
In what cases can we use a weak block cipher like DES?

More precisely, are there specific situations in which a weakened block cipher can still be used, for instance for certain types of plaintext?

Ilmari Karonen
Dingo13
  • I edited your question and tried to make it more concrete. I hope I didn't lose the original intent of the question. If so, feel free to revert back to your original question. Hopefully this more concrete question (if still what you were looking for) will make the question better. – mikeazo Jun 04 '13 at 15:32
  • Is there a specific mode of operation you are interested in? – mikeazo Jun 04 '13 at 15:36
  • In fact the intent of the question has changed a little... I referred to 64-bit block ciphers thinking about weak block ciphers. If most of the 64-bit block ciphers are still secure, I would prefer to talk about DES. – Dingo13 Jun 05 '13 at 07:45
  • Would you like to edit the question to include this? – mikeazo Jun 05 '13 at 11:35
  • I've edited it for a more general question... – Dingo13 Jun 05 '13 at 12:30

2 Answers

We can still safely use 64-bit-block ciphers when used in an otherwise sound protocol, and all of the following three conditions are met:

  • The effective key size is made big enough; that disqualifies DES (55-bit), but not Blowfish (up to 448 bits), TEA (128 bits), 3DES (167 bits), and to some degree 2-keys-3DES (111 bits). Note: I computed the effective key size of DES and variants accounting for unused low-order bits of keys, and the complementation property. Theoretical attacks allowing better-than-brute-force key search for 2-key-3DES are not a practical concern for the time being (except from demonstration of security and certification standpoints).
  • The number $n$ of blocks that could be used with the same key (legitimately or by an attacker abusing a legitimate device) is low enough to guard against a birthday attack. If we want the maximum odds of the adversary to succeed in this way to be bounded by $2^{-k}$ for some $k>0$, we are safe if we limit $n$ to about $2^{(65-k)/2}$. E.g. if we accept only a one in a million chance that an adversary succeeds by birthday attack, $k\approx 20$, thus we should limit to $2^{22.5}$ blocks; that's only about 45MiB in an encryption application.
  • The implementations are suitably protected from various side-channel attacks. When the adversary has physical access to the device implementing the block cipher, this often requires further lowering the number of uses of a given key. 3DES is well analyzed in this regard, Blowfish much less so.
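The second condition above, worked through as an added example (this is not code from fgrieu's answer): the birthday approximation $n^2 / 2^{b+1}$ for $n$ blocks of $b$ bits gives the $2^{(65-k)/2}$ bound for $b=64$, and the same formula extends to 128-bit blocks. The `KeyDataBudget` class is a hypothetical helper showing how an implementation would enforce the limit by counting bytes processed under one key and refusing to go past the bound.

```python
import math


def log2_max_blocks(block_bits: int, k: int) -> float:
    """Exponent e such that n = 2**e blocks keeps the birthday-collision
    probability n**2 / 2**(block_bits + 1) at or below 2**-k.
    For a 64-bit block and k = 20 this is (65 - 20) / 2 = 22.5."""
    return (block_bits + 1 - k) / 2


def max_blocks(block_bits: int, k: int) -> float:
    """Largest number of blocks allowed under one key for failure odds 2**-k."""
    return 2.0 ** log2_max_blocks(block_bits, k)


def max_bytes(block_bits: int, k: int) -> float:
    """Same limit expressed in bytes of plaintext."""
    return max_blocks(block_bits, k) * (block_bits // 8)


def max_mib(block_bits: int, k: int) -> float:
    """Same limit in MiB; 64-bit blocks with k = 20 give about 45.25 MiB."""
    return max_bytes(block_bits, k) / 2 ** 20


def collision_probability(block_bits: int, n: float) -> float:
    """Standard birthday approximation n**2 / 2**(b+1) for n b-bit blocks.
    Sanity check: 2**32 blocks of 64 bits give probability 0.5."""
    return n * n / 2.0 ** (block_bits + 1)


class KeyDataBudget:
    """Hypothetical helper: tracks bytes processed under one key and refuses
    to exceed the birthday-derived block limit, forcing a rekey instead."""

    def __init__(self, block_bits: int, k: int) -> None:
        self.block_bytes = block_bits // 8
        self.limit_blocks = max_blocks(block_bits, k)
        self.used_blocks = 0

    def would_exceed(self, nbytes: int) -> bool:
        blocks = math.ceil(nbytes / self.block_bytes)
        return self.used_blocks + blocks > self.limit_blocks

    def consume(self, nbytes: int) -> int:
        """Account for nbytes of data; returns blocks used so far."""
        if self.would_exceed(nbytes):
            raise ValueError("key data budget exhausted; rekey before encrypting more")
        self.used_blocks += math.ceil(nbytes / self.block_bytes)
        return self.used_blocks

    def remaining_bytes(self) -> int:
        return int((self.limit_blocks - self.used_blocks) * self.block_bytes)


if __name__ == "__main__":
    for bits in (64, 128):
        for k in (20, 32):
            print(f"{bits}-bit blocks, adversary odds 2^-{k}: "
                  f"n <= 2^{log2_max_blocks(bits, k)} blocks "
                  f"= {max_mib(bits, k):.2f} MiB")
    budget = KeyDataBudget(64, 20)
    budget.consume(40 * 2 ** 20)                 # 40 MiB under this key: fine
    print("remaining bytes:", budget.remaining_bytes())
    print("another 6 MiB would exceed:", budget.would_exceed(6 * 2 ** 20))
```

Running the script prints the per-key data limits for 64-bit and 128-bit blocks side by side, which makes the practical gap visible: the 128-bit bound is $2^{32}$ times larger, so the 45 MiB ceiling is a concern specific to 64-bit block ciphers, not a general property of block encryption.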

A common example of safe use of 3DES is as session keys (for integrity or confidentiality protection) in Smart Card applications, with the amount of data in the session limited, as in this European Regulation (search CSM_021 through CSM_031 for a description, CSP_301 and CSM_013 for the limitation of the number of blocks).

Update: A small block size worsens some insecure encryption protocols/modes, such as ECB, especially when used with low entropy in the plaintext. The solution is: use secure encryption protocols/modes; there's then no worry about entropy in the plaintext.

fgrieu
  • I thought that all 64-bit block ciphers were deprecated. This is interesting. Thank you very much. – Dingo13 Jun 05 '13 at 07:52
  • @user7060: 64-bit block ciphers are deprecated for new applications, but still very much in use in some fields, including mine (Smart Cards). French recommendations recommend 128-bit block ciphers, but allow 64-bit block ciphers (for introduction) till 2020, provided they are used within rules. – fgrieu Jun 05 '13 at 08:27
  • The Wikipedia page on those DES numbers mentions that it only has a 55-bit strength under specific chosen-plaintext conditions. – forest Apr 02 '18 at 06:29
  • @forest: 55-bit is the strength of (single) DES under chosen plaintext. Indeed that's weak. The answer acknowledges that in the first bullet. – fgrieu Apr 02 '18 at 17:30

Another way of stating what you're asking is "if I encrypt a random number, how will an attacker know if he's correctly decrypted it?" The answer is "because the attacker may someday learn some of your output."

Consider what would happen if you used the algorithm to encrypt a thousand random numbers, but then you encrypted a message beginning with "Dear Sir". I could break that message and recover the key, then use the recovered key to decrypt all your other messages. I could do the same if I ever learned just one output of your random number generator.

This is a very risky idea. To manage that risk, you need to be able to trust your encryption will secure the plaintext regardless of the attributes of the plaintext. DES is no longer capable of providing that assurance.

There is really no reason to attempt to drag plain old DES into the 21st century. Cryptography isn't like a junkyard, where you save money by picking up a broken algorithm for cheap. If you're designing a new system, it is your duty to select an algorithm that hasn't been broken. If you must use DES for some external reason (and if I were you I would strongly question the validity of such an assertion), at least consider configuring your system to instead use 3DES, with three unique keys.

John Deters
  • I read the question as about 64-bit block width, not 64-bit key width. This answer seems about the latter, and I thus disagree. – fgrieu Jun 04 '13 at 16:36
  • @fgrieu, I answered the original question, which Mike has since edited. He completely changed the intent which was "can I use an old weak cipher like DES to encrypt a random number?". Go back and reread it, and you'll see the issue of it being a 64-bit-block cipher was not even germane to the original question. – John Deters Jun 04 '13 at 17:54
  • Indeed the question changed; yet the original was "about 64-bit block ciphers", and the reference to Blowfish makes it clear enough that 64-bit is intended as the block size. – fgrieu Jun 04 '13 at 18:45
  • @John Deters, you have understood my question well, and what about the use of DES on random data (for instance, for the encryption of generated keys)? But subsequently we don't encrypt a message like "Dear Sir..."; what about the security of DES in this case? Thank you. – Dingo13 Jun 05 '13 at 07:49
  • @user7060: When you encipher a generated key with a master key, an adversary will typically be able to check a guess of the master key, by deciphering the encrypted generated key then testing the resulting candidate generated key in whatever context generated keys are used. Hence you need a wide enough master key to resist brute force. This rules out DES, but not many other 64-bit ciphers (see first point in my answer). To some degree, ECB is undesirable if the generated key is wider than 64-bit, as it often should be. – fgrieu Jun 05 '13 at 09:37
  • Thank you fgrieu. So, what about the use of a mode of operation (other than ECB) on a small-block cipher? – Dingo13 Jun 05 '13 at 12:32
  • @user7060: all common operating modes except ECB are safe (from the standpoint of ensuring confidentiality of the message) including with small-block ciphers and low-entropy plaintext, subject to the conditions I state in my answer. Further, CTR and to a degree OFB allow going over the bound stated for the number of blocks in my second point in some cases, including when a key is only used with a single message. – fgrieu Jun 05 '13 at 13:18
  • @user7060, it's a mistake to assume the encrypted data is unguessable. Let's say you're encrypting a random key to be used to encrypt another secret. What if the attacker tests the output of DES, trying each output as a key against your other secret? Always assume the adversary understands everything you're doing, and just doesn't know your secret key. It's best to not try to make a case for using DES, and to simply migrate to a more secure algorithm. – John Deters Jun 05 '13 at 15:04