Re: Why is 3DES favoured over AES?



On 18/05/2011 12:06, Mok-Kong Shen wrote:
> http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf says however 3DES (with 2 keys)
> has only 80-bit of security.

Yes. That figure is considering the adversary has about 2^40 plaintext/ciphertext pairs. When that occurs, security starts to be threatened by the very block size of DES (64 bits): the adversary has 2^-16 odds that a random block is in her dictionary (and thus can break some authentication protocols with fair odds).
I believe the attack is this one: "A Known-Plaintext Attack on Two-Key Triple Encryption", Paul C. van Oorschot and Michael J. Wiener, Eurocrypt 1990
<http://people.scs.carleton.ca/~paulv/papers/Euro90.pdf>
Besides an awful lot of plaintext, that attack requires a lot of fast memory, and IMHO it is not yet a practical threat in real bank applications.

> Could someone explain why it is that expensive to switch over to AES?
> One could easily, I surmise, have a transition period where both systems are available.

You have to specify, develop, test, sometimes certify, deploy the new systems (a Common Criteria certification can cost hundreds of thousands of euros and last well over a year). The new devices (e.g. Point of Sale terminals) will either be incompatible with deployed ones (e.g. bank smart cards), or need to support both types of key/crypto during a transition period. In the latter case, breaking an old key may compromise the new devices to some degree, the new devices are more complex than the old ones, and the risk that one of the implementations has a security-threatening or interoperability bug is significantly increased.

This is why I see AES introduced in new systems that do not require compatibility with old ones.


Francois Grieu