According to draft guidance published by NIST on July 19, 2018, the Triple Data Encryption Algorithm (TDEA or 3DES) is officially being retired. The guidelines propose that, after a period of public consultation, 3DES is deprecated for all new applications and usage is disallowed after 2023.
Background on the 3DES Guidance
First introduced in 1998, the 3DES algorithm is still broadly adopted in finance, payment and other private industry to encrypt data in-transit and at-rest, including EMV keys for protecting credit card transactions. The proposal to formally retire the algorithm is not entirely surprising, especially considering historical movements by NIST:
- The Advanced Encryption Standard (AES) was introduced in 2001 to replace 3DES
- Data Encryption Standard (DES), the algorithm 3DES is based on, was retired in 2005
- The two-key variant of 3DES was retired in 2015
In July 2017, NIST initially proposed retiring 3DES following a security analysis and practical demonstration of attacks on 3DES in several real-world protocols. In November 2017, NIST restricted usage to 220 64-bit blocks (8 MB of data) using a single key bundle, so it could no longer effectively be used for TLS, IPsec, or large file encryption.
- Deprecated means “the use of the algorithm and key length is allowed, but the user must accept some risk.”
- Disallowed means an “algorithm or key length is no longer allowed for the indicated use.”
The designation of a major encryption algorithm as a security risk has implications to US Federal Institutions and vendors subject to NIST guidelines. This announcement is also a reflection on best practices for institutions in the finance industry, and could impact PCI cryptography recommendations.
What is 3DES?
The Triple Data Encryption Algorithm, alternately referred to as Triple DES (Data Encryption Standard), 3DES, TDES, Triple DEA, or TDEA, is a symmetric key-block cipher which applies the DES cipher in triplicate by encrypting with the first key (k1), decrypting with the second key (k2), and encrypting with the third key (k3). A two-key variant also exists, where k1 and k3 are the same.
Why 3DES is Likely to Be Disallowed after 2023
3DES is a ciphersuite based on the Data Encryption Standard developed by IBM in the early 1970s and adopted by NIST (with minor changes) in 1977. 3DES was introduced during a period of transition between two major algorithms. In 1997, NIST announced a formal search for candidate algorithms to replace DES. In 2001, AES was released with the intention of coexisting with 3DES until 2030, permitting a gradual transition. However, the retirement of 3DES has been likely accelerated by research which has revealed significant vulnerabilities and is, by some accounts, long overdue.
NIST first initiated discussion of deprecating 3DES following the analysis and demonstration of attacks on 3DES. The Sweet32 vulnerability was made public by researchers Karthikeyan Bhargavan and Gaëtan Leurent. This research exploited a known vulnerability to collision attacks in 3DES and other 64-bit block cipher suites which are greatest during lengthy transmissions, the exchange of content files, or transmissions vulnerable to text injection. After the exposure of this vulnerability, NIST proposed 3DES be deprecated, and soon thereafter, restricted its usage.
Understanding the Implications of 3DES’ Deprecation
3DES is a major algorithm, and one which is deeply embedded into payment systems, standards and technology in the finance industry. The five-year timeline proposed by NIST to disallow the use of 3DES could present challenges for the industry due to non-upgradable infrastructure, billions of credit cards in circulation and potential interoperability issues.
Organizations using 3DES should be aware of how this algorithm is used within their network environment and the cloud, including its use by vendors. Working to develop an understanding of 3DES implementations can enable organizations to proactively manage 3DES risks with regards to discovered vulnerabilities within the algorithm and the sensitivity of business data.
To protect mission-critical data during the transition period to AES or another method of encryption, organizations can adopt stop-gap measures, such as changing 3DES keys more frequently.
Organizations should be aware of the dangers created by inertia or accepting the business risks of deeply-embedded ciphersuites which are insecure. With the threat of quantum computing on the horizon, threatening to break many of today’s most popular algorithms, NIST’s recommendation is for organizations to “plan for cryptographic agility to facilitate transitions to quantum-resistant algorithms where needed in the future.“
As firms consider compliance and threats, crypto-agility can enable fast response to emerging research and recommendations by supporting the transition from one encryption standard to another at a moment’s notice. Solutions for cryptography as a service enable organizations in highly-regulated industries to protect business-critical data with globally compliant solutions for encryption.
- Draft NIST Special Publication 800-131A Revision 2: Transitioning the Use of Cryptographic lgorithms and Key Lengths (July 2018) by the National Institute of Standards and Technology
- Federal Information Processing Standards Publication 197: Announcing the Advanced Encryption Standard (AES) (1997), by the National Institution of Standards and Technology
- Federal Information Processing Standards Publication 46-3: Data Encryption Standard (DES) (1999), by the National Institute of Standards and Technology
- News: Update to Current Use and Deprecation of TDEA (July 2017), by the National Institute of Standards and Technology
- NIST Special Publication 800-67, Revision 2: Recommendations for the Triple Data Encryption Algorithm Block Cipher (November 2017), by the National Institute of Standards and Technology
- News: Announcing Development of Federal Information Processing Standard for Advanced Encryption (January 1997), by the National Institute Of Standards and Technology
- Cryptomathic Answers Compliance-Driven Call for Crypto-Agility (May 2018), by Cryptomathic