Overview and Definition
Symmetric encryption is the class of cryptographic algorithms where the same key encrypts and decrypts data. The two parties sharing encrypted data must share the same key, which is why symmetric encryption is also called shared-key or secret-key encryption. Symmetric algorithms are the workhorses of data protection: fast, efficient, and suited to bulk data encryption.
For most of the 1970s and 1980s, the dominant symmetric encryption standard in the United States was the Data Encryption Standard (DES). Since the 2000s, it has been the Advanced Encryption Standard (AES). The transition between them is a case study in how cryptographic standards are created, challenged, broken, and replaced, and in the complicated relationship between government, industry, and the cryptographic research community.
This article belongs entirely to the DPS domain: Data Protection and Sovereignty. The Sovereign Data Protocol (SDP) provides CDA's methodology for data protection, and its cryptographic requirements trace directly through this history. Understanding why AES-256 is the current standard for data at rest, why 3DES is deprecated, and why post-quantum cryptography is now entering the standards process requires understanding how we got from DES to AES.
---
Historical Background
The Data Encryption Standard (1977)
In the early 1970s, NIST's predecessor, the National Bureau of Standards (NBS), identified a need for a common government encryption standard. Federal agencies were using incompatible, ad hoc encryption approaches for sensitive but unclassified data. A common standard would enable interoperability and set a baseline for data protection.
In 1973, NBS issued a public call for proposals. IBM submitted an algorithm developed by a team including Horst Feistel and Walter Tuchman, originally called Lucifer. IBM's submission used a 64-bit key. The National Security Agency (NSA) became involved in the evaluation and standardization process, which was not unusual for cryptographic matters involving the federal government. The NSA made two significant changes before DES was published as a standard in 1977.
First, the key length was reduced from 64 bits to 56 bits. (The DES block size remained 64 bits; the key size reduction was separate.) A 56-bit key provides 2^56 possible keys, approximately 72 quadrillion. This sounded large in 1977 but would prove inadequate within two decades as computing power increased.
Second, the internal design structures called S-boxes, which perform nonlinear substitution operations central to DES's security, were modified from IBM's originals. The NSA's changes were not explained publicly at the time.
Both changes generated sustained controversy. Critics argued the NSA had deliberately weakened DES, shortening the key to make brute-force attacks more feasible for the NSA's own codebreaking operations. The S-box changes were viewed with similar suspicion.
The truth, revealed gradually over subsequent decades, was more nuanced. On key length: the NSA's stated position was that 56-bit keys were sufficient for the unclassified data protection the standard was designed for. The concern about NSA-accessible brute force may have been partially valid. On S-boxes: in the late 1980s, cryptographers including Eli Biham and Adi Shamir developed differential cryptanalysis, a technique for analyzing the statistical relationship between plaintext and ciphertext to recover key material. They discovered that DES's S-boxes were specifically resistant to differential cryptanalysis, suggesting the NSA had known about differential cryptanalysis more than a decade before academics discovered it and had quietly hardened DES against it. The NSA had strengthened, not weakened, the S-box design in at least this respect.
Triple DES: An Improvised Extension
As concern about DES's 56-bit key length grew in the 1980s, the cryptographic community developed 3DES (Triple DES) as a backward-compatible extension. 3DES applies the DES algorithm three times to each block: encrypt with key 1, decrypt with key 2, encrypt with key 3 (EDE mode). This extends the effective key length and dramatically increases the cost of brute-force attacks.
3DES was widely deployed in financial systems. ATMs, payment terminals, and banking back-end systems adopted 3DES because it extended DES's security without requiring replacement of existing DES infrastructure. It became embedded in financial industry standards including those governing PIN block encryption and payment card processing.
3DES remained in widespread use far longer than most cryptographers would have preferred. Its performance characteristics, slower than DES (three passes through the cipher) and far slower than AES, made it a drag on systems where it persisted. It is now deprecated by NIST and by major security standards including PCI DSS, but complete retirement from legacy financial infrastructure has been slow.
Breaking DES
In 1998, the Electronic Frontier Foundation (EFF) built a machine called Deep Crack specifically to demonstrate that 56-bit DES keys could be broken by a dedicated machine at modest cost. Deep Crack cost approximately $250,000 to build. In the 1998 DES Challenges organized by RSA Security, Deep Crack recovered a DES key in 22 hours and 15 minutes.
This was not a surprise to cryptographers. The theoretical inadequacy of 56-bit keys had been discussed for decades. What Deep Crack provided was a visceral, public demonstration: a quarter-million-dollar machine, buildable by a well-funded organization, could break any DES-encrypted communication within a day. Intelligence agencies with significantly larger budgets could presumably do this far faster.
The demonstration accelerated the search for a replacement that was already underway.
---
Why It Matters
The DES-to-AES transition matters for two reasons. The immediate reason is practical: DES and 3DES are insecure for most current applications, and any system still relying on them is using a cryptographic control that does not meet modern standards. The deeper reason is that the transition established a model for how cryptographic standards should be created and replaced.
NIST's AES competition was the first cryptographic standardization process conducted with full public transparency and international participation. The contrast with DES, developed largely in private with NSA involvement that generated lasting controversy, was intentional. The open process produced a standard that the global cryptographic research community had subjected to years of analysis before adoption, providing much higher confidence than closed-door standardization could achieve.
NIST's post-quantum cryptography standardization competition, launched in 2016, explicitly followed the AES model: public call for submissions, multiple years of public cryptanalysis, and international participation. The first post-quantum standards were published in 2024. The AES competition's process is now the template for how cryptographic standards are made.
---
Technical Deep-Dive
DES Structure
DES is a Feistel network cipher. A Feistel network divides the plaintext block into two halves and applies a series of rounds (16 in DES) where one half is processed through a round function and XORed with the other, then the halves swap. The round function involves expansion, XOR with a round key derived from the main key, substitution through S-boxes, and permutation.
The 56-bit key passes through a key schedule that generates sixteen 48-bit round keys, one per round. Breaking DES means finding the key that produces the observed ciphertext from a known plaintext, which with a 56-bit key is feasible by exhaustive search (trying all 2^56 possible keys) with late-1990s hardware.
3DES Key Modes
3DES can operate with two or three independent keys. Two-key 3DES uses K1 and K2 where K3 equals K1, providing approximately 112 bits of effective security. Three-key 3DES uses three independent keys for approximately 168 bits of nominal security, though meet-in-the-middle attacks reduce the practical strength to around 112 bits. The performance cost relative to AES, with no security benefit for new deployments, is why 3DES is deprecated.
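The Feistel construction from the DES Structure section and the EDE composition used by 3DES, as an added example that is not part of the original article. It keeps DES's shape (16 rounds, 32-bit halves, 48-bit round keys) but its key schedule and round function are SHA-256 stand-ins, and every function name is an assumption chosen here.

```python
import hashlib

# Toy 64-bit Feistel cipher with DES's shape (16 rounds, 32-bit halves, 48-bit
# round keys). Constructed for illustration: the key schedule and round function
# are SHA-256 stand-ins (assumptions), not DES's, and offer no real security.
ROUNDS, HALF_BITS = 16, 32
MASK = (1 << HALF_BITS) - 1

def round_keys(key):
    """Derive one 48-bit round key per round from the main key."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:6], "big")
            for i in range(ROUNDS)]

def round_function(half, rk):
    """Mix a 32-bit half with a round key. One-way on purpose: never inverted."""
    data = half.to_bytes(4, "big") + rk.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def feistel(block, rks):
    left, right = block >> HALF_BITS, block & MASK
    for rk in rks:
        # One half passes through the round function, is XORed into the other,
        # and the halves swap.
        left, right = right, left ^ round_function(right, rk)
    return (right << HALF_BITS) | left      # undo the last swap, as DES does

def encrypt(block, key):
    return feistel(block, round_keys(key))

def decrypt(block, key):
    # Same network, round keys in reverse order.
    return feistel(block, round_keys(key)[::-1])

def ede_encrypt(block, k1, k2, k3):
    """3DES-style EDE: encrypt with k1, decrypt with k2, encrypt with k3."""
    return encrypt(decrypt(encrypt(block, k1), k2), k3)

def ede_decrypt(block, k1, k2, k3):
    return decrypt(encrypt(decrypt(block, k3), k2), k1)
```

Setting all three keys equal makes `ede_encrypt` collapse to a single `encrypt`, which is the backward-compatibility property that let 3DES hardware talk to single-DES peers; two-key mode is `ede_encrypt(block, k1, k2, k1)`.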
AES Structure
The Rijndael algorithm, designed by Joan Daemen and Vincent Rijmen of Belgium, was selected as AES in 2001 (FIPS 197). Unlike DES, AES is a substitution-permutation network rather than a Feistel cipher. It operates on a 4x4 byte state matrix through four operations repeated across 10, 12, or 14 rounds (for 128-, 192-, or 256-bit keys respectively): SubBytes (nonlinear byte substitution via an S-box), ShiftRows (cyclic row shifting), MixColumns (column transformation providing diffusion), and AddRoundKey (XOR with the round key).
AES is designed for efficient hardware and software implementation. Hardware AES acceleration is now built into most modern processors, making AES-128 and AES-256 encryption effectively free in performance terms on modern hardware.
No practical attack against AES has been found. The best known theoretical attacks (biclique cryptanalysis) reduce the key search space by a small factor that has no operational significance: even a marginally faster-than-brute-force attack against AES-256 requires computation far beyond anything achievable with foreseeable classical computing resources.
The AES Competition
NIST launched the AES competition in 1997, publishing a call for candidate algorithms with specific requirements: 128-bit block size, support for 128-, 192-, and 256-bit keys, efficient in both hardware and software, and publicly analyzable. Fifteen candidate algorithms were accepted from teams in multiple countries. The evaluation proceeded through two rounds of public cryptanalysis over three years. Five finalists (MARS, RC6, Rijndael, Serpent, Twofish) were evaluated extensively before Rijndael was selected in 2001.
---
CDA Perspective
CDA's Data Protection and Sovereignty domain, governed by the Sovereign Data Protocol, requires AES-256 for data at rest. This is not an arbitrary choice. It reflects the DES history directly: 3DES is deprecated, DES is broken, and AES-256 with its 256-bit key provides security margins appropriate for data that may need to remain protected for decades.
SDP's principle is: "Your data lives where you decide. Period." Cryptographic integrity is a prerequisite for that principle. Data stored in a location you control is not truly sovereign if the encryption protecting it can be broken by current or foreseeable attack capabilities.
The post-quantum dimension adds urgency. Shor's algorithm, running on a sufficiently large and stable quantum computer, could break RSA and elliptic curve cryptography efficiently. AES-256 is considered quantum-resistant: Grover's algorithm (the quantum speedup applicable to symmetric key search) effectively halves the key length, meaning AES-256 provides 128-bit security against quantum attack. 128 bits of security against quantum brute force is considered adequate for foreseeable threat timelines.
SDP's cryptographic lifecycle management component tracks algorithm deprecation and plans for transitions. RSA-1024 is already deprecated. RSA-2048 is approaching the planning horizon for deprecation. NIST's post-quantum standards (CRYSTALS-Kyber for key encapsulation, CRYSTALS-Dilithium for digital signatures, published 2024) provide the migration targets. Organizations that have not begun planning the transition from classical to post-quantum asymmetric cryptography are behind the planning timeline that responsible data protection requires.
---
Key Takeaways
- DES (1977) used a 56-bit key that was demonstrated to be breakable within 22 hours by a $250,000 machine in 1998. NSA's involvement in DES standardization generated lasting controversy over key length reduction.
- The NSA modifications to DES S-boxes, viewed with suspicion at the time, were later found to provide resistance to differential cryptanalysis, a technique NSA apparently knew about a decade before academic discovery.
- 3DES extended DES's security as a backward-compatible retrofit but is now deprecated due to performance costs and the availability of AES.
- NIST's AES competition (1997-2001) was the first fully transparent, international cryptographic standardization process. Rijndael, designed by Belgian cryptographers Joan Daemen and Vincent Rijmen, was selected as AES.
- AES has no known practical attacks. AES-256 provides approximately 128 bits of security against quantum adversaries using Grover's algorithm, and is the current standard for data-at-rest encryption.
- NIST's post-quantum cryptography standards (2024) follow the AES competition model and provide migration targets for the transition away from RSA and elliptic curve cryptography ahead of potential quantum computing threats.
---
Sources
- FIPS 46-3, "Data Encryption Standard (DES)." NIST, 1999.
- FIPS 197, "Advanced Encryption Standard (AES)." NIST, 2001.
- Biham, Eli, and Shamir, Adi. "Differential Cryptanalysis of DES-like Cryptosystems." Journal of Cryptology, 1991.
- EFF. "Cracking DES: Secrets of Encryption Research, Wiretap Politics and Chip Design." O'Reilly, 1998.
- Daemen, Joan, and Rijmen, Vincent. "The Design of Rijndael." Springer, 2002.
- Diffie, W., and Hellman, M. "Exhaustive Cryptanalysis of the NBS Data Encryption Standard." Computer, 1977.
- NIST Special Publication 800-131A Rev. 2, "Transitioning the Use of Cryptographic Algorithms and Key Lengths." NIST, 2019.
- NIST IR 8413, "Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process." NIST, 2022.
- FIPS 203, 204, 205. NIST Post-Quantum Cryptography Standards. NIST, 2024.