Expert advice: Encryption 101 -- Triple DES explained

This commentary is the full response to an Ask the Expert question in the Secure Messaging category. Read the full question here.

What we all call Triple DES is EDE (encrypt, decrypt, encrypt). The way that it works is that you take three 56-bit keys, and encrypt with K1, decrypt with K2 and encrypt with K3. There are two-key and three-key versions. Think of the two-key version as merely one where K1=K3. Note that if K1=K2=K3, then Triple DES is really Single DES.

Triple DES was created back when DES was getting a bit weaker than people were comfortable with. As a result, they wanted an easy way to get more strength. In a system dependent on DES, making a composite function out of multiple DESes is likely to be easier than bolting in a new cipher and sidesteps the political issue of arguing that the new cipher is better than DES.

As it turns out, when you compose a cipher into a new one, you can't use a double enciphering. There is a class of attacks called meet-in-the-middle attacks, in which you encrypt from one end, decrypt from the other, and start looking for collisions (things that give you the same answer). With sufficient memory, Double DES (or any other cipher) would only be twice as strong as the base cipher -- or one bit more in strength.

There's more to it. If the cipher forms a group, then encrypting twice with two keys is equivalent to encrypting once with some key. Now, it's not trivial to know what that other key is, but it means that a brute-force attack would find that third key as it tried all possible single-keys. So if the cipher's a group, then multiple-ciphering is merely a waste of time.

In case you don't know what a group is, permit me a quick explanation. A group is a relationship between a set and an operator. If they behave more or less the way integers do with addition, they form a group. If you could keep encrypting a block and it would make a full circuit over the set of possible blocks, that would also form a group.

As you might guess, DES is not a group. If it was, we wouldn't be discussing this at all. However, DES does have known structural things in it that make people say that it's not strongly not-a-group. There are, for example, known loops in DES where if you keep encrypting with the same key, you run around in a long loop.

These structural weaknesses are why you wouldn't want to use EEE or DDD mode if you had a better option. You also wouldn't want to use EED, DEE, DDE or EDD for the same reason. Because of the weak-non-groupness of DES, you want to use EDE or DED compositions. And EDE just makes more sense -- if you use DED you have to explain to people why your Triple DES encryption starts with decrypting.

Now then, remember that the reason we're going through this multiple-encryption exercise is because we want to make a composite cipher that is stronger than single DES. Because of the meet-in-the-middle attack, double DES is only one-bit stronger than single DES. Two-key triple DES thus has 112 bits of strength. But what about the three-key version of triple DES? Common sense dictates it would be at least as strong as two-key triple DES, but how much stronger?

The answer is that no one knows. I've seen arguments suggest Triple DES always has 112 bits of strength. I've seen them that it has the full 168 bits. (Note that we're ignoring the obvious weak keys, like K1=K2.) I don't like either, myself, and actually think that the ones that you don't ever get more than 112 bits are better arguments, even though I disagree.

One thing to remember is that in cryptography there's a difference between a theoretic attack and a real one. Let's suppose, for example, I came up with an attack that needed 2^80 cipher blocks, and then could always make three-key Triple DES be no stronger than 112 bits.

That's worthy of publication, but it's not practical. A tera-block (eight terabytes) is 2^40 blocks. With this attack, you need eight-tera-tera-bytes of memory and a CPU that can address that much. Also, you could defend against this attack by re-keying after a mere few million terabytes of data.

So let's come right down to where I live -- practical cryptography. If you ask a good cryptographer if 168-bit Triple DES is weaker than some standard 128-bit cipher (CAST, Blowfish, AES, etc.), they'll almost certainly say no -- if you ask the right way. An example of asking the right way would be something like, "Oh, so you're saying I should use Blowfish instead of Triple DES because it's stronger." Even if they think that Triple DES is pretty weak, you'll probably get, "Mmmmmm, no, no, that's not what I'm saying" as an answer, and then maybe a discussion similar to this one. Similarly, a good cryptographer isn't going to tell you to use Triple DES as a stronger alternative to any of the standard 128-bit ciphers.

Therefore, by practical reasoning, it's about as strong as them. It seems safe to guess that Triple DES is stronger than 112 bits, and not as strong as the full 168. Somewhere between 113 and 167, 128 seems to be a good, conservative compromise.

There you have it, the long explanation of why we just lump Triple DES in with 128-bit ciphers. If DES were strongly not-a-group, then it would be 168 bits. Because DES is definitely not a group, but has weakness in that property, we don't exactly know how strong it is, but no one thinks it's all that much weaker than 128. So we just lump it in with the 128-bit ciphers.

Ask the Expert: One-time pads explained

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Disk Encryption and File Encryption Websense, Reconnex top Forrester ranking of DLP vendors Embedded Security Safeguards Laptops Should whole disk encryption products be used with data backup software? Does FTPS encrypt data packets at the hardware or software level? Should disks be encrypted at the hardware level? Is Triple DES a more secure encryption scheme than DUKPT? Windows BitLocker: Enabling disk encryption for data protection NAC, disk encryption gaining attention, survey shows Symantec fills gap with whole disk storage encryption Case Study: Company Deploys Full-Disk Encryption on All Laptops Tech Tips The 5 A's of functional SAN security Effective storage security policies Smart options for safeguarding stored data Outfox SOX: How to make regulations work for you Thwarting Hacker Techniques: Signs of a compromised system Thwarting Hacker Techniques: Wireless security basics Thwarting Hacker Techniques: Internet data manipulation Thwarting Hacker Techniques: Securing remote access points Roberta Bragg's 10 Windows hardening tips in 10 minutes Thwarting Hacker Techniques: Combating social engineers RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Advanced Encryption Standard  (SearchSecurity.com) data key  (SearchSecurity.com) Encrypting File System  (SearchSecurity.com) Escrowed Encryption Standard  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) network encryption  (SearchSecurity.com) output feedback  (SearchSecurity.com) quantum cryptography  (SearchSecurity.com) Quiz: Cryptography  (SearchSecurity.com) Rijndael  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.