Cryptography Reference
In-Depth Information
to encrypt the plaintext, and then use the second key,
K
,to
de
crypt the result
to finally encrypt it with
K
again:
C = DES
K
(DES
−
1
K
(DES
K
(P)))
The receiver uses
K
for decryption,
K
for encryption, and
K
for re-decryption.
The decryption in the middle part may be somewhat surprising, but the reason is
obviously only the compatibility with the simple method: Triple-DES turns back
into the usual DES cipher for
K
K
. This allows a 'triple ciphering device'
to talk to a 'simple ciphering device' without the need to change anything
(except the key selection).
=
There are meet-in-the-middle attacks here, too, which are faster than brute force
for 112-bit keys. Schneier suggests using a separate key in each of the three
steps rather than the two keys,
K
and
K
, to prevent this type of risk.
However,
if
there were an effective attack against DES — the notorious 'back-
door' — it might well be that multiple encryption won't help either. Think only
of the combined Vigenere cipher and transposition discussed in Section 2.2.5,
which can be broken almost as easily as any one of the single methods.
But we are stumbling about in the gray zone again. To this day, there are no
rational arguments against the security of Triple-DES — only irrational ones.
But it's true that Triple-DES is rather slow, particularly in software, so that it
is markedly inferior to more modern algorithms (especially the final candidates
of the AES Initiative; see Section 5.5).
5.2.2 DES with Key-Dependent S-Boxes
In 1994, at the ASIACRYPT conference, Biham and Biryukov introduced a
modified DES that can be easily implemented on certain DES chips and in
software [Bih.biry]. The trick is to construct key-dependent S-boxes. Some
DES chips support variable S-boxes so that these boxes can be created outside
the chips and then be fed into them.
Now, it is well known that the original S-boxes are optimized against differ-
ential cryptanalysis. DES with random boxes is much easier to break. This
actually means that an attacker needs to know the boxes, but let's not draw
over-hasty conclusions.
