3DES — Extending an Algorithm's Life
Thilan Dissanayaka Cryptography May 18, 2020

3DES — Extending an Algorithm's Life

By the early 1990s, DES was in trouble. The 56-bit key that seemed untouchable in 1977 was starting to look fragile. Academic papers were showing theoretical attacks faster than brute force. Hardware was getting cheaper. Everyone knew it was only a matter of time before someone cracked it live.

But here’s the thing — you can’t just swap out the encryption algorithm that runs the entire global banking system overnight. DES was everywhere. ATMs, payment terminals, mainframes, hardware security modules, smartcards. Billions of dollars of infrastructure built around a single algorithm.

The industry needed more time. And the simplest way to buy time was to run DES more than once.

This is the story of Triple DES (3DES) — not a new algorithm, but an engineering hack that extended DES’s life by two decades.

If you haven’t read the DES article yet, go read that first. Everything here builds on it.

The Obvious Idea — Why Not Double DES?

The first instinct is straightforward: encrypt with DES once, then encrypt again with a different key. Double DES. Two keys, each 56 bits, giving us an effective key space of 2^112. Problem solved, right?

Ciphertext = E_K2(E_K1(Plaintext))

Not quite. Double DES is broken by an elegant attack called the meet-in-the-middle attack.

Meet-in-the-Middle Attack

Here’s the idea. Suppose an attacker has a known plaintext-ciphertext pair (P, C). They know:

C = E_K2(E_K1(P))

Which means there’s an intermediate value X:

X = E_K1(P)     (encrypt P with K1)
X = D_K2(C)     (decrypt C with K2)

The attacker:

  1. Encrypts P with every possible K1 (2^56 operations) and stores the results in a table
  2. Decrypts C with every possible K2 (2^56 operations) and looks for a match in the table

If E_K1(P) = D_K2(C) for some K1 and K2, those are likely the correct keys.

Total work: 2^56 + 2^56 = 2^57 operations, plus storage for 2^56 intermediate values. That’s barely more work than cracking single DES. The “112-bit” security of Double DES collapses to effectively 57 bits.

This is why Double DES was never standardized. The meet-in-the-middle attack makes it almost as weak as single DES.

Triple DES — Three Times the Charm

The fix is to use three DES operations. With three passes, the meet-in-the-middle attack requires 2^112 work (meeting in the middle of a triple operation still leaves two operations on one side) — a massive improvement.

But the specific way the three operations are combined matters.

The EDE Construction

3DES uses Encrypt-Decrypt-Encrypt (EDE) ordering:

Encryption:  C = E_K3(D_K2(E_K1(P)))
Decryption:  P = D_K1(E_K2(D_K3(C)))

Wait — why Encrypt-Decrypt-Encrypt? Why not Encrypt-Encrypt-Encrypt?

The answer is backward compatibility. If you set all three keys to the same value (K1 = K2 = K3 = K), the middle Decrypt undoes the first Encrypt, leaving just the third Encrypt:

E_K(D_K(E_K(P))) = E_K(P)

That’s just single DES. This means hardware and software designed for 3DES can interoperate with legacy single-DES systems by simply using the same key three times. In a world where billions of devices needed to be gradually upgraded, this backward compatibility was essential.

Keying Options

3DES supports three different keying configurations, each with different security levels:

Keying Option 1: Three Independent Keys (3TDEA)

K1 ≠ K2 ≠ K3 (all different)
Total key material: 3 × 56 = 168 bits
Effective security: 112 bits (due to meet-in-the-middle)

This is the strongest option. Three completely independent 56-bit keys. The meet-in-the-middle attack still applies to the triple construction, reducing the effective security from 168 bits to about 112 bits — but 112 bits is still far beyond brute-force reach with current technology.

Keying Option 2: Two Independent Keys (2TDEA)

K1 = K3, K2 is different
Total key material: 2 × 56 = 112 bits
Effective security: ~80-112 bits (debated)

This is the most widely deployed option, especially in financial systems. Only two keys are needed, reducing key management overhead. The effective security is lower than Option 1, and some theoretical attacks bring it down to around 80 bits — which is why NIST deprecated this option in 2015.

Keying Option 3: Single Key (Backward Compatible)

K1 = K2 = K3 (all the same)
Total key material: 56 bits
Effective security: 56 bits (equivalent to single DES)

This is just DES with extra steps. It exists solely for backward compatibility — a 3DES implementation can communicate with a DES-only system by using the same key three times. No security improvement.

Comparison

Keying Option Keys Key Material Effective Security Status
Option 1 (3 keys) K1, K2, K3 168 bits ~112 bits Deprecated (use AES)
Option 2 (2 keys) K1, K2, K1 112 bits ~80-112 bits Disallowed after 2023
Option 3 (1 key) K, K, K 56 bits 56 bits Equivalent to DES (broken)

Performance — The Price of Security

The obvious downside of 3DES: it’s three times slower than DES. Every block requires three full DES operations (48 Feistel rounds total instead of 16).

