You may remember that when the Data Encryption Standard was first presented, there was a great deal of controversy. Since then, much of the dust has settled.
We know now for sure that the key was much too short. (Since that was written, we learned that it was really much too short, thanks to this project.)
But we also know that enciphering whole messages by means of public-key systems is not a reasonable alternative. Instead, just encrypt the key that way, and use a conventional cryptosystem, but a better one than just plain DES, for the message.
It's clear that the secret the NSA asked IBM not to reveal was the method of differential cryptanalysis. Since the S-boxes were not optimized against linear cryptanalysis, this proves that IBM didn't know about that attack back then. Although the fact that the NSA did certify the design as secure might suggest that the NSA didn't have that technique either, the inference is not really warranted: the NSA is, after all, an agency noted for its reticence.
And there is also a result showing that DES with all sixteen subkeys specified independently is not much stronger than a cipher with a 65-bit key.
DES is designed for implementation in hardware, and even includes some steps which do not appear to strengthen the cipher at all but which are hard to perform in software. If, however, DES had been a secret algorithm, these extra steps would have helped to make it harder to determine the algorithm by analysis.
As it is a Frequently Asked Question, I think I really can't skip giving the algorithm here, although it appears in many other sources; the official standard is even available from the NIST web server.
DES closely resembles LUCIFER, since it is also a cipher based on sixteen Feistel rounds.