THE DATA ENCRYPTION STANDARD:  AN UPDATE
This CSL Bulletin provides updated information on the Data
Encryption Standard (DES) which was revised in 1993 and issued as
Federal Information Processing Standard (FIPS) 46-2.  

Background
NIST (formerly the National Bureau of Standards) issued the Data
Encryption Standard (DES) in 1977 to provide an encryption
algorithm for use in protecting federal unclassified information
from unauthorized disclosure or undetected modification during
transmission or while in storage.  The standard required NIST to
conduct a review every five years to determine whether the
cryptographic algorithm specified by the standard should be
affirmed, revised or withdrawn.  The first review resulted in the
reaffirmation of the standard in 1983; the standard was again
reaffirmed in 1988 following a second review; the third review
was completed in 1993.  

FIPS 46-2, which was issued following the third review, reaffirms
the DES until 1998.  The DES is based on work of the
International Business Machines Corporation and has been adopted
as American National Standard X3.92-1981/R1987.

Technical Overview 
The DES is a publicly known cryptographic algorithm that converts
plaintext to ciphertext using a 56-bit key.  The same algorithm
is used with the same key to convert ciphertext back to
plaintext, a process called decryption.  The DES consists of 16
"rounds" of operations that mix the data and key together in a
prescribed manner using the fundamental operations of permutation
and substitution.  The goal is to completely scramble the data
and key so that every bit of the ciphertext depends on every bit
of the data plus every bit of the key (a 56-bit quantity for
DES).  

Authorized users of encrypted computer data must have the key
that was used to encrypt the data in order to decrypt it.  The
unique key chosen for use in a particular application makes the
results of encrypting data using the algorithm unique.  Using a
different key causes different results.  The cryptographic
security of the data depends on the security provided for the key
used to encrypt and decrypt the data.  FIPS 171, Key Management
Using ANSI X9.17, provides approved methods for managing the keys
used by the DES.

Security Provided by the DES 
The security provided by a cryptographic system depends on the
mathematical soundness of the algorithm, length of the keys, key
management, mode of operation, and implementation.
 
The DES was developed to protect unclassified computer data in
federal computer systems against a number of passive and active
attacks in communications and computer systems.  It was assumed
that a knowledgeable person might seek to compromise the security
system by employing resources commensurate with the value of the
protected information.  Agencies determining that cryptographic
protection is needed based on an analysis of risks and threats
can use the DES for applications such as electronic funds
transfer, privacy protection of personal information, personal
authentication, password protection, and access control.
 
The DES has been evaluated by several organizations and has been
found to be mathematically sound.  Some individuals have analyzed
the DES algorithm and have concluded that the algorithm would not
be secure if a particular change were made (e.g., if fewer
"rounds" were used).  Modifications of this sort are not in
accordance with the standard and, therefore, may provide
significantly less security.
 
NIST believes that DES provides adequate security for its
intended unclassified applications.  The algorithm is also widely
used by the private sector.  NIST will continue to evaluate the
security provided by the DES.  At the next review in 1998, the
algorithm specified in the standard will be over 20 years old. 
At that time, NIST will consider alternatives that offer a higher
level of security for possible replacement of the DES.

Other Cryptographic Standards
For many years, the DES was the only FIPS available for federal
encryption requirements.  Changing technology has created new
requirements for different kinds of protection for special
applications.  FIPS 46-2 allows for the use of other FIPS-
approved cryptographic algorithms in addition to, or in lieu of
the DES, when such algorithms are implemented in accordance with
FIPS 140-1.  

FIPS 140-1, Security Requirements for Cryptographic Modules, was
issued in January 1994.  This standard defines levels of security
for the cryptographic modules which perform cryptographic
processes.  Cryptographic modules include the hardware, software,
firmware, or some combination thereof, that implements
cryptographic logic or processes.  The standard provides for four
increasing, qualitative levels of security and covers module
design and documentation, interfaces, authorized roles and
services, physical security, software security, operating system
security, key management, and other issues.  FIPS 140-1 replaces
FIPS 140, General Security Requirements for Equipment Using the
Data Encryption Standard (formerly Federal Standard 1027).  See
the Validation section below for a discussion of the acquisition
of FIPS 140 devices.   
 
