Tuesday, September 30, 2008

Triple DES (3DES)


Triple DES

Three successive invocations of DES
General
Designers IBM
First published 1978
Derived from DES
Cipher detail
Key sizes 112 (2TDES) or 168 bits (3TDES)
Block sizes 64 bits
Structure Feistel network
Rounds 48 DES-equivalent rounds
Best public cryptanalysis
Lucks: 232 known plaintexts, 2113 operations including 290 DES encryptions, 288 memory; Biham: find one of 228 target keys with a handful of chosen plaintexts per key and 284 encryptions

In cryptography, Triple DES is a block cipher formed from the Data Encryption Standard (DES) cipher by using it three times.


Contents

Algorithm

When it was found that a 56-bit key of DES is not enough to guard against brute force attacks, TDES was chosen as a simple way to enlarge the key space without a need to switch to a new algorithm. The use of three steps is essential to prevent meet-in-the-middle attacks that are effective against double DES encryption. Note that DES is not a group; if it were one, the TDES construction would be equivalent to a single DES operation and no more secure.

The simplest variant of TDES operates as follows: DES(k3;DES(k2;DES(k1;M))), where M is the message block to be encrypted and k1, k2, and k3 are DES keys. This variant is commonly known as EEE because all three DES operations are encryptions. In order to simplify interoperability between DES and TDES the middle step is usually replaced with decryption (EDE mode): DES(k3;DES-1(k2;DES(k1;M))) and so a single DES encryption with key k can be represented as TDES-EDE with k1 = k2 = k3 = k. The choice of decryption for the middle step does not affect the security of the algorithm.

Security

In general TDES with three different keys (3-key TDES) has a key length of 168 bits: three 56-bit DES keys (with parity bits 3-key TDES has the total storage length of 192 bits), but due to the meet-in-the-middle attack the effective security it provides is only 112 bits. A variant, called two-key TDES (2-key TDES), uses k1 = k3, thus reducing the key size to 112 bits and the storage length to 128 bits. However, this mode is susceptible to certain chosen-plaintext or known-plaintext attacks [1] [2] and thus it is designated by NIST to have only 80 bits of security [3].

The best attack known on 3-key TDES requires around 232 known plaintexts, 2113 steps, 290 single DES encryptions, and 288 memory[4] (the paper presents other tradeoffs between time and memory). This is not currently practical and NIST considers 3-key TDES to be appropriate through 2030 [3]. If the attacker seeks to discover any one of many cryptographic keys, there is a memory-efficient attack which will discover one of 228 keys, given a handful of chosen plaintexts per key and around 284 encryption operations[5].

Usage

TDES is slowly disappearing from use, largely replaced by the Advanced Encryption Standard (AES). One large-scale exception is within the electronic payments industry, which still uses 2TDES extensively and continues to develop and promulgate standards based upon it (e.g. EMV). This guarantees that TDES will remain an active cryptographic standard well into the future.

By design, DES and therefore TDES, suffer from slow performance in software[6]; on modern processors, AES tends to be around six[citation needed] times faster. TDES is better suited to hardware implementations[6], and indeed where it is still used it tends to be with a hardware implementation (e.g., VPN appliances and the Nextel cellular and data network), but even there AES outperforms it[citation needed]. Finally, AES offers markedly higher security margins: a larger block size and potentially longer keys.

See also

References

  1. ^ Ralph Merkle, Martin Hellman: On the Security of Multiple Encryption (PDF), Communications of the ACM, Vol 24, No 7, pp 465–467, July 1981.
  2. ^ Paul van Oorschot, Michael J. Wiener , A known-plaintext attack on two-key triple encryption, EUROCRYPT'90, LNCS 473, 1990, pp 318–325.
  3. ^ a b NIST, Recommendation for Key Management—Part 1: general (PDF), Special Publication 800-57.
  4. ^ Stefan Lucks: Attacking Triple Encryption (PDF), Fast Software Encryption 1998, pp 239–253.
  5. ^ Eli Biham: How to Forge DES-Encrypted Messages in 228 Steps (PostScript), 1996.
  6. ^ a b Details of the Data Encryption Standard


v d e
Block ciphers

Common algorithms: AES | Blowfish | DES | Triple DES | Serpent | Twofish

Other algorithms: 3-Way | ABC | Akelarre | Anubis | ARIA | BaseKing | BassOmatic | BATON | BEAR and LION | C2 | Camellia | CAST-128 | CAST-256 | CIKS-1 | CIPHERUNICORN-A | CIPHERUNICORN-E | CLEFIA | CMEA | Cobra | COCONUT98 | Crab | CRYPTON | CS-Cipher | DEAL | DES-X | DFC | E2 | FEAL | FEA-M | FROG | G-DES | GOST | Grand Cru | Hasty Pudding cipher | Hierocrypt | ICE | IDEA | IDEA NXT | Intel Cascade Cipher | Iraqi | KASUMI | KeeLoq | KHAZAD | Khufu and Khafre | KN-Cipher | Ladder-DES | Libelle | LOKI97 | LOKI89/91 | Lucifer | M6 | M8 | MacGuffin | Madryga | MAGENTA | MARS | Mercy | MESH | MISTY1 | MMB | MULTI2 | MultiSwap | New Data Seal | NewDES | Nimbus | NOEKEON | NUSH | Q | RC2 | RC5 | RC6 | REDOC | Red Pike | S-1 | SAFER | SAVILLE | SC2000 | SEED | SHACAL | SHARK | Skipjack | SMS4 | Spectr-H64 | Square | SXAL/MBAL | TEA | Treyfer | UES | Xenon | xmx | XTEA | XXTEA | Zodiac



Standardization: AES process | CRYPTREC | NESSIE


v d e
Cryptography


Retrieved from "http://en.wikipedia.org/wiki/Triple_DES"

Posted by at
Labels:

1 comment:

Unknown said...

After learning about it I wanted to know the major points of difference between simple DES and 3DES. This article covers all about 3DES which helped me a lot.
digital signature software

June 7, 2013 at 1:19 AM

Post a Comment

Subscribe to: Post Comments (Atom)