Introduction to EMV cryptography

Introduction to cryptography

General concept
Cryptography plays a Central role in the development of card technologies. In applications related to transaction processing, typical tasks for various fields of technology are solved to protect information from unauthorized access, which include:
ensuring the integrity of information (it is impossible for a third party located between the participants of the information exchange to modify the transmitted information in such a way that the receiving party does not notice it);
ensuring the confidentiality of information (it is impossible for a third party located between the participants of the information exchange to obtain information contained in messages transmitted between the participants);
authentication of the information source (confirmation that the transmitting party is the author of the transmitted message, i.e. it is impossible for a third party to assign the authorship of the message on behalf of the participant in the information exchange);
notarization of information (it is impossible to refuse the authorship of the message, in card applications this property is sometimes called non-repudiation — the inability to refuse the result of the operation).
Various cryptographic algorithms, otherwise called encryption algorithms, are used to solve these problems. The encryption algorithm defines a one-to-one conversion that displays a set of possible messages from the sender, the contents of which must be hidden from a third party, into a set of messages, also called cryptotext, that are understandable only to the sender and recipient.
All encryption algorithms are divided into two classes:
symmetric encryption algorithms;
asymmetric encryption algorithms.
Symmetric encryption algorithms are based on the use of a common secret, called a key, by both sides of an information exchange. Knowledge of the key X completely determines the cryptographic transformation Z-Ex (Y)r, which is otherwise called message y classification. This transformation is one-to-one, i.e. there is a function E~l(Z)such that for any Z and Y connected by the equality Z = Ex(Y) r, y = E~1(Z) is true. Reverse conversion is often referred to as decrypting or decrypting a z message.
Symmetric algorithms appeared in ancient times to classify important messages. Already famous Greek historian Herodotus (V century BC) gave examples of letters that are understandable only to the sender and recipient. The Spartans used a mechanical device with which important messages were written in a special way that ensures the secrecy of the message.
The most reliable symmetric cryptographic algorithm is the Vernam code. The essence of this algorithm is that for each sent message Y, represented as a sequence of binary zeros and ones, a random law generates a sequence of 0 and 1 of the same length as the sent message. In this case, the sequence members are independent random variables that take the values 0 or 1 with the same probability of 0.5. the Random sequence plays the role of a one-time key x in the Vernam scheme. Then the cryptographic transformation consists of bitwise addition modulo 2 of the values X and y. It is obvious that to” open ” the described cryptographic algorithm (i.e. to determine Y), it is necessary to iterate through all possible values of the x key.
The obvious disadvantages of this method are the need to pass the recipient the value of the x key for each encrypted message, as well as the variable key length equal to the length of the encrypted message. Of course, the various key values in the Vernam scheme could be renumbered and passed to the recipient in a reliable way once (for example, by passing a file with key values from the sender to the recipient). After that, at the end of each encrypted message, you can tell the recipient what number of key values the sender used to classify the message. But it is obvious that the volume of possible key values must be commensurate with the amount of information exchanged between the parties, and this leads to the fact that the Vernam scheme is practically not used (today this scheme is used for transmitting very important secret information).
Other symmetric algorithms are based on the principle of multiple use of a relatively small key. Such algorithms allow converting various messages Y, Yf…, Yn in such a way that even knowing the values of the function Zf-E^Yj) (g = 1,…, n) for a sufficiently “large” number of messages n, it is impossible to determine the value of the key x.
The essence of asymmetric algorithms (otherwise, schemes based on such algorithms are called cryptosystems with public or public keys) is as follows. In mathematics, there are known functions E for which the inverse function D is calculated quite difficult if some parameter is unknown (in cryptographic schemes, this parameter becomes a secret key). Function E is available to anyone who wants to send a message intended for the owner of the parameter. To encrypt the information sent to the owner of the parameter, it is enough to apply a known (open) conversion to the transmitted message. After that, the owner of the parameter, using the inverse transformation D (closed transformation), which is based on the parameter stored by it, easily decrypts the received message. On the contrary, a person who does not have the desired parameter “will not be able” to calculate the opposite preobra-
call and, therefore, restore the transmitted message. The concept of “fail” has a fairly specific meaning, which will be explained later when considering specific cryptographic algorithms.
