Editing Weak key (section)

==Weak keys in DES==
The [[block cipher]] [[Data Encryption Standard|DES]] has a few specific keys termed "weak keys" and "semi-weak keys". These are keys that cause the encryption mode of DES to act identically to the decryption mode of DES (albeit potentially that of a different key).

In operation, the secret 56-bit key is broken up into 16 subkeys according to the DES [[key schedule]]; one subkey is used in each of the sixteen DES rounds. DES ''weak keys'' produce sixteen identical subkeys. This occurs when the key (expressed in [[hexadecimal]]) is:<ref>FIPS, ''Guidelines for Implementing and Using the NBS Data Encryption Standard'', FIPS-PUB 74, http://www.itl.nist.gov/fipspubs/fip74.htm</ref>
* Alternating ones + zeros (0x0101010101010101)
* Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
* '0xE0E0E0E0F1F1F1F1'
* '0x1F1F1F1F0E0E0E0E'

If an implementation does not consider the parity bits, the corresponding keys with the inverted parity bits may also work as weak keys:
* all zeros (0x0000000000000000)
* all 'F' (0xFFFFFFFFFFFFFFFF)
* '0xE1E1E1E1F0F0F0F0'
* '0x1E1E1E1E0F0F0F0F'

Using weak keys, the outcome of the [[DES supplementary material#Permuted choice 1 .28PC-1.29|Permuted Choice 1 (PC-1)]] in the DES [[key schedule]] leads to round keys being either all zeros, all ones or alternating zero-one patterns.

Since all the subkeys are identical, and DES is a [[Feistel network]], the encryption function is self-inverting; that is, despite encrypting once giving a secure-looking cipher text, encrypting twice produces the original plaintext.

DES also has ''semi-weak keys'', which only produce two different subkeys, each used eight times in the algorithm: This means they come in pairs ''K''<sub>1</sub> and ''K''<sub>2</sub>, and they have the property that:

:<math>E_{K_1}(E_{K_2}(M))=M</math>

where E<sub>''K''</sub>(M) is the encryption algorithm encrypting [[plaintext|message]] ''M ''with key ''K''. There are six semi-weak key pairs:
* 0x011F011F010E010E and 0x1F011F010E010E01
* 0x01E001E001F101F1 and 0xE001E001F101F101
* 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
* 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
* 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
* 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1

There are also 48 possibly weak keys that produce only four distinct subkeys (instead of 16). They can be found in a NIST publication.<ref>NIST, ''Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher,'' [http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-67r1.pdf Special Publication 800-67], page 14</ref>

These weak and semi-weak keys are not considered "fatal flaws" of DES. There are 2<sup>56</sup> (7.21 &times; 10<sup>16</sup>, about 72 quadrillion) possible keys for DES, of which four are weak and twelve are semi-weak. This is such a tiny fraction of the possible keyspace that users do not need to worry. If they so desire, they can check for weak or semi-weak keys when the keys are generated. They are very few, and easy to recognize. Note, however, that currently DES is no longer recommended for general use since [[Data Encryption Standard#Brute-force attack|''all'' DES keys can be brute-forced]] it's been decades since the [[EFF DES cracker|Deep Crack]] machine was cracking them on the order of days, and as computers tend to do, more recent solutions are vastly cheaper on that time scale.  Examples of progress are in Deep Crack's article.