The Data Encryption Standard (DES) encrypts data in 64-bit blocks using a 56-bit key. The algorithm takes the input through a series of transformations: an initial permutation; sixteen rounds of a complex function, which involves both permutation and substitution operations and depends on a round subkey derived from the key; a simple permutation that swaps the two 32-bit halves of the data; and a final permutation that is the inverse of the initial permutation. Because of this Feistel structure, decryption uses exactly the same steps with the round subkeys applied in reverse order. Five “modes of operation” have been defined to apply DES (or any block cipher) to a variety of applications: electronic codebook (ECB), cipher block chaining (CBC), cipher feedback (CFB), output feedback (OFB), and counter (CTR) (Cryptography Concepts, 2005).

Triple DES (3DES) involves applying the DES algorithm three times to each block of plaintext, using two or three different keys to produce the ciphertext. As Moskowitz puts it in “DES is dead. Long live … well, um, what?”: “First it encrypts, then it decrypts, and finally it encrypts again” (Moskowitz, 1999); that is, C = E_K3(D_K2(E_K1(P))), the “EDE” form, with two-key 3DES setting K3 = K1. 3DES came into use because it is highly resistant to cryptanalysis and serves as an alternative that adds security against DES’s vulnerability to brute-force attack: the 56-bit DES key can be exhausted by a search, whereas two-key 3DES has 112 bits of key material and three-key 3DES 168 bits (meet-in-the-middle attacks reduce the effective strength of three-key 3DES to about 112 bits, which is still far beyond brute force). Triple DES has been adopted for use in the ANSI X9.17 and ISO 8732 key management standards, along with a number of Internet-based applications such as PGP and S/MIME (AES, Ciphers, and Confidentiality, 2005). The image below shows the triple encryption process, with the middle stage being a decryption rather than an encryption. There is no cryptographic significance to this choice; it does not make 3DES more secure. Its advantage is backward compatibility: with K1 = K2 = K3, the middle decryption undoes the first encryption and 3DES reduces to a single DES encryption, so 3DES implementations can still interoperate with legacy single-DES systems. Two caveats for practitioners: the block size stays at 64 bits, so in CBC mode ciphertext blocks start to collide after roughly 2^32 blocks (about 32 GB) under one key, and NIST has since deprecated 3DES (SP 800-131A Rev. 2) in favour of AES.
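As an added example (not code from the original text or from either cited source), the following Python models the structure described in the two paragraphs above: a 64-bit, 16-round Feistel network whose round function takes a per-round subkey, the final swap of halves, the EDE triple-encryption construction, and the ECB and CBC modes. It is not DES: the round function and key schedule are stand-ins built on SHA-256 rather than DES’s expansion, S-boxes and permutation tables, and the initial and inverse permutations are omitted because they add no cryptographic strength. What carries over is the structure: decryption is the same network with the subkeys reversed, EDE with K1 = K2 = K3 collapses to a single encryption, and ECB exposes repeated plaintext blocks where CBC does not. All keys and plaintexts in the block are constructed sample input.

```python
import hashlib

BLOCK = 8      # 64-bit block, as in DES
HALF = BLOCK // 2
ROUNDS = 16    # DES also runs 16 rounds


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(key: bytes) -> list:
    # Key-schedule stand-in: DES rotates and permutes 56 key bits; here each 32-bit round key is a hash.
    return [hashlib.sha256(b"round" + bytes([i]) + key).digest()[:HALF] for i in range(ROUNDS)]


def _f(right: bytes, subkey: bytes) -> bytes:
    # Round-function stand-in: DES uses expansion, eight S-boxes and a permutation; here SHA-256.
    return hashlib.sha256(subkey + right).digest()[:HALF]


def _feistel(block: bytes, subkeys: list) -> bytes:
    """Feistel network: L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, K_i) for 16 rounds, then swap halves.
    DES wraps this in an initial permutation and its inverse, omitted here (they add no strength)."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly 8 bytes")
    left, right = block[:HALF], block[HALF:]
    for k in subkeys:
        left, right = right, _xor(left, _f(right, k))
    return right + left      # final swap; the same network with reversed subkeys inverts this


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(block, _subkeys(key))


def decrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(block, _subkeys(key)[::-1])   # same structure, subkeys in reverse order


# Triple encryption in EDE form: C = E_K3(D_K2(E_K1(P))); two-key 3DES sets K3 = K1.
def ede_encrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    return encrypt_block(k3, decrypt_block(k2, encrypt_block(k1, block)))


def ede_decrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    return decrypt_block(k1, encrypt_block(k2, decrypt_block(k3, block)))


# Two of the five modes. Input must be a whole number of blocks (no padding is done here).
def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(encrypt_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))   # C_i = E(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(_xor(decrypt_block(key, c), prev))               # P_i = D(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)


def distinct_blocks(ciphertext: bytes) -> int:
    """Number of different 8-byte blocks; equal plaintext blocks give equal ECB ciphertext blocks."""
    return len({ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)})


if __name__ == "__main__":
    key, plain = b"8bytekey", b"ABCDEFGH"                 # constructed sample key and block
    print(decrypt_block(key, encrypt_block(key, plain)) == plain)
    print(ede_encrypt(key, key, key, plain) == encrypt_block(key, plain))   # K1 = K2 = K3 acts as single encryption
    repeated = b"SAMEBLK!" * 4                           # constructed: four identical plaintext blocks
    print(distinct_blocks(ecb_encrypt(key, repeated)), distinct_blocks(cbc_encrypt(key, bytes(BLOCK), repeated)))
```

The ECB result (one distinct ciphertext block for four identical plaintext blocks) is exactly the pattern leak that makes ECB unsuitable for anything but single-block or random data; CBC hides it only as long as the IV is unpredictable and the 64-bit block birthday bound is respected.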

A key distribution center (KDC) shares a secret key, called a master key, with each party in the network. The KDC is responsible for generating keys to be used for a short period of time in a connection between two parties, known as session keys, and for distributing those keys using the master keys to protect the distribution. When A wishes to establish a logical connection with B, the following steps occur (Ka and Kb are the master keys the KDC shares with A and B):

1. A issues a request to the KDC for a session key to protect a logical connection to B. The message includes the identity of A and B and a unique identifier for this transaction, N1, referred to as a nonce. The nonce may be a timestamp, a counter, or a random number; the minimum requirement is that it differs with each request, so that the KDC’s response can be tied to this request and not be a replay of an earlier one.

2. The KDC responds with a message encrypted under Ka. Therefore, only A can read the message, and A knows that it originated from the KDC. The message includes:

• The unique session key, Ks, to be used for the session.

• The original request message, including the nonce, to allow A to match this response to the appropriate request. A can thus verify that its request was not altered before reaching the KDC and, because of the nonce, that this is not a replay of the response to some previous request.

In addition, the message includes two elements destined for B:

• The unique session key, Ks.

• An identifier of A, IDA.

These are encrypted with the master key that the KDC shares with B, Kb. They are forwarded by A to B to establish the connection and to prove the identity of A.

3. A stores the session key for use in the upcoming session and forwards to B the information that originated at the KDC for B, namely the block encrypted under Kb. Because it is encrypted with Kb, this information is protected against eavesdropping, and A itself can neither read nor alter it. B now knows the session key, knows that the other party is A (from IDA), and knows that the information originated at the KDC (because it is encrypted with Kb).

4. Using the newly minted session key Ks for encryption, B sends a nonce, N2, to A.

5. Also using Ks, A responds with f(N2), where f is a function that performs some transformation on N2 (for example, adding one). These last two steps assure B that the message it received in step 3 was not a replay, since only a party holding the fresh Ks could have answered the challenge (Stallings, 2003, pp. 214-15).
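The five steps above, as an added example that is not part of the original text or of Stallings: a Python model of the exchange with the KDC, A and B as separate objects, each holding only the keys it is entitled to. The encryption is a stand-in for the DES/3DES the text assumes, an encrypt-then-MAC construction on HMAC-SHA256 (the `seal`/`unseal` helpers), and messages are encoded as JSON; the party names, the field names and the choice f(N2) = N2 + 1 are assumptions made for this example. The second function shows what the echoed nonce N1 is for: a genuine KDC reply captured earlier and replayed to A fails A’s check in step 3.

```python
import hashlib
import hmac
import json
import secrets


# Stand-in symmetric cipher (NOT DES/3DES): encrypt-then-MAC built from HMAC-SHA256.
def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """E_key[plaintext]: random nonce || keystream-XORed plaintext || HMAC tag."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal; raises if the tag does not verify (wrong key or tampering)."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("message rejected: authentication tag does not verify")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


def pack(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()


def unpack(data: bytes):
    return json.loads(data.decode())


class KDC:
    """Holds the master key shared with each party and mints session keys."""
    def __init__(self, master_keys: dict):
        self.master_keys = master_keys          # {party id: master key}

    def issue(self, request: dict) -> bytes:
        # Step 2: E_Ka[Ks || request || E_Kb[Ks || IDA]]
        ka, kb = self.master_keys[request["ida"]], self.master_keys[request["idb"]]
        ks = secrets.token_bytes(16)
        ticket_for_b = seal(kb, pack({"ks": ks.hex(), "ida": request["ida"]}))
        return seal(ka, pack({"ks": ks.hex(), "request": request, "ticket": ticket_for_b.hex()}))


class Party:
    def __init__(self, ident: str, master_key: bytes):
        self.id, self.master_key = ident, master_key
        self.pending = self.ks = self.peer = self.n2 = None

    def request_session(self, peer_id: str) -> dict:
        # Step 1: IDA || IDB || N1, sent in the clear
        self.pending = {"ida": self.id, "idb": peer_id, "n1": secrets.token_bytes(8).hex()}
        return self.pending

    def accept_kdc_reply(self, blob: bytes) -> bytes:
        # Step 3: only Ka opens this; the echoed request (with N1) must match what we sent
        reply = unpack(unseal(self.master_key, blob))
        if reply["request"] != self.pending:
            raise ValueError("KDC reply does not match my outstanding request (replay or tampering)")
        self.ks = bytes.fromhex(reply["ks"])
        return bytes.fromhex(reply["ticket"])        # forwarded to B unchanged; A cannot read it

    def accept_ticket(self, ticket: bytes) -> bytes:
        # Step 4: only Kb opens the ticket, so it came from the KDC; challenge A with N2 under Ks
        info = unpack(unseal(self.master_key, ticket))
        self.ks, self.peer = bytes.fromhex(info["ks"]), info["ida"]
        self.n2 = secrets.randbits(64)
        return seal(self.ks, pack({"n2": self.n2}))

    def answer_challenge(self, blob: bytes) -> bytes:
        # Step 5: prove possession of Ks by returning f(N2) = N2 + 1 under Ks
        n2 = unpack(unseal(self.ks, blob))["n2"]
        return seal(self.ks, pack({"f_n2": n2 + 1}))

    def verify_answer(self, blob: bytes) -> bool:
        return unpack(unseal(self.ks, blob))["f_n2"] == self.n2 + 1


def run_exchange():
    """Full five-step run; returns (A and B hold the same Ks, whom B believes it talks to, B's check of f(N2))."""
    kdc = KDC({"A": secrets.token_bytes(16), "B": secrets.token_bytes(16)})
    a, b = Party("A", kdc.master_keys["A"]), Party("B", kdc.master_keys["B"])
    request = a.request_session("B")             # 1. A   -> KDC
    reply = kdc.issue(request)                   # 2. KDC -> A
    ticket = a.accept_kdc_reply(reply)           # 3. A   -> B
    challenge = b.accept_ticket(ticket)          # 4. B   -> A
    answer = a.answer_challenge(challenge)       # 5. A   -> B
    return a.ks == b.ks, b.peer, b.verify_answer(answer)


def stale_reply_is_rejected() -> bool:
    """Why N1 is echoed: a KDC reply captured for an earlier request fails A's check in step 3."""
    kdc = KDC({"A": secrets.token_bytes(16), "B": secrets.token_bytes(16)})
    a = Party("A", kdc.master_keys["A"])
    old_reply = kdc.issue(a.request_session("B"))   # genuine reply to an earlier request
    a.request_session("B")                          # new request, hence a new N1
    try:
        a.accept_kdc_reply(old_reply)               # an attacker replays the old reply
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_exchange(), stale_reply_is_rejected())
```

Note where each key lives: A never sees Kb and B never sees Ka, and neither party can forge the other’s ticket; the only thing A can do with the block destined for B is forward it. The replay check in step 3 is what distinguishes a fresh session key from one an attacker dug out of an old capture.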

In conclusion, the above explains how DES works, why 3DES replaced it, why the middle stage of 3DES is a decryption rather than an encryption, and what a nonce and a key distribution center are.

Cited works

Moskowitz, Robert. (1999). DES is dead. Long live … well, um, what? Network Computing, 10(6). Retrieved October 22, 2005, from the EBSCOhost Research Database at http://web10.epnet.com

Stallings, William. (2003). Cryptography and Network Security: Principles and Practice. New Jersey: Pearson Education, Inc.
