Since DES uses a 56-bit key it is vulnerable to attack. Is it possible to use DES, but make the effective key length longer than 56 bits?
Suppose C = EK(P), where E is DES encryption of plaintext P with key K, and C is the resulting ciphertext. Let D be the corresponding decryption, so that P = DK(C).
The accepted way of making DES more secure is to use two
keys, K1 and K2 in "EDE" mode
C = EK1(DK2(EK1(P)))
Then decryption is
P = DK1(EK2(DK1(C)))
This gives a key length of 112 bits, which is considered very secure.
Question: Why not use
C = EK1(EK1(P))
instead?
Answer: There are still only 256 keys to try so there is no improvement in security.
Question: Why not use
C = EK1(EK2(P))
instead?
Answer: Theoretically, there is a meet-in-the-middle attack that only requires about 257 work (though it also requires an impractical lookup table).
Question: Why is it EDE and not EEE?
Answer: With EDE, if we set K1=K2, then we get single DES.
Question: Why not use three different keys in triple DES?
Answer: You can, though it is not the standard. But then you would need to manage 3 keys while 2 keys (112 bits) is considered sufficiently secure. Also, you would lose backward compatibility with single DES.