Triple DES

From Citizendium, the Citizens' Compendium
Jump to: navigation, search
This article is a stub and thus not approved.
Main Article
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
This editable Main Article is under development and not meant to be cited; by editing it you can help to improve it towards a future approved, citable version. These unapproved articles are subject to a disclaimer.

The Data Encryption Standard, or DES, is in some ways an excellent block cipher; it has withstood decades of analysis with no catastrophic flaws found. However, it has only a 56-bit key which makes it vulnerable to brute force attacks. The DES article has discussion of the weakness and several proposed solutions.

The most widely used method of deriving a stronger cipher from DES is Triple DES or 3DES; apply DES three times with different keys.

Just applying DES twice, double DES, is ineffective. Using two 56-bit keys gives 112 total key bits, so a brute force attack needs 2111 encryptions. However, brute force is not the best attack. A meet-in-the-middle attack needs only 257 DES operations, though a large amount of memory is also required. That is, double DES is only four times stronger than DES, which can be broken by brute force with an average of 255 encryptions.

Triple DES is effective. Apply DES three times with two or three different keys. This is also vulnerable to a meet-in-the-middle attack, but the work factor for that attack is 2112. That provides adequate protection for many applications, and no better attack is known.

Triple DES can be somewhat slow compared to other ciphers. It requires three DES encryptions per block. DES was designed for hardware implementation and includes some operations which are difficult in software. For new applications, a newer cipher will generally be both faster and more secure. Triple DES provides only 2112 strength against a meet-in-the-middle attack. Any of the AES generation of ciphers is completely resistant to that attack, and for most of them no known attack is better than brute force which has cost 2127.

Triple DES is, however, still widely deployed in legacy applications. Consider a bank with several thousand ATM machines, with built-in hardware or well-tested software for triple DES. Changing those will certainly be expensive and will entail some risk of bugs in the new system; it may not be worth it.

Triple DES is very likely strong enough. The Copocabana parallel machine breaks DES in a week and costs €9000. Banks can be attractive targets for anyone from thieves to seekers of financial intelligence; a serious attacker might apply large resources and be able to break DES quickly. However, even if an enemy has a machine that cracks the 56-bit DES key in a second, a 112-bit search is 256 times harder. Since 232 seconds is somewhat over a century, this ends up at over 224 centuries, well over 60 million years.

Triple DES can be done with three keys, two keys or just one key, though the one-key variant should never be used. In all cases, the order of operations is EDE or encrypt-decrypt-encrypt.

The three-key variant is widely used; for example RFC 2451 specifies it for use in IPsec.

In the two-key variant the first and third keys are the same, so only 112 key bits are used rather than 168. This gives savings in the overheads for generating, storing and transmitting keys. In many applications, these savings are not significant, but in some they may be important, Either two-key or three-key 3DES has 2112 strength against a meet-in-the-middle attack, and that is the best known attack against either. The three-key variant is stronger against brute force, but that does not matter much since a better attack is known. Overall, it appears the two-key variant is just as strong.

The one-key variant is a "worst of both worlds" solution, the overheads of triple DES (three times those of DES) with the security of DES (inadequate against brute force attacks). The only possible reason to use this would be to make two systems communicate when one can only do DES and the other only Triple DES. Using one-key Triple DES on one end would allow encrypted communication, but it would only be as secure as DES.