also, look at Susan Landau's article Standing the Test of Time: The Data Encryption Standard in the March 2000 issue of the Notices of the American Mathematical Society (pp. 341 - 349). This can be viewed on-line as a (.ps file) or a (.pdf file).
In 1977, Diffie and Hellman claimed that an appropriate machine consisting of a million LSI chips could try all 256 ~ 1017 keys in one day for the entire search. The cost would be about $20 million for such a machine.
In 1993, Michael Wiener gave a detailed design of a key search machine based on a chip that could test 5 x 107 keys per second, and could be built with current technology for $10.50 per chip. A frame consisting of 5760 chips can be built for $100,000 and would allow a DES key to be found in about 1.5 days on average. A machine using 10 frames would cost a million dollars but would reduce the search time to about 3.5 hours.
Starting in 1996, in an attempt to prove the inadequacy of this key length, Ron Rivest (through his company RSALabs) conducted four contests, offering cash rewards ($10,000) for any individual or group who could break a DES encrypted message. The first contest was won in Jan. 1997 by a group (Deschall - organized by Rake Verser) using a distributed network approach, taking 96 days. The second challenge was won in Feb. 1998 by another group (Distributed.Net) in 41 days. The third in July 1998 by the Electronic Frontier Foundation using a specially built computer (Deep Crack) costing less than $250,000 in 56 hours. The last contest was won in January 1999 by a combination of distributed network (Distributed.Net) and Deep Crack in 22 hours and 15 minutes.
2. S-box construction. The complete specifications of the S-boxes has remained secret. This has lead some to believe that NSA has a backdoor into the DES algorithm. However, in the 1990's IBM published its design criteria for the S-boxes to allay some of these concerns. The criteria indicate how the S-boxes were specified to prevent certain sophisticated cryptographic attacks (in particular differential cryptanalysis). The S-boxes satisfying these criteria were found by computer search. This however does not address any changes that NSA made to the S-box design.
In 1990, Brown, Piepzyk and Seberry at UNSW (Univ. of New South Wales - Australia) proposed a DES-like cipher LOKI which uses a full 64-bit key.
In the 1991, Biham and Shamir introduced a method called differential cryptanalysis and demonstrated that many symmetric cryptosystems can be broken by their method. This has been one of the most effective attacks on DES type systems.
DES was up for review by NIST in 1992 and the decision was made to keep it as a standard (to the surprise of many). It was not expected to remain a standard after the 1997 review, but due to NIST's activities concerning the new AES (Advanced Encryption Standard) the decision was made to keep DES as the standard (but only triple DES was to be considered secure). DES will be dropped as the standard (but triple DES will still be supported) in March 2002, and be replaced by AES.
AES is designed to withstand cryptographic attack against (unclassified) government information well into this new century. It is to be optionally used by the private sector. However, since it will provide far more security than DES does, this optionality is really a smoke screen, AES will become the defacto standard for the private sector. Information on the selection and specifics of the Rijndael algorithm for AES can be obtained on-line from NIST.
Another mode of operation is called cipher block chaining mode (CBC) in which the enciphered output of a message block is xor'ed with the next message block before it is run through DES. In this mode of operation, any altered message block will affect all the ciphertext blocks that follow it. This is a useful property in certain applications, in particular, in the construction of message authentication codes (MAC's).
Of course, if the entire transaction is to be done in secret, the plaintext and MAC can be run through DES (in any mode, but with a different key) before transmission.