DES tutorial - IPsec VPN Encryption



DES (Data Encryption Standard)

The DES encryption algorithm uses a 56-bit key to encrypt data in transit. DES is a symmetric-key algorithm, which means the same single key is used both to encrypt and to decrypt the data.

Some claim DES is a 64-bit key algorithm. Of those 64 bits, however, only 56 are actually used as keying material; the remaining 8 bits are reserved as parity bits that check the integrity of the other 56. So in a sense it is correct that DES takes a 64-bit key, but 8 of those bits play no part in encrypting data. The effective key length, and therefore the encryption strength, is 56 bits.

DES is no longer used, as it is an old, weak and broken encryption algorithm, and it was replaced by 3DES. AES is the current standard, is in use today and has proven to be a safe and strong symmetric encryption algorithm. However, you will still find 3DES supported on VPN gateways and still in common use. This is for backward compatibility, as older VPN gateways may only support the 3DES algorithm.


DES and some other encryption algorithms can operate in a number of modes of operation. Which mode DES should run in depends on the situation. The most common modes are detailed below.

Electronic Code Book (ECB)

ECB provides the highest throughput and is therefore the fastest of the modes. However, it is also the weakest of the DES modes to break, because a given plaintext block always produces the same ciphertext block under the same key, so patterns in the data show through in the ciphertext. ECB mode should only be used on small amounts of data such as key values.

Cipher Block Chaining (CBC)

CBC is more secure than ECB because, unlike ECB, it does not expose patterns within the encrypted data. This is because the value of the previous block is also fed into the algorithm and used to produce the next block. This process is referred to as chaining, and it adds a high degree of randomness to the data. One issue with this mode is that if an error occurs it is propagated to the rest of the blocks: as already mentioned, all blocks are encrypted in a chain using the values of the previous block in order to provide randomness, so all of the blocks are connected. This can cause decryption to fail. CBC can be used to encrypt large amounts of data in 64-bit blocks.

Cipher Feedback (CFB)

CFB works on smaller units of 8 bits rather than 64-bit blocks, and emulates a stream cipher. CFB works similarly to CBC in that the value from the previous block feeds into the encryption of the next block. CFB is used in situations where the requirement is to encrypt smaller amounts of data at a time.

Output Feedback (OFB)

OFB also emulates a stream cipher; however, unlike the two previous modes, OFB eliminates chaining. Because the value used to encrypt the next block of data comes from the key stream and not from the ciphertext, it reduces the chance of errors and is therefore a more reliable encryption method.

Counter Mode (CTR)

Counter mode is similar to OFB mode, but uses an incrementing counter as the IV instead of a random IV value. It also does not use chaining, so blocks can be encrypted at the same time, making this method faster.
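As an added illustration (not code from the original page), here are the ECB, CBC and CTR modes described above implemented in Python over a DES-sized 64-bit block. The block cipher underneath is a stand-in assumed for this example, an 8-round Feistel network with a SHA-256 round function, which has DES's structure but is not DES; the key, IV, nonce and plaintext are constructed values. Running demo() shows ECB repeating its ciphertext block for repeated plaintext while CBC does not, and that CBC and CTR both round-trip.

```python
import hashlib

BLOCK = 8  # DES-sized 64-bit block, handled as two 32-bit halves (DES itself uses 16 rounds)
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function: a stand-in for DES's expansion/S-box/permutation step.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]
def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 8-round Feistel network, the same structure DES uses, with the stand-in round function.
    left, right = block[:4], block[4:]
    for rnd in range(8):
        left, right = right, _xor(left, _f(key, right, rnd))
    return right + left  # final swap, as in DES
def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[4:], block[:4]  # undo the final swap, then run the rounds backwards
    for rnd in reversed(range(8)):
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right
def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # Blocks are independent: identical plaintext blocks give identical ciphertext blocks.
    return b"".join(block_encrypt(key, b) for b in blocks(data))
def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks(data):
        prev = block_encrypt(key, _xor(b, prev))  # chaining: XOR the previous ciphertext block in
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(data):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)
def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Keystream block n = E(nonce || n) XORed onto the data: no chaining, so blocks are
    # independent, a short final block needs no padding, and one call encrypts or decrypts.
    return b"".join(_xor(b, block_encrypt(key, nonce + n.to_bytes(4, "big")))
                    for n, b in enumerate(blocks(data)))
def demo() -> dict:
    key, iv = b"\x01\x23\x45\x67\x89\xab\xcd\xef", b"\x00" * 8  # constructed test values
    pt = b"ATTACK!!" * 4  # constructed: four identical 64-bit plaintext blocks
    repeats = lambda ct: len(blocks(ct)) - len(set(blocks(ct)))
    return {"ecb_repeats": repeats(ecb_encrypt(key, pt)),  # 3: the pattern leaks through
            "cbc_repeats": repeats(cbc_encrypt(key, iv, pt)),  # 0: chaining hides it
            "cbc_roundtrip": cbc_decrypt(key, iv, cbc_encrypt(key, iv, pt)) == pt,
            "ctr_roundtrip": ctr_crypt(key, b"nonc", ctr_crypt(key, b"nonc", pt[:13])) == pt[:13]}
```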

As well as DES and 3DES, some other common symmetric encryption algorithms are AES, Blowfish, Twofish, IDEA, CAST, SAFER, Skipjack and RC.

Further Reading

Wikipedia's guide to DES (Data Encryption Standard)