Triple DES: How strong is the data encryption standard?
Expert Jon Callas explains how strong the Triple DES symmetric encryption algorithm actually is and offers guidance on how it compares to other widely used block ciphers.
The Data Encryption Standard encryption algorithm on which Triple DES is based was first published in 1975. Over...
Continue Reading This Article
Enjoy this article as well as all of our content, including EGuides, news, tips and more.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.
the years, as computers grew faster, the block cipher with a simple 56bit key proved vulnerable to brute force attacks. Then, in 1999, the lifetime of DES was extended by tripling the key size of the cipher and encrypting data in three passes in the new Triple DES specification.
After more than 40 years of DES, and 20 years of 3DES, the algorithm is showing its age: the National Institute of Standards and Technology (NIST) disallowed the use of DES for anything but legacy use in 1999, and twokey 3DES got the hook in 2015. However, the venerable block cipher is still important to understand, both because it is still used to decrypt legacy data, and because, when used with three unique keys, Triple DES is still considered strong enough to protect data.
Part of what Triple DES does is to protect against brute force attacks. The original DES symmetric encryption algorithm specified the use of 56bit keys  not enough, by 1999, to protect against practical brute force attacks. Triple DES specifies the use of three distinct DES keys, for a total key length of 168 bits. While NIST disallowed the use of twokey 3DES for encryption, it is still approved for legacy use  though there are still questions over whether using three distinct DES keys for 3DES provides the strength of a single 168bit key.
But does 3DES really deliver 168 bits of encryption strength? Not everyone agrees, but cryptographer Jon Callas explains how, and why, the useful life of the DES symmetric key encryption algorithm has been extended through the use of three (and not two or four) encryption rounds with unique keys.
Triple DES encryption process
What we all call Triple DES operates in three steps: EncryptDecryptEncrypt (EDE). It works by taking three 56bit keys (K1, K2 and K3), and encrypting first with K1, decrypting next with K2 and encrypting a last time with K3.
3DES has twokey and threekey versions. In the twokey version, the same algorithm runs three times, but uses K1 for the first and last steps. In other words, K1 = K3. Note that if K1 = K2 = K3, then Triple DES is really Single DES.
Triple DES was created back when DES was becoming weaker than users accepted. As a result, they sought an easy way to get more strength. In a system that is dependent on DES, making a composite function out of multiple passes of DES is likely to be easier than bolting in a new symmetric cipher. This has the added benefit of sidestepping the political issues that arise from arguing about the relative strength of a new cipher versus DES.
Keying options and encryption modes
As it turns out, when you compose a cipher into a new one, you can't use a double enciphering. There is a class of attacks called meetinthemiddle attacks in which you encrypt from one end, decrypt from the other and start looking for collisions  keys that produce the same answer in either direction. With sufficient memory, Double DES  or any other cipher run twice  would only be twice as strong as the base cipher. In other words, the double cipher would only be as strong as the same cipher run once, but with a key that was one bit longer.
But that's not all: If the cipher forms a group, then encrypting twice with two keys is equivalent to encrypting once with some other key. It's not trivial to know what that other key is, but it does mean that a brute force attack would find that third key as it tried all the possible single keys. So if the cipher is a group, then multiple ciphering is merely a waste of time.
A group is a relationship between a set and an operator. If they behave more or less the way integers do with addition, they form a group. If you keep encrypting a block and it makes a full circuit over the set of possible blocks, that also forms a group.
As you might guess, DES is not a group. If it were, we wouldn't be discussing this at all. However, DES does have known structural features in it that make people say it's not strongly not a group (in other words, it might be a group). For example, there are known loops in DES where, if you keep encrypting with the same key, you run around in a long loop.
With Triple DES, therefore, each of the three rounds can be run in either direction  encrypt or decrypt  using the DES algorithm. This results in eight different possible modes for Triple DES.
Those structural features are why you wouldn't want to use EEE or DDD mode if there were a better option, just as you wouldn't want to use EED, DEE, DDE or EDD. Because of the weaknongroupness of DES, EDE or DED compositions work best. And EncryptDecryptEncrypt just makes more sense  if you use DecryptEncryptDecrypt, you have to explain why your Triple DES encryption starts with decryption.
Strength of Triple DES
The reason for going through this multiple encryption exercise is to build a composite cipher that is stronger than Single DES. Because of meetinthemiddle attacks, Double DES is only one bit stronger than Single DES. Twokey Triple DES (which is no longer approved for encryption due to its susceptibility to brute force attacks) thus has 112 bits of strength (56 multiplied by two).
But what about the threekey version of Triple DES? Common sense dictates it should be at least as strong as twokey Triple DES, but how much stronger? The answer is that no one knows.
I've seen arguments suggesting Triple DES always has 112 bits of strength. I've seen arguments suggesting it has the full 168 bits. (Note that this ignores the obvious weak keys, like K1 = K2.) I don't like either argument, and actually think that the ones that suggest you never get more than 112 bits are better arguments  even though I disagree.
One thing to remember is that, in cryptography, there's a difference between a theoretical attack and a real one. Let's suppose I came up with an attack that needed 2^80 cipher blocks, which would reduce the strength of threekey Triple DES to no stronger than 112 bits. This attack would be worthy of publication, but it would not be practical. A terablock (eight terabytes) is 2^40 blocks. With this attack, you would need eight teraterabytes (or, eight trillion trillion bytes) of memory and a CPU that could address that much. Also, you could defend against this attack by rekeying after encrypting just a few million terabytes of data.
So let's come right down to where I live  practical cryptography. If you ask a good cryptographer if 168bit Triple DES is weaker than other standard 128bit ciphers, like Blowfish, CAST or the Advanced Encryption Standard, they'll almost certainly say no  if you ask the right way. An example of asking the right way would be, "So, are you saying I should use Blowfish instead of Triple DES because it's stronger?"
Even if they think Triple DES is pretty weak, you'll probably get a response like, "Mmmmmm, no, no, that's not what I'm saying," followed by a discussion similar to this one. Likewise, a good cryptographer won't tell you to use Triple DES because it's a stronger alternative to any of the standard 128bit ciphers.
Therefore, by practical reasoning, Triple DES is about as strong as 128bit ciphers. It seems safe to guess, therefore, that Triple DES is stronger than 112 bits, but not as strong as the full 168. Somewhere between 113 and 167, 128 bits seems to be a good, conservative compromise for estimating the strength of threekey Triple DES.
That is why we usually compare Triple DES with 128bit ciphers. If DES were strongly not a group, then it would be 168 bits. Because DES is definitely not a group, but has weakness in that property, we don't exactly know how strong it is, but no one thinks it's all that much weaker than 128 bits. So we just lump it in with the 128bit ciphers.
Dig Deeper on Disk and file encryption tools
PRO+
Content
Find more PRO+ content and other member only offers, here.

Buyer's Handbook
Finding a secure managed file transfer tool: Key considerations
Please create a username to comment.