1
00:00:01,070 --> 00:00:08,390
Let's start first with a brief history lesson with a data encryption standard D.S. is a symmetric block

2
00:00:08,390 --> 00:00:10,910
cipher developed by IBM in the 70s.

3
00:00:11,860 --> 00:00:19,580
At that time IBM was an an champion worldwide leader IBM Research would set the trends for all other

4
00:00:19,580 --> 00:00:21,120
competitors in the field.

5
00:00:24,380 --> 00:00:30,470
Did encryption standard encrypt 64 bit blocks of data with eight letters in the ASCII code and a parity

6
00:00:30,470 --> 00:00:33,170
bit using a 56 bit key.

7
00:00:35,120 --> 00:00:44,440
How is this possible after all you probably remember that it was claimed that D.S. used 64 bits.

8
00:00:44,450 --> 00:00:49,160
That's actually true but the remaining 16 bits is an earlier checksum.

9
00:00:51,630 --> 00:00:55,750
The true entropy is 56 bits in this case.

10
00:00:55,890 --> 00:01:00,300
If the key is truly random it has at best fifty six bits of randomness.

11
00:01:01,870 --> 00:01:04,570
56 bits doesn't have quite the same ring to it.

12
00:01:06,220 --> 00:01:10,410
It's always better to claim that you use a longer key.

13
00:01:10,490 --> 00:01:14,000
This is the source of the misconception that it's still popular today.

14
00:01:15,060 --> 00:01:18,690
The data encryption standard never used 64 bit keys.

15
00:01:22,930 --> 00:01:26,090
The encryption process is made of 26 Feistel rounds.

16
00:01:27,350 --> 00:01:28,810
The rounds we mentioned before

17
00:01:31,910 --> 00:01:35,300
and two permutations called the initial and final permutations

18
00:01:37,970 --> 00:01:43,640
the initial and final permutations don't contribute in any way to overall ciphertext security or their

19
00:01:43,640 --> 00:01:46,140
contribution is small and insignificant.

20
00:01:48,530 --> 00:01:51,390
It's unclear why they were brought in in the first place.

21
00:01:52,170 --> 00:01:57,260
It's usually assumed that they were introduced to make the encryption and decryption hardware implemented

22
00:01:59,510 --> 00:02:05,270
the two permutations are cost intensive to an extent hardware is able to go through them at a much faster

23
00:02:05,270 --> 00:02:12,200
rate than software their implementation can be explained simply as a consequence of hardware manufacturers

24
00:02:12,220 --> 00:02:13,790
lobbying.

25
00:02:13,840 --> 00:02:17,790
The permutations don't add to the security of a ciphertext in any way.

26
00:02:22,870 --> 00:02:30,230
In each round a half of the round key 32 bits is expanded to 48 bits.

27
00:02:30,280 --> 00:02:38,070
The result is two pieces 48 bits each one piece is encrypted using the function f and the result of

28
00:02:38,070 --> 00:02:47,280
this operation is combined using the exclusive disjunction DXO our operation with the other half the

29
00:02:47,280 --> 00:02:51,560
function f is above all a substitution permutation box.

30
00:02:52,600 --> 00:02:57,520
This is the S-box you saw earlier one of the eight X-boxes.

31
00:02:57,640 --> 00:03:04,940
Each time a different one is selected to use in a permutation Why are the S-box is structured in this

32
00:03:04,940 --> 00:03:06,980
exact way.

33
00:03:07,030 --> 00:03:11,900
What is the basis and source for the values located in the intersections of individual columns.

34
00:03:13,780 --> 00:03:20,710
Well this is also one of the greatest enigmas of the 20th century cryptography the data encryption standard

35
00:03:20,710 --> 00:03:27,470
was developed in the US where IBM has established some people believe that the specific structure of

36
00:03:27,470 --> 00:03:33,560
the X-boxes has made it possible from the onset for U.S. government agencies to reverse the whole process

37
00:03:33,590 --> 00:03:36,770
at a small cost.

38
00:03:36,770 --> 00:03:43,220
This has been either proved or disproved and still no one knows on what principle the S-box were selected.

39
00:03:48,500 --> 00:03:57,450
Our S-box is a 4 by 16 table the values it contains range from zero to 15 to be able to transpose some

40
00:03:57,460 --> 00:03:58,920
data.

41
00:03:59,000 --> 00:04:01,550
You only need to locate appropriate table cells.

42
00:04:03,640 --> 00:04:07,960
The first and last bits of the encrypted parts of the data are used as row numbers.

43
00:04:08,050 --> 00:04:14,650
The remaining bits are used as column numbers find the coordinates and look up the content of the S-box

44
00:04:16,180 --> 00:04:24,040
and completing all Feistel rounds you have to perform a final permutation just like in the initial permutation.

45
00:04:24,200 --> 00:04:27,770
This permutation does not enhance the security of the ciphertext.

46
00:04:33,110 --> 00:04:38,050
In retrospect it seems that the block used by the D.S. algorithm is too short.

47
00:04:39,250 --> 00:04:44,080
While block length does not always correspond to the ciphertext security blocks that are too short can

48
00:04:44,080 --> 00:04:45,490
prove problematic.

49
00:04:47,230 --> 00:04:52,060
64 bits are not really sufficient.

50
00:04:52,060 --> 00:04:56,420
The key meanwhile is definitely too short we'll discuss later.

51
00:04:56,420 --> 00:05:04,580
The reason why the practical security of a system amounts in fact to have the keys size D.S. was correct.

52
00:05:04,580 --> 00:05:07,010
Using the brute force attack in 1999.

53
00:05:07,040 --> 00:05:16,780
In less than 24 hours this attack was proved and deployed by Electronic Frontier Foundation to build

54
00:05:16,780 --> 00:05:20,110
a machine capable of mounting a successful attack.

55
00:05:20,110 --> 00:05:23,260
The organization made use of distributed member computers

56
00:05:25,930 --> 00:05:34,900
a large Geo cluster was built each note was provided with a share of keyspace is to test together the

57
00:05:34,900 --> 00:05:38,750
cluster was able to crack the D.S. cipher in 22 hours.

58
00:05:42,460 --> 00:05:47,430
D.S. is vulnerable for purely cryptographic reasons.

59
00:05:47,480 --> 00:05:52,720
The first point is that a significant dependence can be observed between round keys and cipher keys.

60
00:05:54,160 --> 00:06:06,020
This relationship is evident especially if zero is the key round keys in that case are also zero.

61
00:06:06,080 --> 00:06:12,500
Another problem the standard exhibit's is the complement to nation property which refers to some relationships

62
00:06:12,500 --> 00:06:16,940
existing between the key the plaintext and the ciphertext itself.

63
00:06:18,090 --> 00:06:23,640
If you encrypt all big complements using key complements the output is the ciphertext complement

64
00:06:29,500 --> 00:06:29,990
today.

65
00:06:30,010 --> 00:06:34,480
The DNS server text can be cracked in a matter of minutes.

66
00:06:34,480 --> 00:06:43,210
In 2004 the nest Institute withdrew the recommendation for the algorithm the image depicts Copacabana.

67
00:06:43,340 --> 00:06:47,510
One of the many internet available devices for cracking D.S. in real time.