Asymmetric algorithms are an ideal mechanism for solving problems of ensuring the integrity of transmitted information and authenticating its source. To solve these tasks by using schemes with the public keys in the following way. First of all, an open transformation H (Y) r called a hash function is applied to the transmitted message Y(below, without generality restriction, it is assumed that the message Y has a binary representation), which cards the message Y to a fixed-length binary sequence. The value of a hash function for a certain message is called the digest or hash code of that message. The set of hash function values will be denoted by M.
Obviously, the transformation H(Y) is not one-to-one, since the set of values Y is infinite (note that this set is even uncountable), while the cardinality of the set M is limited.
After a certain message Y has its digest H(Y) calculated, a closed transformation D(H(Y)) is applied to the latter, the parameters of which are known only to the sender of the message. The value s = D(H(Y)) is called an electronic digital signature (EDS) of the message Y.
To verify the digital signature, the receiving party applies the reverse open transformation E to s and compares the received value /?: = f(s) with the value h2 = H(Y’)r where Y’ is the received message. In General, the received message Y ‘ may differ from the transmitted message Y (for example, due to an attempt by a third party to distort the transmitted message).
If f = h2, the EDS is correct. Using digital signature verification, first, the source of information (the transmitting party) is authenticated, since only the transmitting party knows the secret of converting D(H(Y)), and second, the integrity of the received message is confirmed (Y = D).
Of the above-described design of the EDS, it follows that a hash function should satisfy two basic requirements: irreversibility and freedom from conflicts. Let’s explain these requirements.
Let le M-Irreversibility of H(Y) mean that for any value /em – it is difficult to find Y such that H{Y) = i This property is otherwise called the one-way property of the function H (Y). The necessity of this property follows from the fact that if it were not fulfilled, the fraudster located between the sender of the message Y and its recipient, intercepting the message Y and its signature 5, would be able to find such a Y that Y f Y’ and D(H(Y’))=s. By passing a pair of Y and s to the recipient of the message, the fraudster would thus change the message Y so that the recipient would not detect it. At the same time, the fraudster does not need to know the secret key of the sender of the message, which was used to create the EDS of the message.
Freedom from collisions means that it is difficult to match different values of Yx and Yy so that the equality H(Y:) = H(Y2) holds.
Executing the second property is a means of combating insider attacks, when the sender of a message selects a message Y to send to the recipient in such a way that it can select a message Y with a different meaning (Y*Y’), but with the same digest. In this case, the sender can always deny the authorship of the sent message To, claiming that the message y was actually sent.
Obviously, the properties of irreversibility and freedom from collisions do not follow from each other. For example, the function H(Y) may be irreversible, but at the same time there may be algorithms that allow you to build collisions for this function. A good illustration of this is the recent results that show the possibility of constructing collisions for the well-known and widely used in practice hashing algorithms MD5 and SHA-1.
The vulnerability of hash functions, which is a violation of the property of freedom from collisions, was first demonstrated in August 2004 by cryptanalysts from China. This was done using the MD5 hash function, which is widely used (for example, in the SSL algorithm). At the same time, it was pointed out that the approaches used in the works of Chinese specialists to the SHA – 1 hash function, adopted by the US National Institute of standards as a tool for creating EDS, could be applied.
However, the attacks described by Chinese scientists have so far been considered only as an academic experiment that is not applicable in practice. Recently German Krip-
topographers Stefan Lucks (Mannheim University) and Magnus Daum (Ruhr University) proved the fallacy of this opinion, demonstrating in the course of the experiment the possibility of real substitution of documents certified by EDS.
