Since DES uses a 56-bit key it is vulnerable to attack. Is it possible to use DES, but make the effective key length longer than 56 bits?

Suppose C = E_K(P), where E is DES encryption of plaintext P with key K, and C is the resulting ciphertext. Let D be the corresponding decryption, so that P = D_K(C).

The accepted way of making DES more secure is to use two keys, K1 and K2 in "EDE" mode

      C = E_K1(D_K2(E_K1(P)))

Then decryption is

      P = D_K1(E_K2(D_K1(C)))

This gives a key length of 112 bits, which is considered very secure.

Question: Why not use

      C = E_K1(E_K1(P))

instead?

Answer: There are still only 2⁵⁶ keys to try so there is no improvement in security.

Question: Why not use

      C = E_K1(E_K2(P))

instead?

Answer: Theoretically, there is a meet-in-the-middle attack that only requires about 2⁵⁷ work (though it also requires an impractical lookup table).

Question: Why is it EDE and not EEE?

Answer: With EDE, if we set K1=K2, then we get single DES.

Question: Why not use three different keys in triple DES?

Answer: You can, though it is not the standard. But then you would need to manage 3 keys while 2 keys (112 bits) is considered sufficiently secure. Also, you would lose backward compatibility with single DES.