Prevent meet-in-the-middle attacks with TDES encryption

Don't let meet-in-the-middle attacks decrypt your sensitive data. Learn how to use the triple DES encryption algorithm to prevent such attacks, with expert Randall Gamby.

Is a meet-in-the-middle attack possible if a two-key TDES is used? Such that the message is encrypted first with Key 1, then encrypted again with Key 2, and finally, encrypted again with Key 2, that is: EK1(EK2(EK2(M)))?

Great question! Too many people concentrate on the encryption method rather than on how the encryption is generated....

Yes, encryption "keys" are the key factor in protecting the data.

Triple DES can use three key scenarios: All three keys are independent; two keys are identical and one is independent; and finally, all three keys are identical. While no encryption method is totally uncrackable, the encryption method used -- including the number of keys -- increases the time and effort needed to break the encryption. Because each encryption level in Triple DES is only 56 bits, using three identical keys means once the key is uncovered (fairly easy with today's decrypting technologies), a meet-in-the-middle attack is possible because one key allows access to all the envelopes and the data payload. Using two keys provides 112 bit encryption (56 bits x 2) and generally is considered a safe way to prevent meet-in-the-middle attacks.

However, I'd recommend the following scenario: Encrypt first with Key 1, then encrypt again with Key 2, and finally, encrypt again with Key 1 -- this is also a NIST standard from NIST Special Publication 800-57 Recommendation for Key Management — Part 1: General (Revised), May 2006. The reason behind this recommendation is that meet-in-the-middle attackers will be required to break through two different levels of encryption to make it doubly hard to get to the data payload. If someone were to use the scenario you list, once an attacker decrypts the outer shell of the packet, he or she can easily get to the next shell, and then work on the encrypted data payload. I'd prefer the hacker to work to get through the first shell, and then find the next shell with a new encryption based on a different key. Assuming the same level of effort is needed to break the second key, the attacker may give up and go on to easier targets. Plus, if the attacker can break the two keys in the shell, then he or she can probably break the key used for the data-payload. Of course, if you want the ultimate protection provided by Triple DES, you should use three independent keys: This is the U.S. Government's standard deployment.

For more information:

This was last published in November 2009

Dig Deeper on Disk and file encryption tools