In an era when DES was already considered slow compared to newer designs, tripling the workload was painful. Some rough comparisons:

Algorithm Block Size Key Size Relative Speed
DES 64 bits 56 bits 1x (baseline)
3DES 64 bits 112/168 bits ~0.33x (3x slower)
AES-128 128 bits 128 bits ~3-6x faster than 3DES

AES isn’t just more secure than 3DES — it’s also significantly faster. This is because AES was designed from scratch for modern hardware, while 3DES carries the weight of a 1970s design run three times.

In hardware (HSMs, smartcards, payment terminals), 3DES was acceptable because dedicated silicon could accelerate it. In software, the performance gap was harder to ignore.

The Sweet32 Attack — Why Block Size Matters

Here’s a vulnerability that has nothing to do with the key length. 3DES has a 64-bit block size (inherited from DES). This creates a problem when you encrypt large amounts of data with the same key.

The Birthday Bound

The birthday paradox from probability theory tells us that in a set of 2^(n/2) random values from an n-bit space, there’s a ~50% chance of a collision (two identical values).

For a 64-bit block cipher, after encrypting approximately 2^32 blocks (about 32 GB of data), you’re likely to see two plaintext blocks that produce the same ciphertext block. In CBC mode (the most common mode used with 3DES), this leaks information about the plaintext through XOR relationships.

The Attack

In 2016, researchers Karthikeyan Bhargavan and Gaetan Leurent demonstrated this as the Sweet32 attack. They showed that by capturing enough TLS traffic encrypted with 3DES (about 785 GB), they could recover HTTP session cookies.

The attack works against any 64-bit block cipher used in a long-lived TLS session — 3DES was the most prominent target.

Attack requirements:
- Same key used to encrypt ~32 GB of data
- Attacker can observe the ciphertext
- Attacker can trigger the victim to send known/predictable plaintext

Result:
- Recovery of secrets (session cookies) from the encrypted stream

Why AES Isn’t Vulnerable

AES uses a 128-bit block size. The birthday bound for 128-bit blocks is 2^64 blocks — about 256 exabytes. No realistic session encrypts that much data. This is one of the key design improvements AES brought over DES/3DES.

Sweet32 was the final nail in the coffin for 3DES in TLS. Major browsers and TLS libraries began disabling 3DES cipher suites shortly after the paper was published.

Where 3DES Still Lives

Despite being deprecated, 3DES refuses to die completely. You’ll still find it in:

Payment Card Industry

The payment ecosystem is the last major holdout. EMV chip cards, PIN encryption, and key management in ATM networks have historically relied on 3DES. The reasons are mostly inertia:

  • Hardware security modules (HSMs) in banks were designed around 3DES
  • EMV specifications (which govern chip cards worldwide) were written with 3DES
  • Replacing HSMs and payment terminals costs billions globally
  • The PCI DSS compliance framework only recently began requiring AES migration

The payment industry has been migrating to AES, but the timeline stretches to 2030+ for full deprecation in some regions.

Legacy Government and Military Systems

Some older government systems still use 3DES for classified data. These systems were certified under older standards (FIPS 46-3) and are being phased out as part of broader modernization efforts.

Mainframe Environments

IBM mainframes and their associated middleware have deep 3DES integration. Mainframe shops tend to move slowly — some applications have been running for 30+ years, and changing the encryption layer requires extensive testing and certification.

NIST Deprecation Timeline

NIST has been gradually phasing out 3DES:

Year Action
2005 NIST recommends AES over 3DES for new applications
2015 Keying Option 2 (2-key 3DES) disallowed for encryption after 2015
2017 Sweet32 attack demonstrated
2019 NIST formally deprecates 3DES (SP 800-131A Rev. 2)
2023 3DES disallowed for all encryption in federal systems

The message is clear: use AES. There is no scenario where choosing 3DES over AES makes sense for new development.

Implementing 3DES — Just to Understand It

Let’s see what 3DES looks like in code. This is for understanding — not for production use.

In Python:

from Crypto.Cipher import DES3
from Crypto.Random import get_random_bytes

# Generate a 24-byte key (3 x 8 bytes = Keying Option 1)
# DES3 requires the key to have correct parity bits
while True:
    key = get_random_bytes(24)
    try:
        DES3.adjust_key_parity(key)
        break
    except ValueError:
        continue

# Encrypt
cipher = DES3.new(key, DES3.MODE_CBC)
plaintext = b"Hello from the world of 3DES!!!"  # Must be multiple of 8 bytes
plaintext += b"\x01"  # Pad to 32 bytes
ciphertext = cipher.encrypt(plaintext)
iv = cipher.iv

print(f"Ciphertext: {ciphertext.hex()}")
print(f"IV: {iv.hex()}")

# Decrypt
decipher = DES3.new(key, DES3.MODE_CBC, iv=iv)
recovered = decipher.decrypt(ciphertext)
print(f"Decrypted: {recovered}")

In OpenSSL on the command line:

# Encrypt a file with 3DES-CBC
$ openssl enc -des-ede3-cbc -in secret.txt -out secret.enc -k "mypassword"

# Decrypt
$ openssl enc -des-ede3-cbc -d -in secret.enc -out recovered.txt -k "mypassword"

Notice the cipher name: des-ede3-cbc. That’s DES, Encrypt-Decrypt-Encrypt, 3 keys, CBC mode.

