
# Prevent meet-in-the-middle attacks with TDES encryption

## Don't let meet-in-the-middle attacks decrypt your sensitive data. Learn how to use the triple DES encryption algorithm to prevent such attacks, with expert Randall Gamby.

Is a meet-in-the-middle attack possible if a two-key TDES is used, such that the message is encrypted first with Key 1, then encrypted again with Key 2, and finally encrypted again with Key 2, that is: `EK1(EK2(EK2(M)))`?

Great question! Too many people concentrate on the encryption method rather than on how the encryption is generated....

Yes, encryption "keys" are the key factor in protecting the data.

Triple DES can use three key scenarios: all three keys are independent; two keys are identical and one is independent; and finally, all three keys are identical. While no encryption method is totally uncrackable, the encryption method used -- including the number of keys -- increases the time and effort needed to break the encryption. Because each encryption level in Triple DES is only 56 bits, using three identical keys means once the key is uncovered (fairly easy with today's decrypting technologies), a meet-in-the-middle attack is possible because one key allows access to all the envelopes and the data payload. Using two keys provides 112-bit encryption (56 bits x 2) and generally is considered a safe way to prevent meet-in-the-middle attacks.

However, I'd recommend the following scenario: Encrypt first with Key 1, then encrypt again with Key 2, and finally, encrypt again with Key 1 -- this is also a NIST standard from NIST Special Publication 800-57 Recommendation for Key Management — Part 1: General (Revised), May 2006. The reason behind this recommendation is that meet-in-the-middle attackers will be required to break through two different levels of encryption, making it doubly hard to get to the data payload. If someone were to use the scenario you list, once an attacker decrypts the outer shell of the packet, he or she can easily get to the next shell, and then work on the encrypted data payload. I'd prefer the hacker to work to get through the first shell, and then find the next shell with a new encryption based on a different key. Assuming the same level of effort is needed to break the second key, the attacker may give up and go on to easier targets. Plus, if the attacker can break the two keys in the shell, then he or she can probably break the key used for the data payload. Of course, if you want the ultimate protection provided by Triple DES, you should use three independent keys: this is the U.S. Government's standard deployment.
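As an added example, not part of the original Q&A, the Go program below builds TDES in its standard EDE form from single-DES stages so the three keying options the answer describes can be compared on one block. It uses only the standard library's `crypto/des`; the helper names, keys and the 8-byte message are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// mustDES returns a single-DES block cipher for an 8-byte key (56 effective bits).
func mustDES(k []byte) cipher.Block {
	c, err := des.NewCipher(k)
	if err != nil {
		panic(err)
	}
	return c
}

// tdesEncryptBlock builds TDES from single-DES stages as E_K3(D_K2(E_K1(m))).
// Pass k3 == k1 for the two-key option (K1, K2, K1); k1 == k2 == k3 for one key.
func tdesEncryptBlock(k1, k2, k3, m []byte) []byte {
	out := make([]byte, des.BlockSize)
	mustDES(k1).Encrypt(out, m)
	mustDES(k2).Decrypt(out, out) // the middle stage decrypts: the "D" in EDE
	mustDES(k3).Encrypt(out, out)
	return out
}

// singleDESEncryptBlock encrypts one block with plain DES under key k.
func singleDESEncryptBlock(k, m []byte) []byte {
	out := make([]byte, des.BlockSize)
	mustDES(k).Encrypt(out, m)
	return out
}

// oneKeyCollapsesToSingleDES shows why three identical keys buy nothing over DES:
// D_K(E_K(m)) = m, so E_K(D_K(E_K(m))) is just E_K(m).
func oneKeyCollapsesToSingleDES(k, m []byte) bool {
	return bytes.Equal(tdesEncryptBlock(k, k, k, m), singleDESEncryptBlock(k, m))
}

func main() {
	// Constructed sample keys and block; not values from the original page.
	k1, k2 := []byte("key1key1"), []byte("key2key2")
	m := []byte("8bytemsg")
	fmt.Printf("two-key (K1,K2,K1): %x\n", tdesEncryptBlock(k1, k2, k1, m))
	fmt.Printf("one-key TDES:       %x\n", tdesEncryptBlock(k1, k1, k1, m))
	fmt.Printf("single DES (K1):    %x  collapse: %v\n", singleDESEncryptBlock(k1, m), oneKeyCollapsesToSingleDES(k1, m))
}
```

The one-key output is byte-for-byte the single-DES ciphertext, which is the collapse the answer warns about; the two-key form is what the 24-byte K1||K2||K1 key to `des.NewTripleDESCipher` computes.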

This was last published in November 2009
