
I know this question seems too general, not specific. Our professor asked this question today, and I have no idea how to answer it.

Maybe it's the key size, maybe another thing? Any idea?


1 Answer


According to Introduction to Modern Cryptography by Katz and Lindell, in the section titled "Security of DES" on page 218 of the second edition:

After almost 30 years of intensive study, the best known practical attack on DES is still an exhaustive search through its key space... Unfortunately, the 56-bit key length of DES is short enough that an exhaustive search through all $2^{56}$ possible keys is now feasible.

They go on to say (a few paragraphs down):

The insecurity of DES has nothing to do with its design per se, but rather is due to its short key length... Since DES itself seems not to have significant structural weaknesses, it makes sense to use DES as a building block for constructing block ciphers with longer keys.

So I would say that yes, the main limitation of DES is the key size.

That book goes on to state the secondary cause for concern as the short block length of 64 bits.

  • Incredibly, this seems to be related to a hardware limitation at the time -- and the NSA's desire to fit the key on a single chip: en.wikipedia.org/wiki/… Commented Feb 28, 2018 at 17:11
  • The key length issue can be solved by using 3DES instead (with 168-bit keys), but that won't heal the block size issue. Commented Feb 28, 2018 at 22:56
  • @PaŭloEbermann: Could the block size issue be resolved by using a modified 3DES that performs the first DES operation on a pair of blocks, swaps some data between them, and then performs the second on each block, again swaps some more data between them, and finally does the last DES step on each block? If DES diffuses bits effectively, as seems to be the case, any bit in the original should have an independent 50% chance of affecting any bit in the output. Commented Feb 28, 2018 at 23:45
  • @supercat Maybe ... this is basically building a new block cipher out of a smaller one. I don't know how one would analyze the security of that one. Anyways, AES is faster than that and likely at least as secure. Commented Mar 1, 2018 at 0:15
  • All specifications are designed around a minimally viable VLSI implementation. DES was no different. Commented Mar 1, 2018 at 15:23
