Talk:Triple DES
From Wikipedia, the free encyclopedia
Hum..; Effective keysize is 112 bits not 168. There's an attack... JidGom 09:03, 16 Dec 2003 (UTC)
Matt, I'm not sure Tuchman being one of the patentees needs to be mentioned either. On the other hand, I see no reason to decide for readers that it doesn't, though perhaps not here. In the DES article maybe. I know that I was surprised to learn it, so on entropy grounds it would appear to be loaded with information, and so worth mentioning.
ww 14:22, 28 Apr 2004 (UTC)
- Yep, it would be good to have some patent information in the DES article (US patent 3,962,539); I think we have enough context on Tuchman here, though. — Matt 14:47, 28 Apr 2004 (UTC)
- Matt, Agreed, then. You want to put it in there? ww 14:52, 28 Apr 2004 (UTC)
Attacks on 2DES, 2KEY-3DES & 3KEY-3DES
Rasmus, I'm not sure why your edit re-added the sentence "The use of three steps is essential to prevent meet-in-the-middle attacks; double DES would have serious vulnerabilities." This contradicts your statement in the changelog that 2 key 3DES is not vulnerable to meet-in-the-middle attacks. This statement should either be removed if your statement about meet-in-the-middle attacks is true, or moved up to the prior paragraph if it is not. I am not going to make the edit because truthfully I don't know much about these attacks. — RamanGupta -- 30 June 2005 20:12 (UTC)
- I googled the meet-in-the-middle attack, and several sites do seem to state that two-key triple DES is vulnerable to that type of attack -- in fact, it seems that even the security of triple DES is reduced from the same attack, but not to the same extent as two-key:
- http://www.rsasecurity.com/rsalabs/node.asp?id=2231
- http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci968714,00.html?track=NL-102&ad=486202
- http://www.everything2.com/index.pl?node_id=927656
- RamanGupta 1 July 2005 06:07 (UTC)
- Note the difference between double DES and 2 key triple DES. Double DES is the operation $\mathrm{DES2}(P) := \mathrm{DES}_{k_2}(\mathrm{DES}_{k_1}(P))$, i.e. two DES encryptions with two different keys. 2-key 3DES is the operation $\text{2KEY-DES3}(P) := \mathrm{DES}_{k_1}(\mathrm{DES}^{-1}_{k_2}(\mathrm{DES}_{k_1}(P)))$, i.e. 3DES where $k_1 = k_3$.
- As meet-in-the-middle attack explains, double DES is only one bit more secure than single DES. This should explain the first sentence. 2KEY-3DES, however, is not vulnerable to meet-in-the-middle attacks. There are other attacks on it, but these require large amounts of known pairs of plaintext and ciphertext, so they aren't really practical.
- I read your three links, and I can't see where they contradict this. The rsasecurity mentions the chosen-plaintext attack and the known-plaintext attack. Both 3KEY-3DES and 2KEY-3DES have 112-bit security, even though 3KEY-3DES has a 168 bit key. This is due to the meet-in-the-middle attack (I have clarified this in the article). But except for that, neither should be vulnerable to meet-in-the-middle attacks.
- Right, now I understand, sorry for the confusion. I was stupidly thinking that when people said "double DES" they were just using imprecise wording for 2-key Triple DES. That being said, in order to make this clearer and flow better in the article I moved the discussion of the number of steps (both single and double) a paragraph up. I think it now flows better as it comes right after the discussion of the number and type of operations required for 3DES, and it smoothly flows from a discussion of 3DES, to 2DES, to single-DES compatibility.
- One other thing, most articles on the subject seem to either disagree on the strength (in bits) of DESede, or they state that it is not known with certainty. Therefore, why is the article so certain that 3DES provides 112 bits of security? Should this be softened to reflect the uncertainty in the literature, or at least a source attributed to defend the factual nature of the statement?
- RamanGupta 1 July 2005 20:59 (UTC)
- Yes, that flows better. As for the security of 3DES, I can't really see why we should be uncertain of it. Of course we could discover an attack, but that is also true for DES, AES and lots of other algorithms that are not provably secure. In your second link ("expert advice") he claims that the security of 3KEY-3DES could be anywhere between 113 and 167 bits. But it is easy to see that 3KEY-3DES is vulnerable to a meet-in-the-middle attack: By using $2^{56}+2^{112}$ operations and $2^{56}$ storage, we can break 3KEY-3DES, so the security is at most 112+ε bits.
- OK, sounds good. RamanGupta 2 July 2005 23:35 (UTC)
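The costs quoted in this thread (double encryption falling to about twice the work of a single-key search, and three-key EDE falling to 2^k storage plus about 2^(2k) operations) can be checked on a toy cipher. This is an added example, not part of the original discussion; the 8-bit-key Feistel cipher, its constants and all function names are constructed stand-ins for DES.

```python
# Toy 32-bit Feistel cipher with 8-bit keys (constructed; NOT DES, whose
# 56-bit keys would make the searches below infeasible to run here).
KEY_BITS, MASK = 8, 0xFFFF
KEYS = range(1 << KEY_BITS)

def _f(half, key, rnd):
    x = (half ^ (key * 0x9E37 + rnd * 0x7F4A)) & MASK
    x = (x * 0x2545 + 0x01B3) & MASK
    return x ^ (x >> 7)

def enc(key, block):
    l, r = block >> 16, block & MASK
    for rnd in range(4):
        l, r = r, l ^ _f(r, key, rnd)
    return (l << 16) | r

def dec(key, block):
    l, r = block >> 16, block & MASK
    for rnd in reversed(range(4)):
        l, r = r ^ _f(l, key, rnd), l
    return (l << 16) | r

def double(k1, k2, p):            # E_k2(E_k1(P)), "double DES" shape
    return enc(k2, enc(k1, p))

def ede3(k1, k2, k3, p):          # E_k3(D_k2(E_k1(P))), 3-key EDE shape
    return enc(k3, dec(k2, enc(k1, p)))

def _table(p):                    # forward half: 2^k entries of storage
    t = {}
    for k1 in KEYS:
        t.setdefault(enc(k1, p), []).append(k1)
    return t

def mitm_double(pairs):           # pairs: known (plaintext, ciphertext)
    (p, c), t = pairs[0], _table(pairs[0][0])
    hits = [(k1, k2) for k2 in KEYS for k1 in t.get(dec(k2, c), [])]
    ops = 2 * len(KEYS)           # 2^k encryptions + 2^k decryptions
    return [k for k in hits if all(double(*k, q) == d for q, d in pairs)], ops

def mitm_triple(pairs):
    (p, c), t = pairs[0], _table(pairs[0][0])
    hits = [(k1, k2, k3) for k3 in KEYS for x in [dec(k3, c)]
            for k2 in KEYS for k1 in t.get(enc(k2, x), [])]
    ops = 2 * len(KEYS) + len(KEYS) ** 2   # 2^k + 2^k + 2^(2k)
    return [k for k in hits if all(ede3(*k, q) == d for q, d in pairs)], ops

if __name__ == "__main__":
    pts = [0x01234567, 0x89ABCDEF]         # constructed known plaintexts
    print(mitm_double([(q, double(0x3A, 0xC5, q)) for q in pts]))
    print(mitm_triple([(q, ede3(0x3A, 0xC5, 0x71, q)) for q in pts]))
```

With 8-bit keys the double search costs 512 cipher operations instead of 2^16 key pairs, and the triple search costs about 2^16 instead of 2^24 key triples, the same ratios as 2^57 versus 2^112 and 2^112 versus 2^168 for DES.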
Matt does not discussing modes, but without it, it is very incomplete, and borderline pedantic. Without operating modes, the cipher has no purpose.
Non-Standard Abbreviation?
"On the other hand, since there are variations of TDES which use two different keys (2TDES) and three different keys (3TDES) the non-standard abbreviation 3DES is confusing and should be avoided." Huh? I've worked extensively with various firewalls from numerous manufacturers, and I've never seen Triple DES abbreviated any other way. Anybody else have a different experience? --Roland 19:15, 29 June 2006 (UTC)