Secret-Key Encryption


Secret-key encryption is easy to understand, and it has a long history: thousands of years' worth, in fact. Thomas Jefferson, the ancient Egyptians, and the Axis powers of World War II all invented militarily significant cryptosystems based on secret-key principles. The basic principle, of course, is that each pair of recipients (call them Alice and Bob) must have a shared key that they use to encrypt messages to each other. As long as that key remains secret, their messages will, too. Of course, if an attacker learns the key, he or she can read all message traffic between Alice and Bob, so the process of distributing and sharing secret keys becomes a large potential vulnerability.

Note  

Secret-key encryption is sometimes called symmetric-key encryption, because sender and recipient both use the same key. Symmetric-key systems are different from asymmetric-key systems, which we discuss later in this chapter.

How Secret-Key Encryption Works

The algorithms used for secret-key encryption of stored data (like messages) are generically known as block ciphers because they take blocks of data and apply the key to them. If Alice and Bob want to exchange encrypted messages, they must first generate and share a secret key that only they know, then use that key with the secret-key algorithm of their choice. Figure 2-1 shows this process: Alice's original plaintext message, "We attack at dawn," is encrypted with a secret key. Bob can decrypt the resulting ciphertext by using the same algorithm and key.

Note  

Block ciphers have a counterpart: stream ciphers, which are used to encrypt streams of data. Because they have very little relevance to messaging applications, I do not discuss them further.

Figure 2-1: Encrypting data with a block cipher produces a ciphertext block.

The main problem with secret-key encryption is that its security depends entirely on the security of the key. If Mallet can steal, overhear, or coerce Alice's key, he can read all of the traffic between Alice and Bob, including messages both previous and future, until Alice and Bob agree on a new key. This weakness is compounded by a slightly more subtle problem: how can Alice and Bob agree on a key in the first place if they don't already have a secure communications channel? If Alice and Bob want to include Charlie and Donna in their communications, they either have to pick new separate keys for each pair (Alice–Bob, Alice–Charlie, and so on) or tell Charlie and Donna what the new key is. For these reasons, secret-key encryption isn't generally useful for messaging security. However, secret-key algorithms can be used in communication protocols like IPSec and Secure Sockets Layer (SSL).

Secret-Key Algorithms

There are a wide variety of secret-key algorithms available, ranging from the highly secure to snake oil solutions created by a variety of unskilled cryptographers. Because anyone can make up an encryption algorithm, it's not surprising that the most popular algorithms in current use are the ones that have undergone the most professional and public scrutiny.

The Data Encryption Standard and Triple-DES Algorithms

The Data Encryption Standard (DES) actually specifies an algorithm called the Data Encryption Algorithm (DEA). However, no one calls the algorithm anything other than DES. The DES algorithm has a long and venerable history; it was originally developed by the National Bureau of Standards (now known as the National Institute of Standards and Technology [NIST]), with a significant amount of help from the National Security Agency. The DES algorithm was approved as a federal standard in 1976, and it has been in widespread use ever since. Banks use DES extensively, as do a large number of sensitive, but unclassified, government systems.

The original DES algorithm used a 64-bit key, of which 8 bits were used for parity, giving DES an effective key length of 56 bits. Because 56-bit keys are now generally considered vulnerable to brute force searches, current practice is to use a variant implementation of DES called triple-DES (3DES). In ordinary DES, a key (K) is used to encrypt plaintext (P), producing ciphertext (C). If the recipient of the data has C and K, he or she can decrypt it. In 3DES, there are three keys: K1, K2, and K3. To encrypt data using 3DES in its most common mode, it's encrypted with K1, decrypted with K2, and encrypted again with K3. This effectively makes the key size of 3DES a respectable 112 bits. Standard DES is no longer approved for government use, which means other security-minded customers aren't using it either. Instead, 3DES is the standard, although it's still commonly called DES. DES/3DES has to be recertified every five years by NIST, and it is likely that in 2004, it will be decertified and replaced by the Advanced Encryption Standard (AES).
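The parity-bit and encrypt-decrypt-encrypt claims above can be checked with Go's standard crypto/des package; this is an added example, not code from the book, and the keys, block, and function names are constructed for illustration. It also shows a configuration caveat: if K1, K2, and K3 are all the same key, 3DES collapses to single DES and gives only 56-bit strength.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// Constructed sample values. k1NoParity is k1 with each byte's low (parity) bit cleared.
var k1 = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}
var k1NoParity = []byte{0x00, 0x22, 0x44, 0x66, 0x88, 0xAA, 0xCC, 0xEE}
var k2 = []byte{0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01}
var k3 = []byte{0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23}
var block = []byte("We attac") // first 8-byte block of the sample message

// blockOp runs one 8-byte block through DES (8-byte key) or library 3DES
// (24-byte key), decrypting when dec is true.
func blockOp(key, in []byte, dec bool) []byte {
	newCipher := des.NewCipher
	if len(key) == 24 {
		newCipher = des.NewTripleDESCipher
	}
	c, err := newCipher(key)
	if err != nil {
		panic(err) // wrong key length
	}
	out := make([]byte, des.BlockSize)
	if dec {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}

// ManualEDE builds 3DES by hand: encrypt with K1, decrypt with K2, encrypt with K3.
func ManualEDE(a, b, c, p []byte) []byte {
	return blockOp(c, blockOp(b, blockOp(a, p, false), true), false)
}

// LibraryEDE asks crypto/des for 3DES under the 24-byte key K1||K2||K3.
func LibraryEDE(a, b, c, p []byte) []byte {
	return blockOp(bytes.Join([][]byte{a, b, c}, nil), p, false)
}

func main() {
	fmt.Println("parity bits ignored:", bytes.Equal(blockOp(k1, block, false), blockOp(k1NoParity, block, false)))
	fmt.Println("manual EDE == library 3DES:", bytes.Equal(ManualEDE(k1, k2, k3, block), LibraryEDE(k1, k2, k3, block)))
	fmt.Println("K1=K2=K3 is single DES:", bytes.Equal(ManualEDE(k1, k1, k1, block), blockOp(k1, block, false)))
}
```

When auditing a 3DES deployment, checking that the three 8-byte key parts are distinct is as important as checking the total key length.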

The Advanced Encryption Standard

In 1997, NIST announced a competition to find an algorithm to be used as the AES, which will replace DES as the government-certified algorithm of choice for unclassified applications. DES is perceived to be weak (and getting weaker) compared with the advances in computing power and cryptanalysis fielded over the last 10 or 15 years. Accordingly, NIST began hunting for a replacement. In December 2001, NIST released Federal Information Processing Standard (FIPS) 197, which approved the use of AES in place of DES. What we now call AES is more properly known as the Rijndael cipher, developed by Belgian cryptographers Joan Daemen and Vincent Rijmen. NIST has an interesting AES page at http://csrc.nist.gov/CryptoToolkit/aes/ that explains the history and deployment timeline of AES.

As it turns out, AES is now the algorithm of choice for any U.S. government agency that buys products that incorporate cryptography; Microsoft Windows 2000 does not support AES; Windows XP Service Pack 1 and later and Windows Server 2003 do.

The RCn Algorithms

The RC2, RC4, RC5, and RC6 algorithms all spring from the fertile mind of Ron Rivest, a legendary cryptographer and coinventor of the RSA public-key algorithm. All were designed as drop-in replacements for DES, so they can accept key sizes in the same range as DES. RC2 is a block cipher; RC4 is a stream cipher with similar properties to RC2, but optimized for use with streams of data. For a number of years, the RSA Data Security BSAFE toolkit was the only way you could legally use these algorithms, and as a result, it quickly became the most widely used cryptographic library. RC2 and RC4 are still in widespread use; in fact, the default algorithm used by the SSL protocol is RC4. RC5 can be used with IPSec, and RC6 was one of the candidates for the AES competition (although it didn't win).

Other Algorithms

There are several other well-known cryptographic algorithms that you might run into, particularly if you're evaluating virtual private network (VPN) or network security appliances to use in conjunction with Exchange:

  • The International Data Encryption Algorithm (IDEA) first came to fame as the symmetric algorithm used in Phil Zimmermann's Pretty Good Privacy (PGP) software. Commercial and freeware versions of PGP still use 128-bit IDEA; however, adoption of IDEA has been relatively slow in the United States, so it's pretty rare outside of PGP installations.

  • The CAST-128 algorithm, codeveloped by Carlisle Adams and Stafford Tavares, was widely used as the core of Entrust's line of cryptographic products. As you might guess, CAST-128 has a maximum key size of 128 bits; it can also be dekeyed to use 40- or 56-bit keys. A variant, CAST-256, extends the key size range up to 256 bits, making CAST quite useful for high-security applications. Internet Request for Comments (RFC) 2144 describes the CAST-128 algorithm in detail.

  • Blowfish and Twofish, both invented by Bruce Schneier, are fast, free, strong ciphers. Blowfish can use up to a 448-bit key, whereas Twofish (another losing entrant in the AES competition) uses up to 256-bit keys. Blowfish is common; because it's free, it's used in the popular Secure Shell (SSH) package and is one of the supported algorithms for IPSec.

    Note  

    Government agencies are only supposed to buy software that meets FIPS standards, so the approval of AES means that when DES is eventually decertified, AES-capable products will be required. Interestingly, even though Windows XP and Windows Server 2003 normally use AES for the Encrypting File System (EFS), if you turn on the Group Policy setting that enforces FIPS compliance, EFS has to fall back to using 3DES instead, because that's what FIPS 140 currently requires.

Key Length and Work Factor

Each type of symmetric cipher accepts a fixed-length block of data as its key; the key size is expressed as a number of bits. Modern cryptographic algorithms support a wide range of key lengths, from the easy-to-break (RC2 with a 40-bit key) to the strong (3DES with a 112-bit key) to the extremely strong (2048-bit RSA or AES/Rijndael with a 256-bit key). Although it's tempting to assume that longer keys mean better security, this is not always necessarily the case. Brute force attacks, which depend on an attacker repetitively trying every possible key, are indeed much easier against shorter keys. Each bit of added key length doubles the number of possible keys, so a 56-bit key has 2^16 times more keyspace than a 40-bit key does.

Key length isn't the only important factor in algorithm choice, however. It's generally more useful to examine the work factor associated with different algorithms: the bigger the work factor, the harder it is to attack the algorithm. Longer key lengths generally give better protection against brute force attacks, but there are many other potential attacks, including some that depend on knowing the plaintext or having large amounts of encrypted data to analyze. Different algorithms have different strengths and weaknesses, so a strong algorithm with a shorter key might be as secure as, or more secure than, a weaker algorithm with a longer key. For example, public-key algorithms that depend on large prime numbers, like RSA and Diffie-Hellman, tend to require keys 10 times as long to give the same work factor as strong symmetric algorithms like DES and IDEA, in addition to needing about 1000 times more processing time and power! This doesn't mean that one algorithm is better or worse than another, only that each has particular applications for which it is well-suited.




Secure Messaging with Microsoft Exchange Server 2003
ISBN: 0735619905
EAN: 2147483647
Year: 2004
Pages: 189