In 1994, NIST issued FIPS 185, Escrowed Encryption Standard
(EES), which is suitable for use in telephone communications that
are circuit-switched and use a commercial modem to transmit
digital data.  This standard specifies a technology developed by
the federal government to provide strong encryption protection
for unclassified information and also to provide for the
escrowing of device keys.  The standard provides for lawfully
authorized access to the keys required to decipher enciphered
information.  The escrowed encryption technology is to be
implemented in electronic devices.  The specifications for the
algorithm (SKIPJACK) and for the Law Enforcement Access Field
(LEAF) are classified.  FIPS 185 does not mandate the use of
escrowed encryption devices by federal government agencies, the
private sector or other levels of government.  Such use is
totally voluntary when organizations require the key escrow
features.    

FIPS 186, Digital Signature Standard (DSS), provides
cryptographic techniques for generating and verifying electronic
signatures for applications requiring authentication of data
integrity and the identity of the signer.  FIPS 180, Secure Hash
Standard, provides the hash function used in generating and
verifying digital signatures.  

Implementation of the DES
Early versions of the DES required that the encryption algorithm
be implemented in electronic hardware and firmware.  FIPS 46-2
allows for implementation of the cryptographic algorithm in
software, firmware, hardware, or any combination thereof to
enable more flexible, cost-effective implementations.  

Applicability
The DES is for use by federal department and agencies when agency
officials determine that cryptographic protection of information
is required and the data is not classified according to the
National Security Act of 1947, as amended, or the Atomic Energy
Act of 1954, as amended.  Federal organizations that use
cryptographic devices for protecting classified data can also use
those devices for protecting unclassified data instead of the
DES.  

The National Security Agency (NSA) of the U.S. Department of
Defense develops and promulgates requirements for
telecommunications and automated information systems operated by
the U.S. government, its contractors, or agents, that contain
classified information or, as delineated in 10 U.S.C. Section
2315, the function, operation, or use of which:

   - involves intelligence activities;
   - involves cryptologic activities related to national
     security;
   - involves the direct command and control of military forces;
   - involves equipment which is an integral part of a weapon or
     weapon systems; or
   - is critical to the direct fulfillment of a military or
     intelligence mission.

The term unclassified information as used in this bulletin
excludes information covered by 10 U.S.C. 2315.  

Waivers for the Mandatory Use of the DES
The head of a federal department or agency may waive the use of
the DES for the protection of unclassified information in
accordance with the provisions of FIPS 46-2.  A waiver is
necessary if cryptographic modules performing an algorithm other
than the DES or another FIPS-approved algorithm are to be used by
a federal agency.  No waiver is necessary if communications
security equipment approved for the protection of classified
information is to be used.  

DES Cryptographic Keys
U.S. government users of DES products which NSA had previously
endorsed for compliance with Federal Standard 1027 may obtain DES
cryptographic keys for these products from NSA upon request at no
cost.  NSA is no longer endorsing products under Federal Standard
1027.  Contact your responsible Communications Security (COMSEC)
officer for further information.   

Alternatively, users of DES, including federal organizations, may
generate their own cryptographic keys.  DES keys must be properly
generated and managed in order to assure a high level of
protection to computer data.  Key Management includes generation,
distribution, storage, and destruction of the cryptographic keys
used in the encryption and decryption processes.  Information on
this subject is included in FIPS 74, FIPS 140-1, and FIPS 171. 
See the reference list.  

Exportability of DES Devices and Software Products
Hardware- and software-based implementations of DES are subject
to federal export controls as specified in Title 22, Code of
Federal Regulations (CFR), Parts 120-130, the International
Traffic in Arms Regulations (ITAR).  Specific information
regarding export applications, application procedures, types of
licenses, and necessary forms may be found in the CFR. 
Responsibility for granting export licenses (except for those DES
implementations noted below) rests with:

     Office of Defense Trade Controls
     Bureau of Political-Military Affairs
     U.S. Department of State
     Washington, DC 20522-0602
     Telephone (703) 875-6650

The Office of Defense Trade Controls, U.S. Department of State,
issues either individual or distribution licenses.  Under a
distribution license, annual reports must be submitted by the
distributor describing to whom the licensed products have been
sold.  License requests for products to be shipped to certain
prohibited countries (see Section 126.1 of the ITAR) are denied
for foreign policy reasons by the Department of State.  Licenses
are normally granted if the end users are either financial
institutions or American subsidiaries abroad.    

