Triple DES

Since DES uses a 56-bit key it is vulnerable to attack. Is it possible to use DES, but make the effective key length longer than 56 bits?

Suppose C = E_K(P), where E is DES encryption of plaintext P with key K, and C is the resulting ciphertext. Let D be the corresponding decryption, so that P = D_K(C).

The accepted way of making DES more secure is to use two keys, K1 and K2, in "EDE" mode:

      C = E_K1(D_K2(E_K1(P)))

Then decryption is

      P = D_K1(E_K2(D_K1(C)))

This gives a key length of 112 bits, which is considered very secure.

Question: Why not use

      C = E_K1(E_K1(P))

Answer: There are still only 2^56 keys to try so there is no improvement in security.

Question: Why not use

      C = E_K1(E_K2(P))

Answer: Theoretically, there is a meet-in-the-middle attack that only requires about 2^57 work (though it also requires an impractical lookup table).
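
The meet-in-the-middle idea, shown as an added example that is not part of the original notes: a toy 16-bit cipher with 10-bit keys stands in for DES, and the cipher, its constants, the keys and the plaintexts are all constructed for illustration. Matching costs 2^11 cipher operations instead of the 2^20 a search over both keys would need, mirroring 2^57 versus 2^112 for DES.

```python
# Added illustration: a toy 16-bit block cipher with 10-bit keys, NOT DES.
KEY_BITS, MASK = 10, 0xFFFF
MUL = 0x9E35                          # odd, hence invertible mod 2^16
MUL_INV = pow(MUL, -1, 1 << 16)       # needs Python 3.8+

def round_key(k, r):
    return (k * 0x0101 + r * 0x03C5) & MASK

def encrypt(k, x):
    for r in range(4):
        x = ((x + round_key(k, r)) * MUL) & MASK
        x ^= x >> 7
    return x

def decrypt(k, x):
    for r in reversed(range(4)):
        x ^= (x >> 7) ^ (x >> 14)     # undo x ^= x >> 7
        x = (x * MUL_INV - round_key(k, r)) & MASK
    return x

def double_encrypt(k1, k2, p):        # C = E_K1(E_K2(P)), as in the text
    return encrypt(k1, encrypt(k2, p))

def meet_in_the_middle(pairs):
    """Return (surviving (K1, K2) candidates, cipher operations used to match)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    ops, table = 0, {}
    for k2 in range(1 << KEY_BITS):   # forward half: E_K2(P) for every K2
        table.setdefault(encrypt(k2, p0), []).append(k2)
        ops += 1
    found = []
    for k1 in range(1 << KEY_BITS):   # backward half: D_K1(C) for every K1
        ops += 1
        for k2 in table.get(decrypt(k1, c0), []):
            # A match on one block can be a coincidence; confirm on the others.
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found, ops

# Constructed sample data: two 10-bit keys and three known plaintext blocks.
K1, K2 = 0x2A7, 0x13C
PAIRS = [(p, double_encrypt(K1, K2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]

if __name__ == "__main__":
    found, ops = meet_in_the_middle(PAIRS)
    print("candidates:", [(hex(a), hex(b)) for a, b in found])
    print("matching work:", ops, "vs brute force:", 1 << (2 * KEY_BITS))
```

The table of 2^10 intermediate values is the toy counterpart of the lookup table the answer calls impractical: for DES it would need 2^56 entries.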

Question: Why is it EDE and not EEE?

Answer: With EDE, if we set K1=K2, then we get single DES.

Question: Why not use three different keys in triple DES?

Answer: You can, though it is not the standard. But then you would need to manage 3 keys while 2 keys (112 bits) is considered sufficiently secure. Also, you would lose backward compatibility with single DES.