The resulting situation has already puzzled the experts on information security. It is quite possible that in the near future we will see the stop of using and replacing the hash functions of the MD5 and SHA-1 algorithms. If you imagine the widespread use of these algorithms, you will understand the scale and complexity of solving such a problem.
The need to implement the properties of irreversibility and freedom from collisions of the hash function imposes constraints on the function H(Y), but also on the cardinality of the set M. the cardinality of set M must be large enough (in practice the values H(Y) with a length from 128 to 256 bits, while the length of the value of the hash function is determined by the specific task).
The collision-free property has the following ill-formalized properties of the transformation H(Y):
messages Y are” uniformly “cardped using H(Y) to elements of the set M, i.e. each element of the set M corresponds to approximately the same number of messages Y displayed in this element and belonging to the set A of binary sequences of limited but” large ” length (approximately|/4|/|Af|, where |A|, \M\ are the powers of the set A and the set of hash function values, respectively);
the function H(Y) must not be continuous, i.e. the “proximity” of the values Y1 and K does not imply the “proximity” of the values H(YJ and H(YZ).
It is easy to show that the uniformity property of the display H(Y) implies that the probability that for any randomly selected messages Y] and Yz the equality /Y(Y’1) = H (Yz)r is equal to |Af|_1. In the case when the function H(Y) displays messages in the set of all binary sequences of length n, the probability of the event H(YJ = H (YZ) is equal to 2L the Length of the hash function value in practice is determined by the probability that the hash function values from two randomly selected messages are not equal to each other. For example, at n = 160, this probability is approximately 0.68-y ‘ 48, which makes the event H(Yl) = H (Yz) almost improbable.

Let’s now consider m<N=2n different messages for which the hash function value is calculated. Assuming that all the hash values are equally probable, we can estimate the probability P (t) that all the hash codes corresponding to these messages are different.

In other words, the probability P (t) becomes “palpable” when Tg / 2N = 1 or t~ 2P, g. Therefore, the longer the l, the lower the probability of a collision.
Now let’s look at how symmetric and asymmetric algorithms are used to solve the problem of ensuring the security of information exchange. Asymmetric encryption algorithms are usually used to authenticate the source of information and ensure its integrity. By their nature, these algorithms are designed to solve these problems in information exchange systems with a large number of users (closed conversion for signature and open conversion for signature verification).
Symmetric algorithms are usually used to solve the problem of ensuring the confidentiality of transmitted information. However, if the open and closed transformations in an asymmetric algorithm are defined on the same set of messages and are commutative, i.e. the equality E(D(Y)) = D(E(Y)) is fulfilled, then the asymmetric algorithm can also be used for message encryption. Indeed, the transmitting party converts message Y to message E[Y) using an open conversion of the message recipient. Then only the recipient of the message can perform the reverse conversion, which means that the content of the Message will be known only to the addressee, which is the solution to the problem of ensuring the confidentiality of information exchange.

It should be noted that many well-known asymmetric algorithms have the commutativity property (for example, the most famous RSA algorithm). However, in practice, the “encryption” property of such asymmetric algorithms is used very rarely and, as a rule, only for the two sides of an information exchange to exchange a symmetric encryption key at the beginning of a confidential dialog, which is then used to encrypt messages inside the dialog. This is due to the fact that with equal protection provided by symmetric and asymmetric algorithms, the former work 2-4 orders of magnitude faster than the latter. The speed of the algorithm (computational complexity of the algorithm) is a key factor in many information exchange systems, which determines the main role of symmetric algorithms in solving the problem of ensuring the confidentiality of data exchange.
The combination of symmetric and asymmetric encryption algorithms is also widely used in the EMV standard.
Currently, cryptographic methods are subject to standardization at the national and international levels. For example, Russia and the United States have three national standards for cryptography: the encryption algorithm standard, the digital signature standard, and the hashing function standard.
Cryptographic information security tools defined by ISO standards are based on the same three types of algorithms, as well as algorithms for public key distribution and asymmetric encryption.
