It’s time to start to say goodbye to Triple-DEA
The three-key triple data encryption algorithm (TDEA) has weakened and is being deprecated. Here's how you should move forward with encrypting your data.
Jan 25, 2024 • 5 Minute Read
The strength of all cryptographic algorithms decreases over time. Sometimes it’s because of some new cryptanalysis that weakens the effective strength of a cipher and sometimes it’s because access to more powerful computers makes it feasible to brute-force a key.
At some stage the algorithm loses the strength to protect specific data, and at the end of 2023 this fate befell the Three-key Triple Data Encryption Algorithm (TDEA, also frequently called Triple DES or TDES/3DES), as the National Institute of Standards and Technology (NIST) finally disallowed its use to encrypt sensitive, unclassified Federal information after the end of 2023 (see NIST Special Publication 800-131A Revision 2).
The adoption of three-key TDEA was itself the result of the weakening of two-key TDEA which itself was retired in 2015. And yes, two-key TDEA replaced plain old DEA (or DES if you prefer) when it was weakened.
The security strength of the combination of a cryptographic algorithm and a particular key length is expressed as a number of bits. Three-key TDEA (which I’m just going to call TDEA from here onwards) has a security strength of 112 bits. Currently the NIST-approved replacement for TDEA, the Advanced Encryption Standard (AES), has a security strength equal to the size of key used: 128, 192 or 256 bits.
What should you do?
Over the course of 2023, I heard lots of different and sometimes strange opinions about what organisations using TDEA should do. Should they migrate to AES? And if so what key length, 128, 192 or 256 bits? What should they do with data that’s already been encrypted with TDEA?
I’ve also heard reports that auditors have refused to accept data that’s encrypted with TDEA as “encrypted”. This is nonsense. NIST hasn’t said that TDEA is “broken” or no longer offers 112 bits of security strength; it has just disallowed its continued use to encrypt data.
Should you stop using TDEA to encrypt data?
If you’re using TDEA to meet a regulatory or contractual requirement, then work out what the regulator, contract or related standards body says.
If you’re protecting sensitive unclassified information in a Federal environment, then no. You need to start using something with 128 bits of security strength.
TDEA is used extensively in payments for the protection of PINs and cardholder data. The Payment Card Industry (PCI) Security Standards Council (SSC) has not disallowed the use of TDEA across its PIN standards, and says it meets the PCI DSS requirement to use “strong cryptography” to protect stored cardholder data (see FAQ 1570) which is to use cryptography with a minimum security strength of 112 bits.
In many cases like payment processing, TDEA is embedded in the industry and in hardware that is costly to replace and wouldn’t be justified given the risk of an attack against the encrypted data. But over time it is anticipated that entire industries will migrate away from TDEA.
If you’re using TDEA to reduce the risk of a breach of confidentiality of some data, then you need to look at the risk of continuing to use it, and yes, you should start to plan your migration to AES. Because in the near future one or more of these things may happen:
- There will be further attacks found against TDEA weakening its security strength to a level below what you are comfortable will provide adequate protection of data.
- A regulation or contract you are subject to will disallow its use.
- Quantum computing will reduce the security strength of TDEA to effectively zero.
One thing to consider is risk related to the lifespan of the data. If in, say, seven years an attacker was able to decrypt data that you encrypted today would that be a problem? Would the plaintext version of seven-year-old data be a problem for you in seven years’ time?
What about already encrypted data?
Again, I’ve heard some misleading advice that organisations should decrypt all the stored data they have encrypted with TDEA and re-encrypt it with AES, because it no longer counts as “encrypted”. More nonsense. NIST has disallowed the use of TDEA for encryption; it is still allowed for the decryption of previously encrypted data.
But again, you need to think about the lifespan of that data. Is it the type of data that an attacker would get value from if it was compromised today but only decrypted in seven years’ time?
It's time to embrace cryptoagility
As the demise of single-, two- and three-key TDEA reminds us, no cryptographic algorithm is forever. So, if you are looking at where you use TDEA in your organisation, can I also suggest that, if you’ve not done one already, you inventory your use of all cryptography in 2024.
At some stage in the next perhaps ten years, it is predicted that quantum computers will be able to break or weaken the classical cryptographic algorithms we use today and so you’ll need to make some changes.
For symmetric cryptography, if you are using TDES or 128-bit AES, then you’ll need to move to AES using 256-bit keys – that’s a job to do, but not a hard job to do, unless you don’t know where you use symmetric cryptography!
For asymmetric cryptography the job is going to be harder as you’ll need to move to using post-quantum (PQ) algorithms and implementing those isn’t going to be a simple cut-and-replace exercise.
An issue we all face is understanding when quantum computing fatally weakens both low-strength AES and all current public-key cryptography. How long will we have to change, and will that be long enough to continue to protect data and secrets in the ways we want?
Making sure that you’ve an up-to-date inventory and an idea of how long it will take you to migrate to longer symmetric keys and PQ asymmetric cryptography is the first step to understanding this risk. And that would be my first resolution for 2024.
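A first pass at the inventory described above, as an added example that is not from the original article: it scans configuration and source text for algorithm identifiers and attaches the security strength and action this article gives for each. The identifier patterns, the sample files and the handling of AES-192 are assumptions made for the example.

```python
import re

# Constructed identifier patterns (common OpenSSL and Java spellings); extend for your code base.
B, E = r"(?<![A-Za-z0-9])", r"(?![A-Za-z0-9])"
RULES = [
    ("TDEA", re.compile(B + r"(?:DES-EDE3|DESede|TripleDES|3DES|TDEA|TDES)" + E, re.I)),
    ("AES", re.compile(B + r"AES[-_/]?(128|192|256)" + E, re.I)),
    ("public-key", re.compile(B + r"(?:RSA|ECDSA|ECDH|DSA)" + E)),
]

def classify(family, bits):
    """Return (security strength in bits, action) following the article's guidance."""
    if family == "TDEA":
        # Three-key TDEA: 112 bits. New encryption is disallowed by NIST after 2023,
        # but decrypting previously encrypted data is still allowed.
        return 112, "stop encrypting new data; decrypt-only for legacy; migrate to AES"
    if family == "AES":
        # AES strength equals key size. AES-192 is treated like AES-128 here
        # (an assumption; the article names only 128-bit AES).
        return bits, ("keep" if bits == 256 else "plan move to AES-256")
    # Classical public-key algorithms: no symmetric-style strength recorded here.
    return None, "plan post-quantum migration"

def inventory(files):
    """files: {path: text}. Returns one record per algorithm hit, in file/line order."""
    records = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for family, pattern in RULES:
                for m in pattern.finditer(line):
                    bits = int(m.group(1)) if family == "AES" else None
                    strength, action = classify(family, bits)
                    records.append({"file": path, "line": lineno, "match": m.group(0),
                                    "family": family, "bits": strength, "action": action})
    return records

SAMPLE = {  # constructed configuration and source snippets
    "pin-service.conf": "cipher = des-ede3-cbc\nbackup_cipher = aes-128-cbc\n",
    "Vault.java": 'Cipher.getInstance("DESede/CBC/PKCS5Padding");\n// key wrap: RSA\n',
    "storage.yaml": "encryption: AES-256-GCM\n",
}

if __name__ == "__main__":
    for r in inventory(SAMPLE):
        print(f'{r["file"]}:{r["line"]}  {r["match"]:<10} {r["bits"]}  {r["action"]}')
```

A text scan like this only finds algorithms that are named in files; hardware modules and libraries with built-in defaults still need to be inventoried by other means.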