Triple DES

From Citizendium
Revision as of 09:31, 23 July 2009 by imported>Sandy Harris
Jump to navigation Jump to search

The Data Encryption Standard, or DES, is in some ways an excellent block cipher; it has withstood decades of analysis with no catastrophic flaws found. However, it has only a 56-bit key which makes it vulnerable to brute force attacks. THE DES article has discussion of the weakness and several proposed solutions.

The most widely used method of deriving a stronger cipher from DES is Triple DES or 3DES; apply DES three times with different keys.

Just applying DES twice, double DES, is ineffective. Using two 56-bit keys gives 112 total key bits, so a brute force attack needs 2111 encryptions. However, brute force is not the best attack. A meet-in-the-middle attack needs only 257 DES operations, though a large amount of memory is also required. That is, double DES is only four times stronger than DES, which can be broken by brute force with an average of 255 encryptions.

Triple DES is effective. Apply DES three times with two or three different keys. This is also vulnerable to a meet-in-the-middle attack, but the work factor for that attack is 2112. That provides adequate protection for many applications, and no better attack is known.

Triple DES can be somewhat slow compared to other ciphers. It requires three DES encryptions per block. DES was designed for hardware implementation and includes some operations which are difficult in software. For new applications, a newer cipher will generally be both faster and more secure. Triple DES provides only 2112 strength against a meet-in-the-middle attack. Any of the AES generation of ciphers is completely resistant to that attack, and for most of them no known attack is better than brute force which has cost 2127.

Triple DES is, however, still widely deployed in legacy applications. Consider a bank with several thousand ATM machines, with built-in hardware or well-tested software for triple DES. Changing those will certainly be expensive and will entail some risk of bugs in the new system; it may not be worth it.

Triple DES can be done with three keys, two keys or just one key, though the one-key variant should never be used. In all cases, the order of operations is EDE or encrypt-decrypt-encrypt.

The three-key variant is widely used; for example RFC 2451 specifies it for use in IPsec.

In the two-key variant the first and third keys are the same. This gives a saving in key storage and key transmission overheads, only 112 bits are required rather than 168. Either two-key or three-key 3DES has 2112 strength against a meet-in-the-middle attack, and that is the best known attack against either. The three-key variant is stronger against brute force, but that does not matter much since a better attack is known. Overall, it appears the two-key variant is just as strong.

The one-key variant is a "worst of both worlds" solution, the overheads of triple DES (three times those of DES) with the security of DES (inadequate against brute force attacks). The only possible reason to use this would be to make two systems communicate when one can only do DES and the other only Triple DES. Using one-key Triple DES on one end would allow encrypted communication, but it would only be as secure as DES.