# Triple DES: How strong is the data encryption standard?

## Expert Jon Callas explains how strong the Triple DES symmetric encryption algorithm actually is and offers guidance on how it compares to other widely used block ciphers.

The Data Encryption Standard encryption algorithm on which Triple DES is based was first published in 1975. Over the years, as computers grew faster, the block cipher with a simple 56-bit key proved vulnerable to brute force attacks. Then, in 1999, the lifetime of DES was extended by tripling the key size of the cipher and encrypting data in three passes in the new Triple DES specification.

After more than 40 years of DES, and 20 years of 3DES, the algorithm is showing its age: the National Institute of Standards and Technology (NIST) disallowed the use of DES for anything but legacy use in 1999, and two-key 3DES got the hook in 2015. However, the venerable block cipher is still important to understand, both because it is still used to decrypt legacy data, and because, when used with three unique keys, Triple DES is still considered strong enough to protect data.

Part of what Triple DES does is to protect against brute force attacks. The original DES symmetric encryption algorithm specified the use of 56-bit keys -- not enough, by 1999, to protect against practical brute force attacks. Triple DES specifies the use of three distinct DES keys, for a total key length of 168 bits. While NIST disallowed the use of two-key 3DES for encryption, it is still approved for legacy use -- though there are still questions over whether using three distinct DES keys for 3DES provides the strength of a single 168-bit key.

But does 3DES really deliver 168 bits of encryption strength? Not everyone agrees, but cryptographer Jon Callas explains how, and why, the useful life of the DES symmetric key encryption algorithm has been extended through the use of three (and not two or four) encryption rounds with unique keys.

### Triple DES encryption process

What we all call Triple DES operates in three steps: Encrypt-Decrypt-Encrypt (EDE). It works by taking three 56-bit keys (K1, K2 and K3), and encrypting first with K1, decrypting next with K2 and encrypting a last time with K3.

3DES has two-key and three-key versions. In the two-key version, the same algorithm runs three times, but uses K1 for the first and last steps. In other words, K1 = K3. Note that if K1 = K2 = K3, then Triple DES is really Single DES.
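
The keying options above can be checked mechanically before a key bundle is accepted. The following is an added example, not code from the article or from any library: it classifies a bundle by which of K1, K2 and K3 coincide, comparing keys with the parity bit of each byte cleared, because a DES key is stored as 8 bytes of which only 56 bits are key material. The function names, the 16-byte K1 || K2 storage convention and the sample keys are assumptions made for illustration.

```python
# Added example: classify a Triple DES key bundle by keying option.
PARITY_MASK = 0xFE  # the low bit of each DES key byte is parity, not key material


def effective_key(key: bytes) -> bytes:
    """Return the 56 key bits DES actually uses, with parity bits cleared."""
    if len(key) != 8:
        raise ValueError("a DES key is 8 bytes (56 key bits + 8 parity bits)")
    return bytes(b & PARITY_MASK for b in key)


def classify_bundle(bundle: bytes) -> str:
    """Classify K1 || K2 || K3 as used by Encrypt-Decrypt-Encrypt."""
    if len(bundle) == 16:        # assumed convention: two-key form stored as K1 || K2
        bundle += bundle[:8]     # EDE then reuses K1 as K3
    if len(bundle) != 24:
        raise ValueError("expected 16 or 24 key bytes")
    k1, k2, k3 = (effective_key(bundle[i:i + 8]) for i in (0, 8, 16))
    if k1 == k2 or k2 == k3:
        # The decrypt step cancels one of the encrypt steps: one DES pass remains.
        return "single-des"
    if k1 == k3:
        return "two-key"
    return "three-key"


# Constructed sample keys (not real key material).
K1 = bytes.fromhex("0123456789abcdef")
K2 = bytes.fromhex("fedcba9876543210")
K3 = bytes.fromhex("89abcdef01234567")
K1_PARITY_VARIANT = bytes.fromhex("0022446688aaccee")  # same 56 bits as K1

if __name__ == "__main__":
    samples = {
        "K1,K2,K3": K1 + K2 + K3,
        "K1,K2,K1": K1 + K2 + K1,
        "K1,K1,K1": K1 + K1 + K1,
        "K1,K1',K3": K1 + K1_PARITY_VARIANT + K3,
    }
    for label, bundle in samples.items():
        print(label, "->", classify_bundle(bundle))
```

The last sample is the case a byte-for-byte comparison misses: the two keys differ only in parity bits, so the bundle still collapses to a single DES pass.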

Triple DES was created when DES was becoming weaker than users were willing to accept, so they sought an easy way to get more strength. In a system that is dependent on DES, making a composite function out of multiple passes of DES is likely to be easier than bolting in a new symmetric cipher. This has the added benefit of sidestepping the political issues that arise from arguing about the relative strength of a new cipher versus DES.

### Keying options and encryption modes

As it turns out, when you compose a cipher into a new one, you can't use a double enciphering. There is a class of attacks called meet-in-the-middle attacks in which you encrypt from one end, decrypt from the other and start looking for collisions -- keys that produce the same answer in either direction. With sufficient memory, Double DES -- or any other cipher run twice -- would only be twice as strong as the base cipher. In other words, the double cipher would only be as strong as the same cipher run once, but with a key that was one bit longer.
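
The meet-in-the-middle argument can be measured on a toy cipher. This added example (not from the article) uses a made-up 16-bit Feistel cipher with a 10-bit key, not DES, and counts cipher operations: double encryption has a 20-bit key, yet matching from both ends takes 2 × 2^10 = 2^11 operations. The cipher, key size, names and sample values are assumptions chosen so that it runs instantly.

```python
from collections import defaultdict

KEY_BITS = 10  # toy key size (assumption); DES uses 56


def _f(half, key, rnd):
    """Toy Feistel round function on an 8-bit half; not a real cipher."""
    x = (half ^ (key >> rnd) ^ (key << 3)) & 0xFF
    return (5 * x * x + 3 * x + rnd) & 0xFF


def toy_encrypt(key, block):
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        left, right = right, left ^ _f(right, key, rnd)
    return (left << 8) | right


def toy_decrypt(key, block):
    left, right = block >> 8, block & 0xFF
    for rnd in reversed(range(4)):
        left, right = right ^ _f(left, key, rnd), left
    return (left << 8) | right


def double_encrypt(k1, k2, block):
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Return ((k1, k2) candidates, cipher operations spent on the matching phase)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    ops = 0
    forward = defaultdict(list)
    for k1 in range(1 << KEY_BITS):      # encrypt from the plaintext end
        forward[toy_encrypt(k1, p0)].append(k1)
        ops += 1
    candidates = []
    for k2 in range(1 << KEY_BITS):      # decrypt from the ciphertext end
        middle = toy_decrypt(k2, c0)
        ops += 1
        for k1 in forward.get(middle, ()):
            # extra known pairs weed out chance collisions in the middle value
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates, ops


# Constructed sample: a key pair and three known plaintext/ciphertext pairs.
SECRET = (0x2A7, 0x19C)
PAIRS = [(p, double_encrypt(*SECRET, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]
```

The price of the shortcut is the table of 2^10 middle values, which is the "sufficient memory" condition in the paragraph above.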

But that's not all: If the cipher forms a group, then encrypting twice with two keys is equivalent to encrypting once with some other key. It's not trivial to know what that other key is, but it does mean that a brute force attack would find that third key as it tried all the possible single keys. So if the cipher is a group, then multiple ciphering is merely a waste of time.

A group is a relationship between a set and an operator. If they behave more or less the way integers do with addition, they form a group. If you keep encrypting a block and it makes a full circuit over the set of possible blocks, that also forms a group.
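
The group argument can be checked exhaustively on ciphers small enough to enumerate. In this added example (not from the article), two made-up 6-bit toy ciphers are compared: XOR with the key, which is closed under composition, and a mixed XOR/multiply/add cipher, which is not. All names and both ciphers are assumptions for illustration; neither says anything about DES itself.

```python
from itertools import product

BLOCK_BITS = 6            # toy block and key size (assumption), small enough to enumerate
SIZE = 1 << BLOCK_BITS


def xor_cipher(key, block):
    return block ^ key


def mixed_cipher(key, block):
    return (5 * (block ^ key) + 2 * key) % SIZE


def key_permutations(cipher):
    """Map each permutation of the block space to one key that produces it."""
    perms = {}
    for key in range(SIZE):
        perms.setdefault(tuple(cipher(key, x) for x in range(SIZE)), key)
    return perms


def equivalent_single_key(cipher, k1, k2):
    """Return a single key equal to encrypting with k1 then k2, or None."""
    target = tuple(cipher(k2, cipher(k1, x)) for x in range(SIZE))
    return key_permutations(cipher).get(target)


def double_encryption_report(cipher):
    """Count the permutations reachable with one key and with two keys in sequence."""
    single = key_permutations(cipher)
    doubled = set()
    for p1, p2 in product(single, repeat=2):
        doubled.add(tuple(p2[y] for y in p1))      # E_k2(E_k1(x)) for every x
    return {"single": len(single), "double": len(doubled),
            "closed": doubled <= set(single)}


if __name__ == "__main__":
    for cipher in (xor_cipher, mixed_cipher):
        print(cipher.__name__, double_encryption_report(cipher))
    print(equivalent_single_key(xor_cipher, 0x15, 0x2A))    # some third key exists
    print(equivalent_single_key(mixed_cipher, 1, 2))        # no single key matches
```

For the XOR cipher every two-key encryption is already one of the 64 single-key encryptions, so a search over single keys covers them all; for the mixed cipher, two passes reach permutations that no single key produces.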

As you might guess, DES is not a group. If it were, we wouldn't be discussing this at all. However, DES does have known structural features in it that make people say it's not strongly not a group (in other words, it might be a group). For example, there are known loops in DES where, if you keep encrypting with the same key, you run around in a long loop.

With Triple DES, therefore, each of the three rounds can be run in either direction -- encrypt or decrypt -- using the DES algorithm. This results in eight different possible modes for Triple DES.

Those structural features are why you wouldn't want to use EEE or DDD mode if there were a better option, just as you wouldn't want to use EED, DEE, DDE or EDD. Because of the weak-non-groupness of DES, EDE or DED compositions work best. And Encrypt-Decrypt-Encrypt just makes more sense -- if you use Decrypt-Encrypt-Decrypt, you have to explain why your Triple DES encryption starts with decryption.

### Strength of Triple DES

The reason for going through this multiple encryption exercise is to build a composite cipher that is stronger than Single DES. Because of meet-in-the-middle attacks, Double DES is only one bit stronger than Single DES. Two-key Triple DES (which is no longer approved for encryption due to its susceptibility to brute force attacks) thus has 112 bits of strength (56 multiplied by two).

But what about the three-key version of Triple DES? Common sense dictates it should be at least as strong as two-key Triple DES, but how much stronger? The answer is that no one knows.

I've seen arguments suggesting Triple DES always has 112 bits of strength. I've seen arguments suggesting it has the full 168 bits. (Note that this ignores the obvious weak keys, like K1 = K2.) I don't like either argument, and actually think that the ones that suggest you never get more than 112 bits are better arguments -- even though I disagree.

One thing to remember is that, in cryptography, there's a difference between a theoretical attack and a real one. Let's suppose I came up with an attack that needed 2^80 cipher blocks, which would reduce the strength of three-key Triple DES to no stronger than 112 bits. This attack would be worthy of publication, but it would not be practical. A tera-block (eight terabytes) is 2^40 blocks. With this attack, you would need eight tera-terabytes (or eight trillion trillion bytes) of memory and a CPU that could address that much. Also, you could defend against this attack by rekeying after encrypting just a few million terabytes of data.

So let's come right down to where I live -- practical cryptography. If you ask a good cryptographer if 168-bit Triple DES is weaker than other standard 128-bit ciphers, like Blowfish, CAST or the Advanced Encryption Standard, they'll almost certainly say no -- if you ask the right way. An example of asking the right way would be, "So, are you saying I should use Blowfish instead of Triple DES because it's stronger?"

Even if they think Triple DES is pretty weak, you'll probably get a response like, "Mmmmmm, no, no, that's not what I'm saying," followed by a discussion similar to this one. Likewise, a good cryptographer won't tell you to use Triple DES because it's a stronger alternative to any of the standard 128-bit ciphers.

Therefore, by practical reasoning, Triple DES is about as strong as 128-bit ciphers. It seems safe to guess, therefore, that Triple DES is stronger than 112 bits, but not as strong as the full 168. Somewhere between 113 and 167, 128 bits seems to be a good, conservative compromise for estimating the strength of three-key Triple DES.

That is why we usually compare Triple DES with 128-bit ciphers. If DES were strongly not a group, then it would be 168 bits. Because DES is definitely not a group, but has weakness in that property, we don't exactly know how strong it is, but no one thinks it's all that much weaker than 128 bits. So we just lump it in with the 128-bit ciphers.

This was last published in May 2017