Specific Cryptographic Implementations under Jurisdiction of the
Department of Commerce
The Bureau of Export Administration, U.S. Department of Commerce,
is responsible for the granting of export licenses for the
following categories of cryptographic products (including DES):

   o Authentication.  Software or hardware which calculates a
     Message Authentication Code (MAC) or similar result to
     assure no alteration of text has taken place, or to
     authenticate users, but does not allow for encryption of
     data, text, or other media other than that needed for the
     authentication.

   o Access Control.  Software or hardware which protects
     passwords or Personal Identification Numbers (PINs) or
     similar data to prevent unauthorized access to computing
     facilities, but does not allow for encryption of files or
     text, except as directly related to password or PIN
     protection.

   o Proprietary Software Protection.  Decryption-only routines
     for encrypted proprietary software, fonts, or other
     computer-related proprietary information for the purpose of
     maintaining vendor control over said information when such
     decryption routines are not accessible to users of said
     software, font, or other information, and cannot be used for
     any other purpose.

   o Automatic Teller Devices.  Devices limited to the issuance
     of cash or traveler's checks, acceptance of deposits, or
     account balance reporting. 

Vendors of products in the above four categories should contact
the following for a product classification determination:

     Bureau of Export Administration
     U.S. Department of Commerce
     P.O. Box 273
     Washington, DC 20044
     Telephone (202) 482-4811

Following this determination, the vendor will be informed whether
an export license from the U.S. Department of Commerce is
necessary.  The Bureau of Export Administration will provide
vendors with license procedures and further information as
appropriate.  

Please note that vendors whose products do not fall clearly into
the above categories should follow procedures set forth in the
ITAR, 22 CFR 120-130.

FIPS 140-1 places additional requirements on cryptographic
modules that implement the DES.  NIST is establishing a
validation system for FIPS 140-1 products.  Until the validation
system is in operation, agencies may purchase equipment with FIPS
140-1 modules that have been affirmed in writing by the
manufacturer as complying with the standard.  A copy of the
written affirmation should be sent to the Director, Computer
Systems Laboratory, NIST, B154 Technology, Gaithersburg, MD 
20899-0001.

Additionally, until June 1997, federal agencies may purchase FIPS
140 (former Federal Standard 1027) products that had been
validated under the endorsement program that NSA previously
operated.  Also agencies may buy FIPS 140 products that have not
been validated by NSA if the vendor submits a written affirmation
that the products are in conformance with the provisions of FIPS
140.  A copy of the written affirmation should be sent to the
Director of the Computer Systems Laboratory, address as above.   

NIST also performs validations of products for compliance with
FIPS 113 and 171.  For further information about submitting
products for validation, please contact:
     
     Manager, Security Technology Group
     Computer Security Division
     National Institute of Standards and Technology
     Building 225, Room A216
     Gaithersburg, MD 20899-0001
     Telephone (301) 975-2920

Information About Validated Products
NIST validates DES implementations for conformance to FIPS 46-2. 
When the DES is implemented in software, the processor and
operating system on which the algorithm runs must be specified as
part of the validation process.  Validated implementations are
listed in the Validated Products List (VPL) which is updated and
issued quarterly by NIST.  Copies of the VPL may be obtained
from: 

     National Technical Information Service 
     U.S. Department of Commerce 
     5285 Port Royal Road 
     Springfield, VA 22151  
     Subscriptions (703) 487-4630
     Individual Copies (703) 487-4650
     Ordering Number PB95-937301

The entries in the printed VPL are contained in WordPerfect
Version 5.1 files and may be accessed on the Internet using the
instructions listed below.  

Type:  ftp speckle.ncsl.nist.gov (Internet address is 129.6.59.2)
Login as user ftp
Type your e-mail address preceded by a dash (-) as the password
Type:  cd vpl
Type:  binary
Type:  get and the name of the file you want, e.g., language

For a list of FIPS 140 and FIPS 140-1 products that have been
affirmed by the manufacturer, contact the Manager, Security
Technology Group, Computer Security Division, Building 225, Room
A216, National Institute of Standards and Technology,
Gaithersburg, MD 20899-0001, telephone (301) 975-2920.

Reference Documents

     NIST Publication List 91, Computer Security Publications,
     describes CSL's publications, bulletins, and electronic
     resources for computer security information.  Call (301)
     975-2821 or e-mail dward@enh.nist.gov for a complimentary
     copy.

The following FIPS and other publications are available for sale
by the:  

     National Technical Information Service
     U.S. Department of Commerce
     5285 Port Royal Road
     Springfield, VA  22161
     Telephone (703) 487-4650; rush service (800) 553-6847
     Fax (703) 321-8547 or (703) 321-9038

FIPS 46-2, Data Encryption Standard

This standard provides the technical specifications for the Data
Encryption Algorithm.  

