How many keys does Triple DES encryption need?

Question

I am porting some C# code to C++, and trying to encrypt a textfile with Triple DES encryption. But I am confused; some encryption APIs only require one key for Triple DES (C# for example: How to implement Triple DES in C# (complete example) ), while others require 2 or 3 keys (in several C++ implementations I've found).

Why is that?

Answer 1

Niall's answer is correct, but to me it felt like a little bit more information would help your understanding of the problem better.

3DES is alternately referred to in some specifications as DES-EDE, which is DES-Encrypt/Decrypt/Encrypt.

var x = Encrypt(key1, input);
x = Decrypt(key2, x);
x = Encrypt(key3, x);
return x;

So 3DES always requires 3 keys, each of which are have 56 key bits stretched into 64 bits (8 bytes) because every 7 bits gets a 1 bit parity check. This is frequently expressed as one 192-bit value (24 bytes) value, or an intermediate 128-bit value (16 bytes).

• If the 3DES key is 64 bits (which has a key strength of 56 bits, and many implementations will reject)
  • k1 = key
  • k2 = key
  • k3 = key
• If the 3DES key is 128 bits (which has a key strength of 112 bits)
  • k1 = key[0..7]
  • k2 = key[8..15]
  • k3 = k1
• If the 3DES key is 192 bits (which has a key strength of 168 bits)
  • k1 = key[0..7]
  • k2 = key[8..15]
  • k3 = key[16..23]

So if we have a 64-bit 3DES key we encrypt with the key, then decrypt with the key (returning the original data) and then encrypt with the key again. That makes "one key" 3DES equivalent to (1)DES.

Note that the DES-equivalent behavior can happen for two-key 3DES if k2 is coincidentally k1, (or 3-key if k1=k2=k3) so using 3DES isn't always an upgrade over using DES.

As for why the implementations differ: In C# arrays are length tagged, so passing one array the recipient can check if you are passing 8, 16, or 24 bytes. In C arrays aren't length tagged, so the API needs to either ask you how long your data is (which is what Windows CAPI and CNG do) or just take three different key pointers, and make you do the fragment cloning for 1-key and 2-key keys.

Answer 2

The TDEA keying is maybe better understood here considering the key length over just a simple key. Depending on the keying option used, it can be a single key length, double key length, or triple key length. All parts are required and would constitute the "key bundle".

The TDEA is basically three applications of the DES cipher. Each part of the "key bundle" is used with one or more executions of the DES cipher algorithm (see also the Feistel cipher);

• for a single key, it is used three times (equates to classic DES but is no longer recommended), K1 = K2 = K3;
• for a double key, the first part of the key is used twice, K1 and K2 are independent and K3 = K1;
• and for the triple key length, each key part is used once, all parts are independent.

What you are seeing as "two" (or "three") keys is most likely the double (or triple) key length being used, each part being provided separately.

The documentation for each API should provide details on how the keys are provided/expected.

A few test cases to check interoperability never hurt either.

---

Some background/context on how TDEA works; source Wikipedia;

Triple DES uses a "key bundle" that comprises three DES keys, K1, K2 and K3, each of 56 bits (excluding parity bits)...

The encryption algorithm is:

ciphertext = E_K3(D_K2(E_K1(plaintext)))

I.e., DES encrypt with K1, DES decrypt with K2, then DES encrypt with K3.

Decryption is the reverse:

plaintext = D_K1(E_K2(D_K3(ciphertext)))

I.e., decrypt with K3, encrypt with K2, then decrypt with K1.

Each triple encryption encrypts one block of 64 bits of data.