Lessons from 3DES

3DES teaches us several important lessons about real-world cryptography:

1. Backward compatibility drives adoption. The EDE construction wasn’t the most elegant solution, but it let the world migrate gradually from DES to 3DES without replacing every piece of hardware simultaneously. This pragmatism is why 3DES succeeded where a clean-break replacement might have stalled.

2. Block size matters as much as key size. DES’s 56-bit key was the obvious weakness, and 3DES fixed that. But the 64-bit block size was a time bomb that nobody worried about until Sweet32 detonated it in 2016. AES’s designers learned from this and doubled the block size to 128 bits.

3. “Good enough” solutions have long tails. 3DES was always meant to be temporary — a bridge to AES. But temporary solutions in critical infrastructure have a way of becoming permanent. Twenty years after AES was standardized, 3DES is still processing credit card transactions.

4. Performance is a security property. If encryption is too slow, people disable it or use it incorrectly. 3DES’s poor performance (relative to AES) wasn’t just an inconvenience — it was a reason organizations delayed adopting encryption or kept using DES.

What Comes Next

3DES was a bridge, and we’ve crossed it. The destination is AES (Advanced Encryption Standard) — a completely different design that’s faster, stronger, and built for the modern world.

In the next article, we’ll explore AES from the ground up — the substitution-permutation network, the byte-level operations, the MixColumns magic, and why it’s been the gold standard for over two decades.

Thanks for reading!

ALSO READ
Blockchain 0x000 – Understanding the Fundamentals
May 21, 2020 Web3 Development
Blockchain 0x000 – Understanding the Fundamentals

Imagine a world where strangers can exchange money, share data, or execute agreements without ever needing to trust a central authority. No banks, no intermediaries, no single point of failure yet...

Identity and Access Management (IAM)
May 11, 2020 Identity & Access Management
Identity and Access Management (IAM)

Who are you — and what are you allowed to do? That's the fundamental question every secure system must answer. And it's exactly what Identity and Access Management (IAM) is built to solve.

How I built a web based CPU Simulator
May 07, 2020 Pet Projects
How I built a web based CPU Simulator

As someone passionate about computer engineering, reverse engineering, and system internals, I've always been fascinated by what happens "under the hood" of a computer. This curiosity led me to...

Writing a Shell Code for Linux
Apr 21, 2020 Exploit Development
Writing a Shell Code for Linux

Shellcode is a small piece of machine code used as the payload in exploit development. In this post, we write Linux shellcode from scratch — starting with a simple exit, building up to spawning a shell, and explaining every decision along the way.

Exploiting a Stack Buffer Overflow on Windows
Apr 12, 2020 Exploit Development
Exploiting a Stack Buffer Overflow on Windows

In a previous tutorial we discusses how we can exploit a buffer overflow vulnerability on a Linux machine. I wen through all theories in depth and explained each step. Now today we are going to jump...

Access Control Models
Apr 08, 2020 Identity & Access Management
Access Control Models

Access control is one of the most fundamental concepts in security. Every time you set file permissions, assign user roles, or restrict access to a resource, you're implementing some form of access control. But not all access control is created equal...

Exploiting a Stack Buffer Overflow on Linux
Apr 01, 2020 Exploit Development
Exploiting a Stack Buffer Overflow on Linux

Have you ever wondered how attackers gain control over remote servers? How do they just run some exploit and compromise a computer? If we dive into the actual context, there is no magic happening....

Basic concepts of Cryptography
Mar 01, 2020 Cryptography
Basic concepts of Cryptography

Ever notice that little padlock icon in your browser's address bar? That's cryptography working silently in the background, protecting everything you do online. Whether you're sending an email,...

Common Web Application Attacks
Feb 05, 2020 Application Security
Common Web Application Attacks

Web applications are one of the most targeted surfaces by attackers. This is primarily because they are accessible over the internet, making them exposed and potentially vulnerable. Since these...

Remote Code Execution (RCE)
Jan 02, 2020 Application Security
Remote Code Execution (RCE)

Remote Code Execution (RCE) is the holy grail of application security vulnerabilities. It allows an attacker to execute arbitrary code on a remote server — and the consequences are as bad as it sounds. In this post, we'll go deep into RCE across multiple languages, including PHP, Java, Python, and Node.js.

AUTHOR
Thilan Dissanayaka

Thilan Dissanayaka

Security Engineer at WSO2. Passionate about clean code and cybersecurity. Building secure, scalable applications with modern technologies.

CATEGORIES