Length of Triple DES algorithm

Aronius, Joakim Joakim.Aronius at CA.COM
Wed Sep 13 07:25:26 EDT 2000


Small clarification: And the reason why the key lengths are 56, 112 and 168 instead of 64, 128 and 192 (which they are) is because 8 bits of each 64 bit block contains a checksum. This means that a 64 bit key has (at most) an entropy of 56 bits. Any reference to 64, 128 or 192 bit DES is the same as 56, 112 or 168 bits, respectively.

Joakim Aronius

 -----Original Message-----
From: 	Michael H. Warfield [mailto:mhw at WITTSEND.COM]
Sent:	den 12 september 2000 19:34
To:	VPN at SECURITYFOCUS.COM
Subject:	Re: Length of Triple DES algorithm

On Tue, Sep 12, 2000 at 10:39:12AM -0400, Matthew Harding wrote:
> I have seen references to key length of triple DES ranging anywhere from
> 112 bits to 168, with stops of 128 bits in between.

> Is there a well established length for 3DES? Do some vendors implement
> 3DES differently, or is it just a naming convention? Are there any
> security implications between using 3DES with anything less than 168
> bits? I had heard somewhere that the second transform with 3DES doesn't
> actually add anything to the overall security, hence it is only really
> 112 bits of protection.

	The key is the key...

	3DES is three passes through the DES algorithm with each key
(K1, K2, K3) being 56 bits.  Convention is to use DES in encrypt mode
on the first pass, decrypt mode on the second, and encrypt mode on
the third (EDE mode).  So what this means is that, to encrypt with 3DES,
you encrypt with K1, then decrypt with K2, then encrypt with K3.
Decryption is just the reverse.  You decrypt with K3, then encrypt with
K2, then decrypt with K1.

	As I said, the key is the key...

	If K1, K2, and K3 are all different, you have 168 bit 3DES.

	If K1 == K3, you have 112 bit 3DES.  You merely encrypt with K1
twice.  This prevents "meet in the middle" attacks which can be employed
against the encryption if you only passed through DES twice.

	If K1 == K2 == K3, this is DES compatibility mode (the first
encrypt is canceled by the decrypt in the second pass) and allows 3DES
engines to process single DES traffic by merely setting the three 56
bit keys identical.  Actually, any time either K1 == K2 or K2 == K3,
you have only 56 bits of encryption strength and the real key is the
odd key, since the matching keys cancel (unlike the K1 == K3 case where
you end up encrypting with the same key twice).

	As far as the second transform not adding to the security, that
is absolutely not true.

	Reference to Bruce Schneier's "Applied Cryptography".

> Any clarifications welcome!

> Thanks,
> Matthew

> --
> Matthew Harding, Director
> NeuroTrain ATS Inc.
> Tel: 1-877-58-NEURO (613-824-6397)
> Fax: 613-841-2158
> matt at neurotrain.com

	Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
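As an added illustration (not part of either message in this thread), the script below makes two points from the exchange concrete: Mike's rule that the EDE construction collapses to single DES whenever K1 == K2 or K2 == K3, and keeps 112 bits when K1 == K3, and Joakim's point that the low bit of each key byte is a parity bit, so two 64-bit keys that differ only in those 8 bits behave identically. DES itself is not implemented here: a small hash-based Feistel cipher, which is an assumption of this example and not the DES round function, stands in for each DES pass. The keying algebra shown holds for any block cipher used in EDE mode, and the key material constants are constructed sample values.

```python
"""
Toy illustration of the 3DES keying rules discussed on the VPN list.

Each DES pass is replaced by a small hash-based Feistel cipher (an assumption
of this example, NOT the real DES). Keys keep the DES format: 8 bytes, one
odd-parity bit per byte, so only 56 bits ever reach the cipher.
"""
import hashlib
import struct

ROUNDS = 8


def set_odd_parity(key8: bytes) -> bytes:
    """Force the DES key convention: the low bit of each byte makes that byte odd parity."""
    out = bytearray()
    for b in key8:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        out.append(high7 | (0 if ones % 2 == 1 else 1))
    return bytes(out)


def has_odd_parity(key8: bytes) -> bool:
    return len(key8) == 8 and all(bin(b).count("1") % 2 == 1 for b in key8)


def effective_key_bits(key8: bytes) -> bytes:
    """Drop the 8 parity bits; the 56 bits that remain are all the cipher ever sees."""
    bits = "".join(format(b >> 1, "07b") for b in key8)
    return int(bits, 2).to_bytes(7, "big")


def _round_keys(key8: bytes):
    # Round keys derive from the 56 effective bits only (stand-in for the DES key schedule).
    material = effective_key_bits(key8)
    return [hashlib.sha256(material + bytes([r])).digest()[:4] for r in range(ROUNDS)]


def _f(half: int, rk: bytes) -> int:
    # Toy round function (assumption): a hash of the 32-bit half block and the round key.
    return int.from_bytes(hashlib.sha256(half.to_bytes(4, "big") + rk).digest()[:4], "big")


def toy_encrypt(key8: bytes, block8: bytes) -> bytes:
    """One 'DES pass' on a 64-bit block: an 8-round Feistel network with a final swap."""
    l, r = struct.unpack(">II", block8)
    for rk in _round_keys(key8):
        l, r = r, l ^ _f(r, rk)
    return struct.pack(">II", r, l)


def toy_decrypt(key8: bytes, block8: bytes) -> bytes:
    """Inverse of toy_encrypt: same rounds with the round keys in reverse order."""
    l, r = struct.unpack(">II", block8)
    for rk in reversed(_round_keys(key8)):
        l, r = r, l ^ _f(r, rk)
    return struct.pack(">II", r, l)


def ede_encrypt(k1: bytes, k2: bytes, k3: bytes, block8: bytes) -> bytes:
    """3DES convention: encrypt with K1, decrypt with K2, encrypt with K3."""
    return toy_encrypt(k3, toy_decrypt(k2, toy_encrypt(k1, block8)))


def ede_decrypt(k1: bytes, k2: bytes, k3: bytes, block8: bytes) -> bytes:
    """The reverse: decrypt with K3, encrypt with K2, decrypt with K1."""
    return toy_decrypt(k1, toy_encrypt(k2, toy_decrypt(k3, block8)))


def keying_option(k1: bytes, k2: bytes, k3: bytes):
    """Classify a key triple as the post does, comparing the 56 effective bits so that
    keys differing only in parity bits count as identical.
    Returns (effective strength in bits, description of the equivalent operation)."""
    e1, e2, e3 = (effective_key_bits(k) for k in (k1, k2, k3))
    if e1 == e2 == e3:
        return 56, "DES compatibility mode: equivalent to single DES with K1"
    if e1 == e2:
        return 56, "K1 and K2 cancel: equivalent to single DES with K3"
    if e2 == e3:
        return 56, "K2 and K3 cancel: equivalent to single DES with K1"
    if e1 == e3:
        return 112, "two-key 3DES (K1 == K3)"
    return 168, "three-key 3DES"


if __name__ == "__main__":
    # Constructed sample keys, normalised to DES odd parity.
    k1 = set_odd_parity(b"\x01\x23\x45\x67\x89\xab\xcd\xef")
    k2 = set_odd_parity(b"\xfe\xdc\xba\x98\x76\x54\x32\x10")
    k3 = set_odd_parity(b"\x0f\x1e\x2d\x3c\x4b\x5a\x69\x78")
    pt = b"VPN-list"  # exactly one 64-bit block
    ct = ede_encrypt(k1, k2, k3, pt)
    print(keying_option(k1, k2, k3), ede_decrypt(k1, k2, k3, ct) == pt)
    print(keying_option(k1, k1, k3), ede_encrypt(k1, k1, k3, pt) == toy_encrypt(k3, pt))
    # Flipping every parity bit changes the 64-bit key but not the ciphertext.
    k1_flipped = bytes(b ^ 1 for b in k1)
    print(toy_encrypt(k1, pt) == toy_encrypt(k1_flipped, pt))
```

The collapse cases need no knowledge of the cipher internals: D_K2 undoes E_K1 exactly when the two keys agree on their 56 effective bits, so the middle pass cancels the first (K1 == K2) or the third cancels the middle (K2 == K3), leaving a single pass under the remaining key. The parity check is why `keying_option` compares `effective_key_bits` rather than the raw 8-byte keys.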
