key was successfully retrieved by a network of computers cooperating over the Internet after a search of approximately 4 months. However, using special-purpose hardware, like the machine built in 1998 for a price of $130,000, the expected search time decreases to 112 hours [6].

Multiple encryption can counter the threat of brute-force attacks on the 56-bit key of DES. The practice of encrypting twice under different DES keys, however, was not resistant to a man-in-the-middle attack. This fact established the encryption-decryption-encryption (E-D-E) Triple-DES with a double-length key, simply referred to as Triple-DES, as the effective way of increasing the resistance against exhaustive key search from $2^{56}$ to $2^{112}$. In this case the key $K$ consists of two (single-length) DES keys, often called the left key $K_L$ and the right key $K_R$, such that $K = K_L\,K_R$. The cryptogram is computed as $C_i = \mathrm{DES}(K_L)[\mathrm{DES}^{-1}(K_R)[\mathrm{DES}(K_L)[P_i]]]$. The plaintext block is computed from the ciphertext block as $P_i = \mathrm{DES}^{-1}(K_L)[\mathrm{DES}(K_R)[\mathrm{DES}^{-1}(K_L)[C_i]]]$. It is not known, however, whether there are weaknesses in using Triple-DES, which leads security experts to the conclusion that it is better to have a block cipher that is designed from the beginning with the goal of larger keys.

With both DES and Triple-DES the block size remains 64 bits. As explained in Section E.2, this means that in the CBC mode, after $2^{32}$ DES operations, one can find with a good probability two identical cryptograms, which can lead to plaintext leakage.

The AES block cipher [3] addresses both the key size and the block size problems at a reasonable level of performance compared to Triple-DES. Thus, with a key of 128 bits, which is the smallest accepted by the cipher, the number of operations that have to be performed for exhaustive key search amounts to the astronomical figure of $2^{128}$, which is foreseen to be protective at least for the next 20 years. The block size was increased to 128 bits, which raises to $2^{64}$ the number of CBC operations after which two cryptograms match, which is again considered highly secure. It is expected that systems relying on Triple-DES for symmetric encryption will gradually migrate to AES.

For the purpose of this book, however, only the DES and Triple-DES will be considered, since the majority of the standards describing payment systems, like EMV™, CEPS, and SET, have not yet been updated to AES.

The specific use of DES and Triple-DES in the ECB and CBC modes will be considered according to the EMV™ standard [2]. Thus, the encryption algorithm $E$ is either DES or Triple-DES.

The padding is performed according to the following rules:

  1. If the initial message $M$ has a byte-length that is not a multiple of 8 bytes (64 bits), perform padding. Add in the rightmost position of $M$ the byte 80h, followed by the smallest number of bytes 00h such that the length of the padded message $M'$ = $M$ 80 00 … 00 is a multiple of 8 bytes.

  2. If the initial message $M$ has a byte-length that is a multiple of 8 bytes, two cases can be distinguished, depending on predefined rules adopted in the design. Either the padding is not performed and the message $M'$ equals the initial message $M$, or the message $M$ is padded with a block of 8 bytes, 80 00 … 00, in the rightmost position in order to obtain $M'$.

After the padding is performed, the message $M'$ is divided into $t$ blocks, $P_i$, $i = 1, \ldots, t$, which can be submitted to the cryptogram computation algorithm. This algorithm uses a session key $K_S$ of 8 bytes (see Section E.5) if $E$ is DES, or a key $K_S = K_{SL}\,K_{SR}$ of 16 bytes if $E$ is Triple-DES.

In the ECB mode, each plaintext block $P_i$ of 8 bytes is encrypted, independently of the other blocks that form the message, into a cryptogram of 8 bytes, $C_i = E(K_S)[P_i]$, $i = 1, \ldots, t$. The decryption is also carried out independently and is described by the relation $P_i = E^{-1}(K_S)[C_i]$, $i = 1, \ldots, t$.

In the CBC mode, each ciphertext block of 8 bytes is computed as $C_i = E(K_S)[P_i \oplus C_{i-1}]$, $i = 1, \ldots, t$. The initial vector IV is equal to $C_0$ = '00' '00' '00' '00' '00' '00' '00' '00'. The decryption process is described by the formula $P_i = E^{-1}(K_S)[C_i] \oplus C_{i-1}$, $i = 1, \ldots, t$, where the initial vector IV is equal to $C_0$ = '00' '00' '00' '00' '00' '00' '00' '00'.
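
The padding rules and the E-D-E, ECB and CBC relations above, written out as an added example that is not taken from the book or from the EMV specification. Python's standard library has no DES, so a toy 8-byte Feistel cipher (toy_cipher, an assumption made here, not DES and not secure) stands in for DES and its inverse; every function name is illustrative.

```python
import hashlib

BLOCK = 8  # DES and Triple-DES both use 64-bit (8-byte) blocks

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_cipher(key, block, decrypt=False):
    # Stand-in for DES / DES^-1: a 16-round Feistel network on 8 bytes.
    # Assumption for illustration only; it is NOT DES and not secure.
    left, right = block[:4], block[4:]
    rounds = range(15, -1, -1) if decrypt else range(16)
    for r in rounds:
        f = hashlib.sha256(key + bytes([r]) + right).digest()[:4]
        left, right = right, xor(left, f)
    return right + left

def ede_encrypt(kl, kr, p):   # C_i = E(K_L)[E^-1(K_R)[E(K_L)[P_i]]]
    return toy_cipher(kl, toy_cipher(kr, toy_cipher(kl, p), True))

def ede_decrypt(kl, kr, c):   # P_i = E^-1(K_L)[E(K_R)[E^-1(K_L)[C_i]]]
    return toy_cipher(kl, toy_cipher(kr, toy_cipher(kl, c, True)), True)

def pad(m, always=False):
    # Rule 2, first variant: an aligned message is left as it is.
    if len(m) % BLOCK == 0 and not always:
        return m
    m += b"\x80"                       # rule 1 / rule 2, second variant
    return m + b"\x00" * (-len(m) % BLOCK)

def blocks(m):
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]

def ecb_encrypt(enc, m):               # C_i = E(K_S)[P_i]
    return b"".join(enc(p) for p in blocks(m))

def cbc_encrypt(enc, m):               # C_i = E(K_S)[P_i XOR C_{i-1}], C_0 = 0
    prev, out = bytes(BLOCK), []
    for p in blocks(m):
        prev = enc(xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(dec, c):               # P_i = E^-1(K_S)[C_i] XOR C_{i-1}
    prev, out = bytes(BLOCK), []
    for ci in blocks(c):
        out.append(xor(dec(ci), prev))
        prev = ci
    return b"".join(out)
```

Passing a message with two identical 8-byte blocks through both modes shows equal cryptograms under ECB and different ones under CBC, while the all-zero IV makes the first CBC cryptogram equal to the first ECB cryptogram. Setting both key halves to the same value collapses E-D-E to a single encryption.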




Implementing Electronic Card Payment Systems (Artech House Computer Security Series)
ISBN: 1580533051
Year: 2003
Pages: 131
Authors: Cristian Radu
