IBM Crypto Education Community - Group home

NIST Guidance on Three-Key DEA

By John Craig posted Fri February 24, 2023 11:01 AM


Authors: John Craig, Gregg Arquero

The Data Encryption Standard (DES) was first developed in the 70’s and published by the National Institute of Standards (NIST) in 1977.1 At the time, it was the successor to the Lucifer cipher created by IBM in 1971.2 Since its creation, DES was strengthened into the Triple Data Encryption Algorithm (TDEA), also known as Triple DES, in response to successful brute force attacks against single-key DES in 19973. This event was also an impetus for the creation of the entirely new Advanced Encryption Standard (AES) in 2001.

In 2019, an announcement was made by NIST that the three-key variant of TDEA would be phased out as an approved federal information processing standard. As of 2023, three-key TDEA encryption is now considered to be deprecated. This means that while its use is still permitted, users must accept some security risks and limitations. By 2024, three-key TDEA encryption will be officially disallowed.4

The decision to disallow TDEA was made in response to cryptanalysis done by Karthikeyan Bhargavan and Gaëtan Leurent of Inria (Paris), which demonstrated that TDEA was vulnerable to block collision attacks.56 A ciphertext block collision can occur when a single TDEA key bundle is used to encrypt more than 2^32 blocks of 64 bits; or about 34 terabytes of data. These collisions can be used to derive information about the corresponding plaintext of the colliding blocks. 

Three-key TDEA decryption will continue to be permitted for legacy use, so that existing data encrypted under three-key TDEA can still be retrieved. However, no new encrypted data should be created using three-key TDEA. The current guidance suggests that existing encrypted data should be re-encrypted using a more secure standard, such as the aforementioned AES, and all new data should be encrypted likewise.

In an upcoming series of articles, we will explore how to archive DES keys and enable them for decryption only, callable services available in ICSF to re-encrypt legacy data from DES to AES encryption, and the latest DES Wrapping method, WRAPENH3, that can enhance the protection of your existing DES CCA key tokens.



2Horst Feistel. Block Cipher Cryptographic System, US Patent 3,798,359. Filed June 30, 1971. (IBM)


4, page 5