In General, ISO standards do not define a specific encryption algorithm. The ISO 8732 and ISO 10116 standards regulate block cipher encryption modes. The ISO 10126-1 standard defines the General principles of message encryption in wholesale banking transactions, and the ISO 10126-2 — DES standard defines an algorithm for use in banking.
The ISO 14888-3 standard defines two broad classes of EDS schemes, the stability of which is based on the assumption of the complexity of solving factorization and discrete logarithm problems in a finite commutative group. The first class is satisfied, in particular, by the RSA scheme, the second-by the Schnorr scheme and all possible variants of the El Gamal scheme. These algorithms will be described in more detail below.
Thus, the ISO 14888 standard covers almost all really used EDS schemes. At the same time, the standard does not impose requirements for circuit parameters. As a result, the set of schemes defined by the standard includes algorithms for which EDS forgery can be performed using relatively small computing resources.
The ISO standards for calculating the message hash function are more specific. In particular, ISO 10118-3.4 standards define the hash functions SHA-1, PIPEMD-128, PIPEMD-160, MASH – 1, and MASH-2.
ISO standards are mainly recommendations for the selection of various cryptographic algorithms, in most cases without making specific requirements for their stability.
A brief overview of symmetric encryption algorithms
Let’s start with the most popular symmetric encryption algorithm in the world – the DES (Data Encryption Standard) algorithm.
The DES algorithm was developed by IBM and in 1977 was adopted by the National Institute of Standards and Technology as the US Government standard for encrypting information of the “less-than – top-secret” category (lower than the highest secrecy category). Since then, it has been re-certified as such a standard every 5 years until 1993. In 1998 The US national Institute of standards and technology refused to certify DES, which was due to the fact that the level of development of computer technology made it possible to open DES using relatively cheap computing tools.
DES is a so-called “block cipher” (when the encrypted information is processed by blocks of fixed length, in the case of DES, the block length is 64 bits) and has a key length of 56 bits (the key is represented by a binary sequence of 64 bits, which is obtained from the sequence of key bits by adding an odd-check bit after every 7 bits of the key; thus, in the binary representation of the key, the odd-check bits are in positions 8, 16, 24, 64
The DES algorithm is based on numerous nonlinear transformations (permutations, substitutions, shifts, compressions, and S-transformations) performed on individual elements of the encrypted block. Such transformations can be described by a system of nonlinear equations whose solution is an NP-complete problem (there is no known deterministic polynomial-complexity solution algorithm).
Let’s describe the operation of the DES algorithm very schematically. First, the 64-bit block of encrypted information w undergoes an initial fixed permutation (each bit of w occupies a position specified by a special table defined by DES). The resulting block W is represented as W= C0)||/?(0), where L(0), R(0) are the first (left) and last 32 bits of the W block respectively, the || sign denotes the concatenation (connection) of the blocks.
The DES algorithm is recursive. Having obtained for some p (1<p<16) the values of blocks L (n-1), R (n-l), blocks L (n), R (n), we define using the following equalities:
L(n) = R(n-l), R(n) = L(/7 -1) © /(R(n -1), K(n)), where © denotes bitwise addition modulo 2; the function / is defined below; and K(n) is a 48 — bit sequence obtained from the DES key using a fixed set of permutations, shifts, and substitutions defined in the DES standard. The crypttext of the encrypted block w is a block /.(16)||/?(16).
It is obvious from (B1) that the crypttext is decrypted using the following set of equalities:
R(n-l) = L(n)
L(n-l) = R (n)@mn), K(n)),
for 1<p<16. After calculating using these equations the values of the blocks.(0), /?(0) decryption of the initial block is complete.

