DES tutorial - VPN Encryption explained

DES (Data Encryption Standard)

The DES encryption algorithm uses a 56-bit key to encrypt data in transit. DES is a symmetric key algorithm: one and the same key both encrypts and decrypts the data, so both ends of a VPN tunnel must hold that key (in IPsec it is derived during the IKE Diffie-Hellman exchange rather than configured by hand).

DES is often described as a 64-bit key algorithm. The key is indeed 64 bits long, but only 56 of those bits are keying material. The remaining 8 bits, the low-order bit of each of the 8 key bytes, are parity bits that let an implementation detect a corrupted key; they play no part in the encryption itself, so two 64-bit keys that differ only in their parity bits are the same DES key. So it is correct in a sense that DES takes a 64-bit key, but the effective key length, and therefore the strength against a brute-force search, is 56 bits, or 2^56 possible keys.
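To make the 56-versus-64-bit point concrete, here is an added example (written for this edit, not code from the original page) that checks and repairs DES key parity and extracts the 56 bits that DES actually keys on. The sample key 0123456789abcdef is a constructed value, the four weak keys listed are a known property of DES rather than something the page describes, and the function names are this example's own.

```python
"""DES key parity: 64 key bits carry 56 bits of keying material.

Added example, not from the original page. Each of the 8 key bytes holds 7
key bits in its high-order positions and one low-order parity bit, set so
that the byte has an odd number of 1 bits. The parity bits are checked, not
keyed on, so keys differing only in parity bits are the same 56-bit key.
"""

# The four DES weak keys (a known property of DES, not stated on the page):
# with these keys, encryption and decryption are the same operation.
WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "fefefefefefefefe",
    "e0e0e0e0f1f1f1f1", "1f1f1f1f0e0e0e0e",
)}


def has_odd_parity(key: bytes) -> bool:
    """True when every byte of an 8-byte DES key has an odd number of 1 bits."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def set_odd_parity(key: bytes) -> bytes:
    """Return key with each byte's low bit adjusted so the byte has odd parity."""
    fixed = bytearray()
    for b in key:
        high7 = b & 0xFE                      # the 7 bits that are really key
        fixed.append(high7 | int(bin(high7).count("1") % 2 == 0))
    return bytes(fixed)


def effective_key(key: bytes) -> int:
    """The 56 bits DES actually uses: the top 7 bits of each byte, concatenated."""
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value


def is_weak_key(key: bytes) -> bool:
    """Reject the DES weak keys, comparing after parity has been normalised."""
    return set_odd_parity(key) in WEAK_KEYS


def check_des_key(key: bytes) -> str:
    """Verdict a key-handling tool would give before loading a DES key."""
    if len(key) != 8:
        return "bad length"
    if is_weak_key(key):
        return "weak key"
    if not has_odd_parity(key):
        return "parity error"
    return "ok"


if __name__ == "__main__":
    k = bytes.fromhex("0123456789abcdef")     # constructed sample key
    print(check_des_key(k), hex(effective_key(k)))
```

Note that the all-zero key fails the weak-key test even though its parity bits are wrong: once parity is normalised it is 0101010101010101, which is why a key checker must normalise before comparing.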

DES is no longer considered safe to use: a 56-bit key can be exhausted by brute force with modest hardware, and DES was superseded first by 3DES (which applies DES three times with a longer key) and then by AES, which is the current standard and remains a strong symmetric algorithm. You will still find 3DES offered on VPN gateways for backward compatibility, because older gateways may support nothing stronger. Treat it as a legacy option only: 3DES is itself deprecated, keeps the small 64-bit block size of DES, and should be chosen only when the peer cannot negotiate AES.

DES, like other block ciphers, can be run in several modes of operation. The mode determines how a message longer than one 64-bit block is processed, and which mode is appropriate depends on the situation. The most common modes are as follows:

Electronic Code Book (ECB)

ECB encrypts each 64-bit block independently with the same key, so it provides the highest throughput of the modes and blocks can be processed in parallel. It is also the weakest mode: identical plaintext blocks always produce identical ciphertext blocks under the same key, so repetition and structure in the data are visible in the ciphertext even though the attacker cannot read it directly. ECB should only be used on data that fits in a single block, such as a key value being wrapped for transport, never for bulk data.

Cipher Block Chaining (CBC)

CBC is more secure than ECB because it does not expose patterns in the encrypted data. Before each plaintext block is encrypted it is XORed with the previous ciphertext block; the first block is XORed with an initialization vector (IV). This process is referred to as chaining, and it means two identical plaintext blocks produce different ciphertext. The IV must be unpredictable to an attacker and must not be reused with the same key, which is why IPsec ESP sends a fresh IV with every packet. One consequence of chaining is error propagation, but it is limited: a bit error in one ciphertext block garbles that whole block on decryption and flips the corresponding bit in the next block, after which the remaining blocks decrypt correctly. A lost or inserted block, on the other hand, throws off every block that follows it. CBC is the usual choice for encrypting large amounts of data in 64-bit blocks, and DES-CBC and 3DES-CBC are the forms used in IPsec ESP.

Cipher Feedback (CFB)

CFB turns the block cipher into a self-synchronising stream cipher. The previous ciphertext segment (the IV for the first one) is run through the block cipher and the output is XORed with the plaintext, so as in CBC each piece of ciphertext depends on what came before it. The segment size can be anything from 1 bit up to the full 64-bit block; CFB-8 works 8 bits at a time rather than 64, which is why CFB is used when small amounts of data must be encrypted as they arrive, for example a character at a time over a terminal link, instead of being buffered into whole blocks. A bit error in the ciphertext flips the same bit of the plaintext and garbles the segments that follow until the damaged bits have shifted out of the feedback register.

Output Feedback (OFB)

OFB also emulates a stream cipher, but unlike the two previous modes it does not chain on the data at all. The IV is encrypted, that output is encrypted again, and so on, producing a keystream that depends only on the key and the IV; each plaintext block is XORed with the next keystream block. Because the keystream never depends on the ciphertext, a bit error in transit flips only the corresponding plaintext bit and nothing else, so OFB is more tolerant of noisy links, and the keystream can be generated ahead of time. Two cautions apply. The IV must never be reused with the same key, because two messages encrypted with the same keystream XOR together to reveal the XOR of their plaintexts. And an attacker can flip chosen plaintext bits simply by flipping ciphertext bits, so OFB must be paired with a data integrity check (in IPsec, the ESP or AH integrity algorithm).

Counter Mode (CTR)

Counter mode is similar to OFB, but the keystream is produced by encrypting a counter block (a nonce combined with a block counter that is incremented for every block) rather than by feeding the previous output back in. There is no chaining, so blocks can be encrypted and decrypted independently and in parallel, and any block can be decrypted without processing the ones before it, which makes CTR the fastest of these modes on modern hardware. The same rules as OFB apply: a nonce and counter value must never repeat under one key, and the ciphertext needs a separate integrity check.
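The five modes above, implemented as an added example (written for this edit, not code from the original page). DES itself is not implemented here: a stand-in keyed 64-bit Feistel permutation built from SHA-256 plays the role of the block cipher so the script runs with only Python's standard library, and the mode logic is unchanged for DES or 3DES. KEY, IV and the plaintexts are constructed sample values and every function name is this example's own. error_span corrupts one ciphertext bit and reports which plaintext blocks are damaged, which exercises the error behaviour described for each mode, and keystream_reuse_leak shows why an OFB or CTR nonce must never repeat.

```python
"""Modes of operation over a 64-bit block cipher (ECB, CBC, CFB, OFB, CTR).
Added example, not from the original page. DES itself is not implemented:
block_encrypt/block_decrypt are a stand-in keyed 64-bit Feistel permutation
built from SHA-256 (standard library only); the mode logic is the same for
any 64-bit block cipher such as DES or 3DES.
"""
import hashlib

BLOCK = 8                                   # 64-bit block, as in DES
KEY = b"constructed-key!"                   # constructed sample key
IV = bytes.fromhex("0123456789abcdef")      # constructed sample IV / nonce

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to shorter input

def _f(key, rnd, half):
    """Round function of the stand-in cipher (assumption: not the DES F)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def block_encrypt(key, blk):
    """Stand-in 64-bit block cipher: 4-round Feistel network (NOT DES)."""
    l, r = blk[:4], blk[4:8]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:4], blk[4:8]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

# ECB: each block encrypted independently, so identical blocks leak.
def ecb_encrypt(key, pt):
    return b"".join(block_encrypt(key, b) for b in blocks(pt))

def ecb_decrypt(key, ct):
    return b"".join(block_decrypt(key, b) for b in blocks(ct))

# CBC: XOR plaintext with previous ciphertext block (IV first), then encrypt.
def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

# CFB (full 64-bit segments): encrypt previous ciphertext, XOR with data.
def cfb_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = _xor(b, block_encrypt(key, prev))
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(c, block_encrypt(key, prev)))
        prev = c
    return b"".join(out)

# OFB: keystream is the IV encrypted over and over; no chaining on data.
def ofb_crypt(key, iv, data):           # one function encrypts and decrypts
    out, state = [], iv
    for b in blocks(data):
        state = block_encrypt(key, state)
        out.append(_xor(b, state))
    return b"".join(out)

# CTR: keystream is E(nonce+i); blocks are independent, so parallelisable.
def ctr_crypt(key, nonce, data):        # one function encrypts and decrypts
    start = int.from_bytes(nonce, "big")
    out = []
    for i, b in enumerate(blocks(data)):
        ctr = ((start + i) % 2 ** 64).to_bytes(8, "big")
        out.append(_xor(b, block_encrypt(key, ctr)))
    return b"".join(out)

def error_span(enc, dec, key, iv):
    """Flip one bit in ciphertext block 2; list the plaintext blocks damaged."""
    pt = bytes(range(64))               # 8 blocks of constructed data
    ct = bytearray(enc(key, iv, pt))
    ct[16] ^= 0x01                      # first byte of block index 2
    back = dec(key, iv, bytes(ct))
    return [i for i, (a, b) in enumerate(zip(blocks(pt), blocks(back))) if a != b]

def keystream_reuse_leak(key, nonce, m1, m2):
    """CTR with a repeated nonce: c1 XOR c2 equals m1 XOR m2, a plaintext leak."""
    return _xor(ctr_crypt(key, nonce, m1), ctr_crypt(key, nonce, m2)) == _xor(m1, m2)
```

Running error_span with CBC or CFB reports blocks 2 and 3 damaged, with OFB or CTR only block 2, which is the error behaviour described above; encrypting a plaintext of repeated blocks with ecb_encrypt yields a single distinct ciphertext block, the pattern leak that rules ECB out for bulk data. The stream-style modes (CFB, OFB, CTR) also accept plaintexts that are not a multiple of 8 bytes, whereas ECB and CBC need padding first.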

As well as DES and 3DES, other common symmetric encryption algorithms are AES, Blowfish, Twofish, IDEA, CAST, SAFER, Skipjack and the RC family (RC2, RC4, RC5 and RC6).

Further Reading

Wikipedia's guide to DES (Data Encryption Standard)