Is Triple DES Secure?

Jarred McGinnis
December 22, 2020

Short answer, No.

The short answer with supporting evidence is no, because it has been deprecated by the NIST since 2017 for new applications and for all applications by 2023. It has been superseded by the more robust and longer key lengths of AES. ENISA, Europe’s version of the NIST, classified Triple DES (3DES) as legacy since 2014 and recommends for encryption a minimum of 128 bits. Triple DES gives you only 112 bits and, with a 112 bit key, NIST suggests that only provides 80 bits of actual security.

The long answer.

The long answer takes us to an algorithm named after a fallen angel, conspiracy theories involving either nefarious or possibly benevolent government interference and the birth of a new field of academic research. The long answer is still no but there are some conditions if you must.

The Triple DES cryptographic standard was designed to compensate for the short key length of the previous standard DES by applying the DES cipher three times to each data block, making Triple DES a pretty sensible name for the new standard. This approach provided security for a number of decades but also became the weakness that led to it being cracked and ultimately abandoned for the more robust AES.

Originally, DES was based on the Lucifer cipher and its 128 bit data blocks and a 128 bit key. In the mid-70s when the US government was looking for a standard for encrypting unclassified but sensitive information, IBM submitted DES after taking on board some design changes from the NSA. The helpful men in black suggested a suspiciously small key length of 56 bits. The 64 bits that is often mentioned in association with DES includes 8 parity bits. The NSA also made some unexplained changes to the S-boxes, which was enough for outsiders to convince themselves that the intelligence agency had snuck in a backdoor to the symmetric key’s algorithm. Despite these concerns, DES was accepted as a standard and quickly spread across the world. Even today, DES can only be cracked via brute force despite the decades of cryptanalytic attempts. There are three potential attacks with less theoretical complexity but require enough impractical constraints that they cannot be considered a legitimate concern.

The truth was more interesting and nuanced than the conspiracy theory. The NSA did indeed shorten the key length, because they were fairly confident that the the only computer capable of a brute force attack was in their basement. Around the time that DES became the standard, Diffie and Hellman suggested a DES key could be discovered in a day with a machine that would cost US$20 million to build, which for NSA budgets is considered petty cash. As for the mysterious changes to the S-boxes, the NSA actually improved them against a differential cryptanalysis. A technique solely known to them for over a decade until it was discovered independently by Eli Biham and Adi Shamir in 1989. Since the NSA were the only ones with the means to use brute force, they wanted to ensure DES was strong enough against any other attack ensuring its wide adoption and longevity as a standard. A standard for which they had the only practical attack against. More recently, NSA’s previous keenness on Suite B and revelations from the Snowden disclosures suggest the snoops in DC have similar leverage on elliptical curve algorithms.

Before DES, cryptography was purely a government and military concern. With the rise of electronic banking including automated teller machines, a wider need was founded and with it a new academic discipline of cryptography and cryptanalysis.

Thanks. That was indeed a long answer but what about 3DES?

Triple DES’s key length does make it more secure against brute force attacks, but as mentioned in a previous post by relying on sequential encryption operations, it was vulnerable to meet-in-the-middle attacks. Generally, it is recommended that you move away from 3DES to something like its direct successor AES which brings you to the promised land of 128 bit block size and keys of 128, 192 and 256 bits. Oh AES, how you spoil us! AES comes with go-faster stripes as well when it comes to encryption performance. So, if it is practical, you should be doing an inventory of where 3DES exists within your organization and making the switch.

With that said, attacks like Sweet32 rely on collision attacks due to the 3DES’s small block size. To avoid providing enough data to result in collisions, it is recommended that you encrypt no more than 8mbs of plaintext before changing keys. Depending on your use case, that might indeed be enough to make 3DES secure or not.

Avoiding 3DES completely might not be feasible

Large swathes of the electronic payment industry have 64 bit block sizes baked into their systems that make it complicated to replace them with the more secure AES. Then you need to start considering plans to ensure you stay on the right side of the 8mb data payload guidance. If your problem isn’t capability issues of an ecosystem of billion different payment devices from point-of-sale systems, smart payment cards, card terminals and automated teller machines all from different vendors then it’s probably time to start identifying where you are still using 3DES and replacing it. This is good crypto-agility practice as the attacks and the computing power behind them is only going to get better. Even more so when you consider the inevitable rise of quantum cryptography.

Despite the well known vulnerabilities, our crypto protocol scan site Discovery finds 3DES still appearing in TLS, SSL and PGP configurations. Cryptosense Analyzer often discovers Java applications using 3DES in its business logic code, application framework components and libraries, including standard keystores. These organizations may be taking unnecessary risks with their data security and we recommend to everyone to regularly audit their sites, identify the risks and develop feasible migration strategies.

Read about other weak cryptography to avoid in our Java cryptography white paper.