A function /(x,y), where x is a binary variable with a length of 32 bits and the variable length of 48 bits, has a range of permissible values of the set of all sequences of length 32 bits and is constructed as follows. The x variable is “extended” to the 48-bit XG variable using the 6-column and 8-row table defined in the DES standard (the numbers at the intersection of the table’s rows and columns are called table elements; each table element takes a value from 1 to 32):

32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1

The” extension ” of variable x is performed as follows. All bits of variable x are renumbered from 1 to 32. In the given table, the value of a bit with a number equal to the value of this element is set instead of each of its elements. The result is a table of 6 columns and 8 rows, whose elements take the values 0 or 1. Imagine now the resulting table as a string with a length of 48 bits. To do this, take the first row of the table, keeping the sequence of elements in it, then the second row, and so on up to and including the eighth row of the table. The result is a string of 48 bits long, representing the variable XG
Then the variable x: is added bitwise modulo 2 with the variable y. The resulting block b, consisting of 48 bits, is divided into eight 6-bit blocks b = B1||B2||B3||B4||B5||B6||B7||B8. In turn, each of these eight blocks is converted to 4-bit blocks AJ \AG\A \ / L4| \ A5\ |L6[\A7\A] using special nonlinear transformations 5U…, 5g.Each S-transformation is defined in the DES algorithm by a table consisting of 4 rows and 16 columns. Table elements are whole decimal numbers that take values from 0 to 15.

O 8 13 3 12
9 1 10 14 3
7 14 10 15
10 7 9 5
11 2 14 15
13 0 11 7 4
1 4 11 13 12
b 11 13 8 1
7 5 10 b 1
12 2 15 8 b
8 0 5 9 2
O 15 14 2 3 12

Let’s take a table for converting 57 as an example. According to DES the table has the following format:
The table rows are numbered from top to bottom from 0 to 3, and the columns are numbered from left to right from 0 to 15.
Then the conversion 57 that displays block B7 (a sequence of bits ZVZ2, …,Z6) to AJt is constructed as follows. Two numbers are defined: 0<57<3 and 0<C7<15, whose binary representations are respectively 57 = (Z7Z6), CL = {Z/3Z/5). Next, the element located at the intersection of row 57 and column CL is selected from the table. Remember that the table elements are numbers from 0 to 15. Therefore, 4 bits are sufficient for a binary representation of any number of the table. The binary representation of the selected table element is a 4-bit sequence L?.
The function definition is completed by applying the permutation defined in the DES standard to the 32-bit block AG\ \AG\AG|L4|\A5\A6\A7\ |L8.
The DES algorithm has a number of interesting properties. The first property concerning symmetry is almost obvious and consists in the fact that if in the encrypted block and the DES key all 0 is replaced by 1 and Vice versa, the result of encryption is a block that is obtained from the original crypttext by inversion of 0 and 1. Indeed, in DES, only permutations, substitutions, shifts and addition modulo 2 are used, which do not depend on how the digits 0 and 1 are “called”.
The second property is called the avalanche effect and is highly desirable from the point of view of secrecy: a slight change in the original message or key leads to significant changes in the crypttext.
DES was first published in 1973, and since then, so many different articles and sections have been written about IT in special books on cryptography around the world that it would seem that it should have been “opened”long ago. However, for a long time no there was not only a “breaking” of this cipher, but, in fact, even a decrease in the estimates of its cryptographic strength.
Today, there are several methods of opening the DES. The first and universal method consists of a complete search of all possible key variants and checking them for correct decryption before obtaining the true value. In the case of DES, you need to iterate over 256 (or approximately 7.2-1016) possible key variants.
Of course, the progress of computer technology in recent years has been so significant that sorting through all possible variants of the DES key no longer seems as improbable a task as it was in 1993. There are two successful public attacks on the DES algorithm, committed in 1999 with the involvement of computers connected to the Internet (open project). In the first case, the key was compromised in about 3 months, and 85% of all possible key values were analyzed to find it. In the second case, the key was opened in a few weeks, and it took about 25% of all the key values to go through. In addition, there is a known case when a computer built with the money of the Electronic Privacy Information Center organization and consisting of 1728 processors that provide a search of 88 billion key variants per second, opened DES in 56 hours of operation.
