Re: 3DES key-length for data authentication

From: Michael Sierchio (
Date: 12/09/02

  • Next message: Philip Le Riche: "Re: Cygwin and SSH"
    Date: Mon, 09 Dec 2002 10:31:48 -0800
    From: Michael Sierchio <>

    > The effective keylength of Triple-DES is 112 bits. I don't recall the
    > rationale for this now - it should be available in all the usual
    > places; e.g. google, "triple-DES effective keylength".

    The meet-in-the-middle time-memory trade-off attack (Cf. Merkle-Hellman)
    is a chosen plaintext attack, so it's applicable only if the adversary
    can mount such an attack -- not likely in a VPN, probably likely in an
    encrypted file system. It's easiest to describe for double DES --
    Merkle-Hellman allows for breaking double DES with 2 keys in 2^(n+1)
    chosen plaintext encryptions, rather than the 2^2n you might expect.
    Merkle-Hellman breaks 3-DES-CBC-EDE-3K in 2^2n steps and requires 2^2n
    blocks of memory.

    The effective key length if the adversary can mount a CPA against
    3-DES-CBC-EDE-3K is 112 bits. If the adversary cannot mount the MITM
    attack, the effective key length is 168 bits.

    In the case of using triple DES for SSH or SSL operations, my educated
    guess is that it actually does provide 168 bits worth of key strength.