Great question! Too many people concentrate on the encryption method rather than on how the encryption is generated....
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Yes, encryption "keys" are the key factor in protecting the data.
Triple DES can use three key scenarios: All three keys are independent; two keys are identical and one is independent; and finally, all three keys are identical. While no encryption method is totally uncrackable, the encryption method used -- including the number of keys -- increases the time and effort needed to break the encryption. Because each encryption level in Triple DES is only 56 bits, using three identical keys means once the key is uncovered (fairly easy with today's decrypting technologies), a meet-in-the-middle attack is possible because one key allows access to all the envelopes and the data payload. Using two keys provides 112 bit encryption (56 bits x 2) and generally is considered a safe way to prevent meet-in-the-middle attacks.
However, I'd recommend the following scenario: Encrypt first with Key 1, then encrypt again with Key 2, and finally, encrypt again with Key 1 -- this is also a NIST standard from NIST Special Publication 800-57 Recommendation for Key Management — Part 1: General (Revised), May 2006. The reason behind this recommendation is that meet-in-the-middle attackers will be required to break through two different levels of encryption to make it doubly hard to get to the data payload. If someone were to use the scenario you list, once an attacker decrypts the outer shell of the packet, he or she can easily get to the next shell, and then work on the encrypted data payload. I'd prefer the hacker to work to get through the first shell, and then find the next shell with a new encryption based on a different key. Assuming the same level of effort is needed to break the second key, the attacker may give up and go on to easier targets. Plus, if the attacker can break the two keys in the shell, then he or she can probably break the key used for the data-payload. Of course, if you want the ultimate protection provided by Triple DES, you should use three independent keys: This is the U.S. Government's standard deployment.
For more information:
- Is Triple DES a more secure encryption scheme than DUKPT? Read more.
- Learn more about encryption vs. tokenization for credit card number security.
Related Q&A from Randall Gamby
Enterprise SSO products have matured over the years, so what's the state of eSSO today? Expert Randall Gamby discusses.continue reading
Enterprises need a full understanding of the FIDO authentication framework before switching to its technology. Expert Randall Gamby looks at the most...continue reading
A self-managed HSM appliance may be the safer external key management system to use with your organization's encryption keys. Here's why.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.