As a result, the DES algorithm is no longer considered reliable, and the simplest alternative is the Triple DES algorithm (otherwise known as 3DES), which uses a 112— bit key (double-length key) or 168-bit key (triple-length key).
Another method of opening DES is called differential cryptanalysis. It reduces the number of keys to check, but generally requires cryptotext for 247 values of the selected encrypted blocks. The method of differential cryptanalysis has proved difficult to implement in practice due to the excessively complex requirements for the open blocks chosen for encryption.
The ideas of differential cryptanalysis have found application in attacks on microprocessor cards, called the Differential Fault Attack. In these attacks, it is possible to make changes (errors) in the results of calculations performed on a certain cycle of the DES algorithm. In this case, the method of differential cryptanalysis allows you to reduce the search for possible DES keys to a fairly modest value, which is easily implemented in practice. For more information about using differential cryptanalysis in attacks on a microprocessor card
Another attack, known as linear cryptanalysis, allows you to recover the DES key by analyzing 243 open texts. The experimental linear DES cryptanalysis was first successfully implemented on 12 HP 9735 automated workstations and took 50 days.
An important advantage of DES is its high performance. So, DES is faster than the RSA algorithm (see below) the same cryptographic strength (for this purpose, the key length in RSA must be approximately 384 bits) is approximately 100 times if the software implementation of both cryptographic algorithms is used, and 1000-10, 000 times if the implementation of algorithms is used in specialized computing devices called Hardware Security Module.
Even the software implementation of DES on a personal computer can encrypt data at a speed of about 1 Mbit/s. Implementation of DES on microprocessor cards using a special coprocessor takes only 2-8 microseconds.
As already noted, in 1998, the national Institute of standards and technology refused to certify DES as a U.S. government standard. After several years of discussion, the American national Institute of standards and technology approved the new AES (Advanced Encryption Standard) block symmetric encryption algorithm instead of DES on October 2, 2000. The AES standard is based on the Rijndael block encryption algorithm
The new standard has a good chance of becoming international, if not de jure, then at least de facto. First, it is based on an algorithm adopted based on an open competition in which algorithms proposed by mathematicians from many countries of the world participated. Second, the winning algorithm was developed by Belgian cryptographers Vincent Rehmen and Jon Damen (the algorithm is called Rijndael by the first letters of its authors ‘surnames, in a transcription from Flemish, it is pronounced roughly as “Randal”). Rijndael’s Belgian, rather than American, origin should help AES gain recognition in Europe, which has long been suspicious of DES.
The Rijndael algorithm was thoroughly analyzed by specialists from the National Institute of standards and technology and the us national security Agency, as well as numerous other laboratories. However, no one was able to identify the vulnerabilities of this algorithm.
The Rijndael algorithm can work with keys of 128, 192, and 256 bits in length, and therefore it is protected from attacks by a full search of all possible keys in the foreseeable future. In addition, the algorithm combines high performance and moderate memory requirements. Therefore, it can be implemented in a variety of devices, including mobile phone SIM and smart cards. Finally, the Rijndael algorithm is not protected by patents and is available for free use in any products.
As a replacement for DES, the triple DES symmetric algorithm has become very popular in recent years. This algorithm typically uses a key consisting of two DES keys, and consists of three steps. At the first step, the 64-bit block is encrypted using the first key and the DES algorithm. At the second step, the crypttext obtained at the first step is decrypted using the second key and in accordance with the DES algorithm. In the last third step, the decryption result obtained in the second step is re-encrypted using the first key and the DES algorithm. The resulting 64-bit block is a Triple DES crypttext. Thus, the Triple DES algorithm requires using DES three times, which is where its name comes from.
It is obvious that to open the Triple DES algorithm with a key length of 112 bits, you will need to check 2SH (or approximately 5.2*1033) of different keys using the full search method.
In many well-known implementations, the encryption speed of the Triple DES algorithm is approximately 1.5-2.5 times lower than the DES performance.
