Data Encryption Standard (DES) data are encrypted in 64-bit blocks using a 56-bit key. The DES algorithm takes the input through a series of transformations: initial permutation; a complex function, which involves both permutation and substitution operations and depends on a key input; a simple permutation function that switches the two halves of the data; the function is applied again; and a permutation function that is the inverse of the initial permutation takes place. There are five “modes of operation” that have been defined in order to apply DES to a variety of applications. They are Electronic Codebook, Cipher Block Chaining, Cipher Feedback, Output Feedback Counter, and Counter (Cryptography Concepts, 2005).
Triple DES or 3DES involves repeating the DES algorithm three times on the plaintext, using two or three different keys to produce the ciphertext. As stated in the article DES is dead. Long live…Well, um, What, “First it encrypts, then it decrypts and finally it encrypts again” (Moskowitz, 1999). Three DES is now used because it is very resistant to cryptanalysis, serving as an alternative to add security against the potential vulnerability of DES to brute-force attack. Triple DES has been adopted for use in the key management standards ANSI X 9.17 and ISO 8732, along with a number of Internet-based applications, such as PGP and S/MIME (AES, Ciphers, and Confidentiality, 2005). The picture below shows the triple encryption process, as well as show the middle portion of 3DES as a decryption rather than an encryption making it more secure.
A nonce and key distribution center (KDC) shares a secret key or “master” key between each party on a network. The KDC is responsible for generating nonce and keys to be used for a short time over a connection between two parties, known as session keys, and for distributing those keys using the master keys to protect the distribution. The following steps occur:
1. A issues request to the KDC for a session key with B. The message includes the identity of A and B, as well as a unique identifier for the transaction, a nonce, which may include a random number or a counter.
2. The KDC replies with a message encrypted using Ka. Thus, only A can read the message and knows the message originated at the KDC. The message includes:
• The one-time session key, Ks, to be used for the session.
• The original request message, including the nonce, to enable A to match this response with the appropriate request.
In addition, the message includes two items intended for B:
• The one-time session key, Ks.
• An identifier of A, IDA.
These are encrypted with the master key that the KDC shares with B. They are sent to B to establish connection and prove A’s identity.
3. A stores the session key for use in the upcoming session and forwards to B the information that originated at the KDC for B. This information is protected from eavesdropping, because it is encrypted by the master key, Kb. B knows the session key, A’s identity, and that the information originated at the KDC.
4. B then sends a nonce, N2, to A, using a newly minted session key for encryption.
5. Using the session key, A responds with f(N2), where f is a function that performs some transformation on N2 (e.g., adding one) (Stallings, 2003 pgs 214-15).
In conclusion, the above explained how DES works, why 3DES is now used, why the middle portion of 3DES is a decryption rather than an encryption, and explain a nonce and a key distribution center.
Moskowitz, Robert. (1999). DES is dead. Long Live… well, um, what? Network Computing, vol. 10 issue 6. Retrieved October 22, 2005, from, EBSCO Host Research Databas
Stallings, William. (2003). Cryptography and Network Security: Principles and Practice. New Jersey: Pearson Education, Inc.
Joshua Maluchnik, M.I.T., MCP/MCTS
Tranztec Solutions, Inc.