<br><br><div class="gmail_quote"><div dir="ltr">On Fri, 26 May 2017, 18:47 Michael Kjörling, <<a href="mailto:michael@kjorling.se">michael@kjorling.se</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 26 May 2017 15:33 +0000, from robin@digi.ninja (Robin Wood):<br>
> Does this make sense? Are there different bit lengths depending on what you<br>
> are talking about and if so, is there a way to know which is being reported?<br>
<br>
DES has a 64 bit key, of which eight bits (one bit per byte) was<br>
traditionally used for parity and has no cryptographic value, being<br>
ignored by the cipher. Thus 56 bits of key material are used for<br>
single-DES.<br>
<br>
3DES has several different keying modes, but can be used with three<br>
independent DES keys (Wikipedia refers to this as "keying option 1").<br>
That is nominally 3 x 64 bits = 192 bits of key material, but because<br>
only 56 bits of each key is used, only 3 x 56 bits = 168 bits of key<br>
material is used. This is often referred to as 168-bit 3DES, but<br>
calling it 192-bit 3DES is as valid as saying that DES uses a 64-bit<br>
key; that is, not completely correct, but at least has some basis in<br>
reality.<br>
<br>
3DES with three independent keys is vulnerable to a meet-in-the-middle<br>
attack, which reduces the _effective_ security to that of two<br>
applications of DES, corresponding to 2 x 56 = 112 bits of security<br>
for 168 bits of actual key material. The security level is thus the<br>
same as a cipher where no such shortcut exists but which uses a 112<br>
bit key. The work factor for a brute force attack is thus 2^112.<br>
<br>
All of "192 bits", "168 bits" and to some extent "112 bits" are thus<br>
valid answers to the question "what is the key size of 3DES"; it all<br>
depends on what specific metric you are looking at.<br>
<br>
Assuming triple DES with three independent keys, 192 bits is the size<br>
of the physical key; 168 bits is the amount of key material used; and<br>
112 bits is the work factor for breaking the resulting encryption by<br>
brute force.<br>
<br>
Most often we are interested either in the amount of key material<br>
actually used, or the work factor; so calling 3DES with three<br>
independent keys as using a 168-bit key, or as having a 112-bit work<br>
factor, is likely the most useful. The combination of this also works,<br>
obviously; 3DES with three independent keys takes 168 bits of key<br>
material to deliver the security of a 112-bit work factor.<br></blockquote></div><div><br></div><div>A brilliant explanation, thanks.</div><div><br></div><div>I'll have to work out which version the different tools I use use.</div><div><br></div><div>Robin</div><div><br></div><div><br></div><div><br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<a href="https://en.wikipedia.org/wiki/Triple_DES#Security" rel="noreferrer" target="_blank">https://en.wikipedia.org/wiki/Triple_DES#Security</a><br>
<br>
--<br>
Michael Kjörling • <a href="https://michael.kjorling.se" rel="noreferrer" target="_blank">https://michael.kjorling.se</a> • <a href="mailto:michael@kjorling.se" target="_blank">michael@kjorling.se</a><br>
“People who think they know everything really annoy<br>
those of us who know we don’t.” (Bjarne Stroustrup)<br>
_______________________________________________<br>
The cryptography mailing list<br>
<a href="mailto:cryptography@metzdowd.com" target="_blank">cryptography@metzdowd.com</a><br>
<a href="http://www.metzdowd.com/mailman/listinfo/cryptography" rel="noreferrer" target="_blank">http://www.metzdowd.com/mailman/listinfo/cryptography</a></blockquote></div>