2

We're writing a new application that is working with relatively sensitive information. The team is debating whether we should support 3DES and/or AES encryption for the data. Unfortunately a Google search is giving mixed results.

We have libraries available to do both and use them in other products. What should we use? What's the reason to prefer either?

user5994461
  • 5,301
  • 1
  • 36
  • 57
  • 1
    "Can," yes. "Should," no. There is no good reason for a modern system to use any variant of DES. But DES variants can be very important in interacting with legacy systems. If that's necessary, then yes. But almost universally, AES with a correct mode (such as GCM), and correct construction (for GCM, a properly selected nonce and a fully randomized key) is what you should use today. – Rob Napier Jun 17 '20 at 21:16

1 Answers1

5

Short answer is no, you cannot use 3DES because 3DES is prohibited for usage by regulations.

Long answer:

There are three major DES algorithms. I am gonna cover 3DES, 2-3DES and DES, all prohibited.

Gotta be extra careful when dealing with XXXDES because they're easily confused and misconfigured.

AES 128 bits is the generally accepted replacement.

DES

DES is the basic algorithm, published in 1975, using 56 bits keys.

It laid the foundation of symmetric cryptographic / block cipher a very long time ago.

DES has been insecure and prohibited from usage since the beginning of the 2000's. Computational power has grown over time, to the point where it's easy to crack 56 bits keys.

2-keys 3DES (or 2TDES or 2DES)

2DES is a similar algorithm using two 56 bits keys, providing 112 bits strength encryption.

It's actually 3DES (requiring 3 keys) with the 3rd key not being set. I am gonna call it 2DES to distinguish.

2DES is very tricky because it's virtually indistinguishable from 3DES. They're both defined in the standard and implemented together. It's possible that software claiming to do 3DES is actually doing 2DES or either depending on configuration settings, and that's a problem.

2-keys 3DES is prohibited from usage in applications, as of March 2019.

Quoting the official NIST.SP.800-131Ar2 document, page 13:

Encryption using two-key TDEA is disallowed.

3DES (or TDES or TDEA)

3DES is an evolution of DES using three 56 bits keys, providing 112 bits strength encryption.

Due to construction, this is only as strong as 2^112 + 2^56, rather than 2^168. See meet in the middle attack.

3DES is prohibited from usage in applications, as of 2023.

3DES is prohibited from usage in new applications, as of November 2017.

3DES is prohibited from usage in legacy applications (created before 2017 and in operation before 2023) unless the usage fits within the limitations specified by NIST in which case 3DES is only deprecated (can be used until 2023). There are quite a few disseminated across NIST documents including but not limited to not doing 2key 3DES, blacklisting a set of keys listed in the spec, not encrypting more than 8 MB of data, etc...

The odds to satisfy all the restrictions for legacy status AND be able to evidence it are fairly low. Do yourself a favor and consider that 3DES is simply prohibited generally since 2017. If you're dealing with systems using 3DES in 2020, they're in dire need of an upgrade!

Additional Restrictions

3DES is considered 112 bits strength (it's weak). Anything that restricts the usage of less than 128 bits encryption de-facto affects 3DES.

Software regulations don't specify accepted technical measures (they don't say to use 3DES or any algorithm by name), they usually write to follow the recommended or generally accepted security practices. Sometimes explicitly pointing to NIST or similar agency who emits standards.

There is an interesting conundrum in how regulations combine. For example, there are extra regulations around systems dealing with payments or sensitive information or PII. Depending on interpretation and exact usage, 3DES could be prohibited as soon as it's deprecated by any formal standard (long before the NIST formally terminates it in 2023).

ENISA, The European Union Agency for CyberSecurity (equivalent of NIST in Europe) published official guidelines in 2013 recommending 128 bits minimum for encryption and formally classifying both 3DES and 2DES as legacy.

Legacy: (two-key 3DES and three-key 3DES)

  • No known weaknesses at present.
  • Better alternatives exist.
  • Lack of security proof or limited key size.

Generally speaking we feel the minimum key size for a block cipher should be 128 bits; the minimum for the block size depends on the precise application but in many applications(for example construction of MAC functions) a 128-bit block size should now be considered the minimum in many application. We also consider that the maximum amount of data which should be encrypted under the same key should be bounded by 2n/2, where n is the block size in bits. However, as indicated before some short lived cryptograms may warrant smaller block and key sizes in their constructions; but for general applications we recommend a minimum of 128 bits.

No need to panic

While all variants of 3DES need to go away, there is no need to panic about it (unlike RC4 or MD5 for example that really have issues).

The algorithm is not catastrophically broken or vulnerable as long as you follow the guidelines like not encrypting more than 8 MB of data with it (well, gotta admit it is broken somewhat). The fundemental issue is 3DES keys could be cracked in a reasonable human time if one were to put a whole AWS datacenter to the task.

AES-128 is the direct successor to DES. It's a direct replacement and it's a lot faster.

If 3DES can encrypt 100 MB/s on a core, AES-128 can encrypt 300MB/s on the same core, or 1000MB/s if the CPU has AES-NI instructions (most x64 CPU after 2016).

user5994461
  • 5,301
  • 1
  • 36
  • 57
  • "Is prohibited" is very misleading here. NIST-800 provides guidance for "the use of cryptography by Federal Government agencies for the protection of sensitive, but unclassified information." It is not a law or regulation that applies generally, and most certainly not globally. You generally should not use any of the forms of DES unless you have a good reason, and you give a lot of helpful reasons, but for most uses it has nothing to do with being prohibited. If you work on credit card swipe machine, DUKPT+3DES is generally still required, not prohibited. – Rob Napier Jun 17 '20 at 21:10
  • 1
    NIST if the official US body defining technological standards to be followed. Every procurement contract for hardware/software stating that it must satisfy recommended or generally accepted security practices is an implicit call to NIST standards. They are widely recognized and referred to beyond the US, due to most countries not having an equivalent body or standard of any sort, and large companies doing business across borders. (funfact: the last European regulation on digital authentication is almost a verbatim copy/paste of the related NIST standards). – user5994461 Jun 18 '20 at 09:18
  • Card machines support AES. Vendors have three years to get their act together and support AES before 3DES is disallowed for usage. Banks follow NIST regulations closely and they are expected to terminate 3DES by 2023 -if they haven't done so already- in order to be compliant. For customers, buying a new device that stops working because it can only do 3DES is a receivable cause for a firmware upgrade, a replacement, a refund or as much as terminating the procurement/support contract if the vendor can't resolve it, for the simple fact that the device isn't up to par. – user5994461 Jun 18 '20 at 09:20
  • 1
    Usage of 3DES is not prohibited. NIST *recommends* that it should not be used anymore. – Melab Jun 18 '20 at 14:25