FIPS 74, Guidelines for Implementing and Using the NBS Data
Encryption Standard

This guideline on DES discusses how and when data encryption
should be used, various encryption methods, the reduction of
security threats, implementation of DES, and key management.

FIPS 81, DES Modes of Operation

FIPS 81 defines four modes of operation for DES which may be used
in a wide variety of applications.  The modes specify how data
will be encrypted and decrypted.  The four modes are:  (1)
Electronic Codebook (ECB), (2) Cipher Block Chaining (CBC), (3)
Cipher Feedback (CFB), and (4) Output Feedback (OFB).  

FIPS 113, Computer Data Authentication

This standard specifies a Data Authentication Algorithm, based
upon DES, which may be used to detect unauthorized modifications,
both intentional and accidental, to data.  The Message
Authentication Code as specified in ANSI X9.9 is computed in the
same manner as the Data Authentication Code as specified in this
standard.  

FIPS 139, Interoperability and Security Requirements for Use of
the Data Encryption Standard in the Physical Layer of Data
Communications

This standard specifies interoperability and security-related
requirements for using encryption at the Physical Layer of the
ISO Open Systems Interconnection (OSI) Reference Model in
telecommunications systems conveying digital information.  FIPS
139 was previously issued by the General Services Administration
as Federal Standard 1026.

FIPS 140-1, Security Requirements for Cryptographic Modules 

This standard specifies the security requirements that are to be
satisfied by a cryptographic module utilized within a security
system protecting unclassified information within computer and
telecommunication systems.  

FIPS 141, Interoperability and Security Requirements for Use of
the Data Encryption Standard With CCITT Group 3 Facsimile
Equipment

This document specifies interoperability and security-related
requirements for use of encryption with the International
Telegraph and Telephone Consultative Committee (CCITT), Group 3-
type facsimile equipment.  

FIPS 171, Key Management Using ANSI X9.17

This standard specifies a selection of options for the automated
distribution of keying material by the federal government when
using the protocols and ANSI X9.17. 

FIPS 180, Secure Hash Standard

This standard specifies a Secure Hash Algorithm (SHA) which can
be used to generate a condensed representation of a message
called a message digest.  The SHA is required for use with the
Digital Signature Algorithm (DSA) as specified in the Digital
Signature Standard and whenever a SHA is required for federal
applications.  This standard is being revised to correct a minor
technical flaw and will be issued as FIPS 180-1 in 1995.

FIPS 185, Escrowed Encryption Standard (EES)

This standard specifies a technology developed by the federal
government to provide strong encryption protection for
unclassified information and to provide for lawful authorized
access to the keys required to decipher enciphered information.

FIPS 186, Digital Signature Standard (DSS)

This standard specifies a Digital Signature Algorithm (DSA)
appropriate for applications requiring a digital rather than a
written signature.  The DSA provides the capability to generate
and verify signatures.

NBS Special Publication 500-156, Message Authentication Code
(MAC) Validation System:  Requirements and Procedures

This special publication describes a Message Authentication Code
(MAC) Validation System (MVS) to test message authentication
devices for conformance to two data authentication standards: 
FIPS 113 and ANSI X9.9-1986, Financial Institution Message
Authentication (Wholesale).  The MVS is designed to perform
automated testing on message authentication devices which are
remote to NIST.  

NIST Special Publication 800-2, Public-Key Cryptography

This publication surveys public-key cryptography, discussing the
theory and examining examples of public-key cryptosystems.  The
related topics of digital signatures, hash functions, and zero-
knowledge protocols are also covered.

DES has been incorporated into voluntary industry standards.  For
information, contact the American Bankers Association, X9
Secretariat, 1120 Connecticut Avenue, NW, Washington, DC 20036
and the American National Standards Institute, 11 West 42nd
Street, New York, NY 10036.  To order copies of voluntary
industry standards, contact the Washington Publishing Company,
P.O. Box 203, Chardon, OH 44024-0203, telephone (800) 334-4912.

NIST's Computer Security Program
For further information regarding other aspects of NIST's
computer security program, please contact:

     Computer Security Division
     National Institute of Standards and Technology
     Building 225, Room A216
     Gaithersburg, MD 20899-0001
     Telephone (301) 975-2934
     Fax (301) 948-1233