Financial institutions are performing large-scale migrations of their systems from DES to triple-DES. In this white paper, we describe the basic characteristics of DES and triple-DES and look at the security properties that a financial transaction system will want to achieve. We then look at the problems associated with a migration from DES to triple-DES, enumerating and discussing several points that we suggest should be considered. Finally, we give some suggestions that will help ease the problems of migration.
1. Introduction
DES, the Data Encryption Standard, is a cryptographic algorithm that was standardized in 1977 by the National Institute of Science and Technology (NIST). When the financial industry started to deploy ATMs, it opted for DES for securing transactions. This choice was reinforced by the development of X9 standards for financial transactions that were based on DES. DES has stood the test of time: no attack against this encryption algorithm in practice has been better than brute-forcing the key space. However, DES uses short keys. With current technology, the key space (of size 2^56) can be exhausted in around 56 hours using one single machine worth less than 250 000 US dollars, or in 22 hours with the combined help of a network of about 100 000 personal computers. This means that single DES is no longer secure. On the other hand, triple-DES, as defined in ANSI 9.52, is considered to be secure. Indeed, NIST renewed the DES standard in 1983 and 1988; in 1993 it renewed it with hesitation and controversy; and in 1999 DES was to be used only in legacy systems. NIST, in 1999, standardized triple-DES, based on ANSI 9.52. Triple-DES is a secure replacement for single DES: it is not currently feasible to exhaustively search the key space of triple-DES, nor will it be in the near future unless drastic, unpredictable advances in technology and/or cryptanalysis occur.
In 1993, the financial industry had started replacing DES with triple-DES for the confidentiality of keys residing in cryptographic processors. In 1999, in line with NIST no longer approving single DES, the financial industry started planning a migration, which consists of replacing single DES with triple-DES in all its systems wherever single DES is used.
This migration plan, however, places the industry, which uses single DES widely, in a challenging position. As will be discussed in this document, the process of migrating from single DES to triple-DES is not as simple as just substituting one algorithm for another.
2. Single DES and triple-DES
DES is a block cipher: an encryption algorithm that encrypts message blocks of 64 bits and produces cryptograms of 64 bits using a 56-bit key (DES keys are actually 64 bits in length, but 8 bits act as parity bits, so only 56 bits are actually used for encryption).
We say that DES has strength 2^56, meaning that the most efficient way to attack DES in practice is to search its key space of size 2^56. That is, to attack DES in practice one has to try each and every possible key until the correct encryption key is identified; this takes on average 2^56 / 2 = 2^55 steps. Triple-DES, denoted 3DES from here on, uses 2 keys, chosen independently at random, to DES-encrypt a message multiple times. There are also ways to use 3DES with 3 different keys, but these schemes do not give a significant amount of extra security in theory and are not considered in financial systems. The most common technique is to encrypt the initial plaintext message with one key, decrypt the result with a second key and finally encrypt this last result with the first key again. This is known as E-D-E double length key 3DES encryption and is illustrated in the following figure.
E-D-E 3DES is compatible with single DES (when KL and KR are identical, E-D-E 3DES produces the same result as single DES). From here on, when we talk about 3DES we will be referring to double length key E-D-E 3DES. The strength of 3DES is approximately 2^112, since using two 56-bit keys in E-D-E 3DES is effectively equal to using one 112-bit key. A brute-force search of the 3DES key space of size 2^112 is currently not feasible, nor will it be in the near future.
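The E-D-E construction and its single-DES compatibility can be checked in code. The following is an added example, not part of the original white paper: a textbook DES on 64-bit integers composed into double length key 3DES, with function names (`des`, `ede_encrypt`, `ede_decrypt`) chosen here for illustration.

```python
# Textbook DES on 64-bit integers. Table entries are 1-based bit positions from the MSB.
IP = [r - 8 * i for r in (58, 60, 62, 64, 57, 59, 61, 63) for i in range(8)]
FP = [IP.index(m) + 1 for m in range(1, 65)]  # final permutation = inverse of IP
E = [(4 * i - 1 + j) % 32 + 1 for i in range(8) for j in range(6)]
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
PC1 = ([c - 8 * i for c in (57, 58, 59) for i in range(8)] + [60, 52, 44, 36] +
       [c - 8 * i for c in (63, 62, 61) for i in range(8)] + [28, 20, 12, 4])
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4,
       26, 8, 16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40,
       51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
SBOX = ["e4d12fb83a6c59070f74e2d1a6cb953841e8d62bfc973a50fc8249175b3ea06d",  # hex rows
        "f18e6b34972dc05a3d47f28ec01a69b50e7ba4d158c6932fd8a13f42b67c05e9",
        "a09e63f51dc7b428d709346a285ecbf1d6498f30b12c5ae71ad069874fe3b52c",
        "7de3069a1285bc4fd8b56f03472c1ae9a690cb7df13e52843f06a1d8945bc72e",
        "2c417ab6853fd0e9eb2c47d150fa3986421bad78f9c5630eb8c71e2d6f09a453",
        "c1af92680d34e75baf427c9561de0b389ef528c3704a1db6432c95fabe17608d",
        "4b2ef08d3c975a61d0b7491ae35c2f8614bdc37eaf6805926bd814a7950fe23c",
        "d2846fb1a93e50c71fd8a374c56b0e927b419ce206adf35821e74a8dfc90356b"]

def permute(x, table, width):
    out = 0
    for pos in table:  # output bit n is input bit table[n]
        out = (out << 1) | ((x >> (width - pos)) & 1)
    return out

def des(block, key, decrypt=False):
    k = permute(key, PC1, 64)  # PC1 never selects bits 8, 16, ..., 64 (the parity bits)
    c, d, subkeys = k >> 28, k & 0xFFFFFFF, []
    for s in SHIFTS:  # rotate both 28-bit halves, then derive a 48-bit round key
        c, d = (((v << s) | (v >> (28 - s))) & 0xFFFFFFF for v in (c, d))
        subkeys.append(permute((c << 28) | d, PC2, 56))
    x = permute(block, IP, 64)
    l, r = x >> 32, x & 0xFFFFFFFF
    for sk in (reversed(subkeys) if decrypt else subkeys):
        t = permute(r, E, 32) ^ sk
        s_out = 0
        for i in range(8):  # outer two bits pick the S-box row, inner four the column
            six = (t >> (42 - 6 * i)) & 0x3F
            idx = 16 * (((six >> 4) & 2) | (six & 1)) + ((six >> 1) & 0xF)
            s_out = (s_out << 4) | int(SBOX[i][idx], 16)
        l, r = r, l ^ permute(s_out, P, 32)
    return permute((r << 32) | l, FP, 64)

def ede_encrypt(block, kl, kr):  # encrypt with KL, decrypt with KR, encrypt with KL
    return des(des(des(block, kl), kr, decrypt=True), kl)
def ede_decrypt(block, kl, kr):  # the same three steps undone in reverse order
    return des(des(des(block, kl, decrypt=True), kr), kl, decrypt=True)
```

Calling `ede_encrypt(m, k, k)` returns the same value as `des(m, k)`, which is the compatibility property described above, and flipping any of the 8 parity bits of a key leaves the ciphertext unchanged.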