Following the example of the United States in developing an open national encryption standard, the USSR adopted the state data encryption standard for computer networks in 1989. It received the designation GOST 28147-89 and was marked “for official use” until the end of the existence of the USSR itself. In Russia, it was officially adopted in 1992 as a data encryption standard along with other former USSR standards. The standard was formally declared fully “open” in may 1994. The GOST 28147-89 standard is a block cipher as well as DES. The length of the information block is also 64 bits. The key length is 256 bits, and there is no practical possibility of going through all the acceptable key variants not only today, but in the coming decades.
The encryption speed for the hardware implementation of GOST 28147-89 is 1.1 MB / s, and in the future it can be increased to 7-8 MB/s. Comparison of implementation performance on Pentium processors shows that the speed of the GOST 28147-89 encryption algorithm is approximately 2-3. 5 times lower than the speed of the Rijndael encryption algorithm.
Around the same time (in 1989), an alternative to the DES algorithm was developed and published as a draft of Japan’s open national data encryption standard, designated FEAL. It is also a block cipher, using a 64-bit block of data and a 64-bit key. However, neither it nor any other algorithm has been adopted to date as the national encryption standard of Japan.
In 1990, K. lay and J. Massey (Switzerland) proposed a draft international data encryption standard, called IDEA (International Data Encryption Algorithm), which is highly valued in the international cryptographic community and has been actively promoted in recent years by the efforts of international standardization organizations (primarily European ones) to become an official pan-European data encryption standard. The key length of the IDEA algorithm is 128 bits for encrypting a 64-bit block. As will become clear below, the algorithm will remain resistant to” hacking ” for the next few decades.
The IDEA algorithm uses three groups of operations — bitwise addition modulo 2, addition modulo 216, and multiplication modulo 216+1. Operations are performed on blocks of 16-bit length, resulting from dividing the encrypted block into 4 sub-blocks. The algorithm is cyclic— 8 transformation cycles are used.
Today, the IDEA algorithm is patented in the United States and most European countries. The patent holder is a company Ascom – Tech. Non-commercial use of the standard is free of charge.
Some cryptographic algorithms (in particular, DES, IDEA) when encrypting using certain keys can not cure the proper level of cryptographic stability. These keys are called weak keys. For DES, there are 4 weak keys and 12 semi-weak keys. And although the probability of getting into them is 16 / 256 = 2-10-16, in serious cryptographic systems, this can not be ignored.
The power of the set of weak IDEA keys is 251. However, due to the fact that the power of all IDEA keys is equal to 2128, the probability of hitting a weak key is about 3-107 times less than that of DES.
The IDEA algorithm is faster than Triple DES, but slower than DES. The encryption speed of the algorithm in the case of its software implementation on a Pentium-200 computer is about 15 Mbit/s.
The RC2 and RC4 algorithms are variable-length ciphers for very fast encryption of large amounts of information (developed by Ron Rivest). These two algorithms are faster than DES, and can increase security by selecting a longer key. The RC2 algorithm is block-based and can be used as an alternative to DES. The RC4 algorithm implements a stream cipher and is almost ten times faster than DES. The RC2 and RC4 algorithms with a 128-bit key length provide the same level of protection as IDEA. Relatively recently, RC5 and RC6 algorithms have appeared, which are the development of the mentioned RC2 and RC4 algorithms.the RC6 Algorithm was even nominated in the competition for the new Advanced Encryption Standard. In the nominated version, the RC6 block size was fixed at 128 bits, the number of cycles was 20, and the key size could take one of three values— 128, 192, and 256 bits.
The results of a comparative analysis of the algorithms discussed above are shown in table. B1,

Results of comparative analysis of symmetric encryption algorithms
The Crypto Algorithm
high Performance (Pentium-200), Mbit/with the key Length, bit
DES low 30 56
3DES is a good 12 112
IDEA good 15 128
GOST 28147-89 high 8 256