Security Basics mailing list archives

Re: NewBie:cryptography : DES vs Blowfish?
From: shawn () nunleys com
Date: Sat, 2 Nov 2002 13:47:19 -0800

Which is more secure...  that's a broad question, of course.  If your 
intention is to determine the security of the protocol itself, and not the 
implementation of it in a particular application, then you must look at the 
various cryptanalysis studies done against each protocol.  DES has been 
proven, time and again, to be very resistant to cryptanalysis attacks, but it 
does have a limited key size.  Most implementations use 56bit keys, and even 
with triple DES you're only using 2 56bit keys.  Blowfish and GOST have not 
had as much study, but the key sizes can be bigger.  So, barring any newly 
discovered weaknesses (it can happen) you can get more brute-force attack 
protection from Blowfish and GOST.

(plagiarized from aliennetworks.com)
DES (Data Encryption Standard)
DES is, by far, the world’s most popular encryption solution. DES is a block 
cipher; it encrypts data in 64-bit blocks. It is also a symmetric algorithm; 
this implies that it uses the same algorithm and key for decryption and 
encryption. With a key length of 56 bits, DES performs 16 rounds (Loops) which 
are comprised of multiple XOR and data substitutions. One of DES’ strengths is 
an avalanche effect that is caused by a portion of the result of round 16 
being fed back into round one of the next data block; this causes an increase 
in data diffusion that can make DES very hard to crack. 

The math behind DES - All possible 64 bit plaintext blocks can be mapped onto 
all possible 64 bit cipher text blocks in (2^64)! possible ways. The DES 
algorithm, with a 56 bit key, will produce around 2^56 of these mappings 
(That’s about 100000000000000000 possible mappings). When DES was developed, 
there was no known way to crack it in a single lifetime; now, with 
differential and linear cryptanalysis tools at hand, new advances in computer 
hardware, and great strides in number theory, a dedicated DES cracking machine 
could be built for under $1,000,000 that could break any message in just a few 
hours. In 1984 DES chips capable of performing 256,000 encryptions and 
decryptions per second were available; in 1987 chips that could do 512,000 
were available. In 1993, Michael Wiener designed a machine that could do a 
brute-force crack on any DES message, decoding it in 3.5 hours. There are many 
other attacks that can break DES (Eventually), including differential 
cryptanalysis, Dif-Lin, meet-in-the-middle, and chosen plaintext. These 
attacks all share two common factors; they’re very difficult to execute in 
practice, and they can become expensive. Are there other ways? The algorithm 
is over 20 years old; the NSA no longer uses it for encrypted transmissions; 
and the source code and substitution boxes are available in the public domain. 
The combination of readily available data on the algorithm, exponential 
increases in computing power, and increasing value of transmitted data is 
giving many companies a reason to reevaluate DES as their choice for encrypted 
transmissions. Regrettably, they have few options that offer actual security. 

Blowfish is a fast 64 bit block cipher with a variable-length key. Key 
expansion in Blowfish can create a 448 bit keyspace – quite a bit larger than 
DES. The major drawback of Blowfish is that it is optimized for applications 
where the keyspace does not change very often. In spite of this shortcoming, 
Blowfish passes many security tests, and provides a very good level of 
security. Blowfish is in the public domain (Anyone can go get the source code 
for free), and is easy to implement. 

The math behind Blowfish - Blowfish consists of 16 rounds, or loops. 
Cryptanalysis of Blowfish by Serge Vaudenay reveals a partial differential 
attack that can recover the plaintext array in 2^(8r+1) chosen plaintexts. There 
is also a class of known weak keys that can increase the effectiveness of this 
attack by a factor of two.
[end of plagiarism]

In my opinion, it's not the protocol that's the issue nearly as much as the 
technical implementation and your procedures for protecting your keyspace.  
Whenever you must resort to using symmetric-key crypto, you face some tough 
issues with regard to key distribution.


Quoting DocValde <DocValde () gmx de>:

Hello Roberto Ramsis,
on Friday, 1 November 2002 at 12:37:15 you wrote:

I needed to know, which is more secure: DES, BLOWFISH, GOST? and which is 

DES is obsolete since few years, (not only) since its key length is fixed to 
56bit effective. Even TripleDES has only 112bit effective.

With GOST, I had not to deal yet, but Blowfish seems to be quite good and fast 
enough for almost any use. Be sure to use 128bit keylength upwards.

Best regards,

Malte von dem Hagen



web:   http://www.DocValde.net
eMail: DocValde () gmx de
icq:   71581747
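
The thread lists meet-in-the-middle among the attacks and quotes effective key sizes below the raw key-bit totals. The sketch below is an added example, not part of either poster's message: it shows on a toy cipher why two stacked encryptions with independent k-bit keys cost about 2^(k+1) cipher operations to search rather than 2^(2k). The 16-bit toy cipher, its 12-bit keys and the sample values are constructed for illustration and are not DES.

```python
# Toy 16-bit block cipher with a 12-bit key (constructed; NOT DES or Blowfish).
MASK = 0xFFFF
KEY_BITS = 12

def _rotl(x, n): return ((x << n) | (x >> (16 - n))) & MASK
def _rotr(x, n): return ((x >> n) | (x << (16 - n))) & MASK

def _round_key(key, r): return (key * 0x9E37 + r * 0x7F4B) & MASK

def toy_encrypt(key, block):
    for r in range(4):
        rk = _round_key(key, r)
        block = _rotl((block + rk) & MASK, 5) ^ rk
    return block

def toy_decrypt(key, block):
    for r in reversed(range(4)):
        rk = _round_key(key, r)
        block = (_rotr(block ^ rk, 5) - rk) & MASK
    return block

def double_encrypt(k1, k2, block):
    return toy_encrypt(k2, toy_encrypt(k1, block))

def meet_in_the_middle(pairs):
    """Find (k1, k2) from known plaintext/ciphertext pairs.
    Returns (candidates, ops); ops counts the two table passes only,
    not the few extra encryptions spent confirming each middle-value match."""
    p0, c0 = pairs[0]
    table, ops = {}, 0
    for k1 in range(1 << KEY_BITS):          # forward half: E_k1(p0)
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
        ops += 1
    found = []
    for k2 in range(1 << KEY_BITS):          # backward half: D_k2(c0)
        ops += 1
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            # a match on one pair may be chance; confirm on the remaining pairs
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found, ops

def demo():
    k1, k2 = 0x3A7, 0xC15                    # constructed "secret" keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]
    found, ops = meet_in_the_middle(pairs)
    # (key recovered?, table-pass operations, size of the naive 2^(2k) search)
    return (k1, k2) in found, ops, 1 << (2 * KEY_BITS)

if __name__ == "__main__":
    print(demo())
```

The cost is paid in memory instead: the forward table holds one entry per first-key candidate.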
