Triple DES: Difference between revisions

From Citizendium
imported>Sandy Harris
(create as redirect; should probably become real page later)
 
imported>Sandy Harris
(convert from redirect to article, using text from block cipher)
Line 1: Line 1:
#REDIRECT [[Block_cipher#Triple_DES]]
Another way to derive a stronger cipher from DES is to apply DES multiple times with different keys.
 
Just applying DES twice, '''double DES''', is '''ineffective'''. Using two 56-bit keys gives 112 total key bits, so a [[brute force]] attack needs 2<sup>111</sup> encryptions. However, brute force is not the best attack. A [[meet-in-the-middle attack]] needs only 2<sup>57</sup> DES operations, though a large amount of memory is also required. That is, double DES is only four times stronger than DES, which can be broken by [[brute force]] with an average of 2<sup>55</sup> encryptions.
 
'''Triple DES''' or '''3DES''' is '''effective'''. Apply DES three times with two or three different keys. This is also vulnerable to a meet-in-the-middle attack, but the work factor for that attack is 2<sup>112</sup>. That provides adequate protection for many applications, and no better attack is known.
 
Triple DES can be somewhat slow compared to other ciphers. It requires three DES encryptions per block. DES was designed for hardware implementation and includes some operations which are difficult in software. For new applications, '''a newer cipher will generally be both faster and more secure'''. Triple DES provides only 2<sup>112</sup> strength against a [[meet-in-the-middle attack]]. Any of the [[#The_AES_generation | AES generation]] of ciphers is completely resistant to that attack, and for most of them no known attack is better than brute force which has cost 2<sup>127</sup>.
 
Triple DES is, however, still '''widely deployed in legacy applications'''. Consider a bank with several thousand ATM machines, with built-in hardware or well-tested software for triple DES. Changing those will certainly be expensive and will entail some risk of bugs in the new system; it may not be worth it.
 
Triple DES can be done with three keys, two keys or just one key, though the one-key variant should never be used. In all cases, the order of operations is EDE or encrypt-decrypt-encrypt.
 
The three-key variant is widely used; for example RFC 2451 specifies it for use in [[IPsec]].
 
In the two-key variant the first and third keys are the same. This gives a saving in key storage and key transmission overheads, only 112 bits are required rather than 168. Either two-key or three-key 3DES has 2<sup>112</sup> strength against a meet-in-the-middle attack, and that is the best known attack against either. The three-key variant is stronger against brute force, but that does not matter much since a better attack is known. Overall, it appears the two-key variant is just as strong.
 
The one-key variant is a "worst of both worlds" solution, the overheads of triple DES (three times those of DES) with the security of DES (inadequate against brute force attacks). The only possible reason to use this would be to make two systems communicate when one can only do DES and the other only Triple DES. Using one-key Triple DES on one end would allow encrypted communication, but it would only be as secure as DES.
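Review bot: the link [[#The_AES_generation | AES generation]] in the performance paragraph is a same-page anchor, and the edit summary says this text was taken from the block cipher article, so on this page it has no section to resolve to. Pointing it at the source page, for example [[Block_cipher#The_AES_generation | AES generation]], would keep it working. The opening sentence "Another way to derive a stronger cipher from DES" also leans on text that came before it in the source article; as the first line of a standalone page it would read better as a direct definition of Triple DES.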

Revision as of 00:52, 23 July 2009

Another way to derive a stronger cipher from DES is to apply DES multiple times with different keys.

Just applying DES twice, double DES, is ineffective. Using two 56-bit keys gives 112 total key bits, so a brute force attack needs 2<sup>111</sup> encryptions. However, brute force is not the best attack. A meet-in-the-middle attack needs only 2<sup>57</sup> DES operations, though a large amount of memory is also required. That is, double DES is only four times stronger than DES, which can be broken by brute force with an average of 2<sup>55</sup> encryptions.

Triple DES or 3DES is effective. Apply DES three times with two or three different keys. This is also vulnerable to a meet-in-the-middle attack, but the work factor for that attack is 2<sup>112</sup>. That provides adequate protection for many applications, and no better attack is known.

Triple DES can be somewhat slow compared to other ciphers. It requires three DES encryptions per block. DES was designed for hardware implementation and includes some operations which are difficult in software. For new applications, a newer cipher will generally be both faster and more secure. Triple DES provides only 2<sup>112</sup> strength against a meet-in-the-middle attack. Any of the AES generation of ciphers is completely resistant to that attack, and for most of them no known attack is better than brute force, which has cost 2<sup>127</sup>.

Triple DES is, however, still widely deployed in legacy applications. Consider a bank with several thousand ATM machines, with built-in hardware or well-tested software for triple DES. Changing those will certainly be expensive and will entail some risk of bugs in the new system; it may not be worth it.

Triple DES can be done with three keys, two keys or just one key, though the one-key variant should never be used. In all cases, the order of operations is EDE or encrypt-decrypt-encrypt.

The three-key variant is widely used; for example RFC 2451 specifies it for use in IPsec.

In the two-key variant the first and third keys are the same. This gives a saving in key storage and key transmission overheads: only 112 bits are required rather than 168. Either two-key or three-key 3DES has 2<sup>112</sup> strength against a meet-in-the-middle attack, and that is the best known attack against either. The three-key variant is stronger against brute force, but that does not matter much since a better attack is known. Overall, it appears the two-key variant is just as strong.

The one-key variant is a "worst of both worlds" solution: the overheads of triple DES (three times those of DES) with the security of DES (inadequate against brute force attacks). The only possible reason to use this would be to make two systems communicate when one can only do DES and the other only Triple DES. Using one-key Triple DES on one end would allow encrypted communication, but it would only be as secure as DES.
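The keying options above can be checked before a key bundle is accepted. The following is an added example, not part of the original article: it classifies a 16- or 24-byte 3DES bundle as three-key, two-key, or collapsed to single-DES strength, comparing keys with the parity bit of each byte cleared because DES does not use those bits. The function names, the sample keys, and the toy cipher (which is not DES and only illustrates the EDE cancellation) are constructed for illustration.

```python
import hmac

def effective(k: bytes) -> bytes:
    """Key bits DES actually uses: the low bit of each byte is parity, so clear it."""
    return bytes(b & 0xFE for b in k)

def split_bundle(bundle: bytes):
    """Split a 16- or 24-byte bundle into (K1, K2, K3); 16 bytes means K3 = K1."""
    if len(bundle) == 16:
        bundle += bundle[:8]
    if len(bundle) != 24:
        raise ValueError("3DES key bundle must be 16 or 24 bytes")
    return bundle[:8], bundle[8:16], bundle[16:]

def classify(bundle: bytes) -> str:
    k1, k2, k3 = (effective(k) for k in split_bundle(bundle))
    eq = hmac.compare_digest  # constant-time comparison of secret key material
    # EDE is E_K3(D_K2(E_K1(x))): K1 == K2 cancels the first two steps and
    # K2 == K3 cancels the last two, leaving one DES encryption either way.
    if eq(k1, k2) or eq(k2, k3):
        return "single-des"
    return "two-key" if eq(k1, k3) else "three-key"

# Toy invertible 64-bit cipher (NOT DES), used only to show the cancellation.
M, ODD = 2**64, 0x9E3779B97F4A7C15  # odd multiplier, so invertible mod 2^64

def toy_e(k: int, x: int) -> int:
    return ((x ^ k) * ODD + k) % M

def toy_d(k: int, y: int) -> int:
    return (((y - k) * pow(ODD, -1, M)) % M) ^ k

def toy_ede(bundle: bytes, x: int) -> int:
    k1, k2, k3 = (int.from_bytes(effective(k), "big") for k in split_bundle(bundle))
    return toy_e(k3, toy_d(k2, toy_e(k1, x)))

# Constructed sample keys (not real key material).
KA = bytes.fromhex("0123456789abcdef")
KB = bytes.fromhex("fedcba9876543210")
KC = bytes.fromhex("1032547698badcfe")
KA_PARITY = bytes(b ^ 1 for b in KA)  # differs from KA only in the parity bits

if __name__ == "__main__":
    for bundle in (KA + KB + KC, KA + KB, KA + KB + KA_PARITY, KA + KA_PARITY + KB, KA * 3):
        print(bundle.hex(), "->", classify(bundle))
```

A bundle whose K2 differs from K1 only in parity bits looks like three distinct keys byte for byte, yet it is classified as single-DES strength, which is the case a plain byte comparison misses.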