3DES key-length

Danny De Cock godot at ulyssis.org
Thu Dec 5 22:19:19 EST 2002


about the 3des key length stuff: for 3des, a 64-bit plaintext block P is
transformed into a 64-bit ciphertextblock C applying the following
procedure: C=enc(key1,dec(key2,enc(key3,P))).

in this scheme, enc(key,data) stands for the single-DES encryption of some
<data> using the <key>.  both <data> and <key> consist of 8 bytes, where
the <key> is is encoded in such a way that it only holds 56-bit real
key-bits, and 8 parity bits.

it is clear that dec(key,data) stands for a single-DES decryption using
the <key> on some <data>.

this means that each of the 3 keys in this scheme consists of 56 actual
key bits.

if <key1> = <key2> = <key3>, then the 3DES-scheme is equivalent to the

using <key1> = <key3> with a different <key2> leads to 3DES with two keys.
this scheme is generally known as two-key 3DES, with a total key size of
112 bits.

if all three keys are different, one refers to the scheme as 3-key 3DES
with a total key size of 168 bits.

comparing 3DES with the AES on the key length only is not fair as the AES
can be used with keys of 128, 196 and 256 bits, but this algorithm
operates on 128-bit data blocks (as mentioned above, 3DES and the DES use
64-bit data blocks).

based on the ssh man pages, ssh supports 3DES with 3 different keys.

these keys are derived from the shared secret which is negotiated using
the diffie-hellman protocol during the ssh key handshake.

hope this helps, danny.

On Wed, 4 Dec 2002, Dan Kaminsky wrote:

> > I would like to know the key-length used for 3DES data encryption in
> > openssh.
> > I thought that it should be 192 (3 * 64) bits, but the sshd man page states
> > 128 bit key used for 3DES.
> This is one time when Marketing got it right.
> Key length is a bit messy...3DES uses three 64 bit keys, but 8 bits of
> each key is parity(i.e. doesn't contribute to security value).  So
> there's 56*3 or 168 bits of entropy behind each 3DES key.
> If I remember correctly, there's an optimized model of 3DES cracking
> that reduces the complexity of 168 bit 3DES to 112 bits.  (2DES is
> only 1 bit more complex to break than straight DES, due to this
> attack.)  But 3DES has undergone vastly more cryptanalysis than any
> other algorithm, so it's a bit unfair to say it's inferior to those
> ciphers that directly use 128 bit keys (Blowfish, AES, etc.)
> So -- instead of mucking with the details of 64 bit keys that are
> really 56 bit but are used thrice to give 192 bits of keying material
> with only 168 bits used but with only 112 bits of security on a very
> widely trusted algorithm...
> It's 128 bit.
> > Also, I would like to know the 3des key negotiation - who generates the key
> > (the client or the server).
> Don't remember off the top of my head, I'll dive through the specs if
> nobody else pipes up.  Under DH, neither side actually needs to
> generate the key -- it can be the unified outcome of their asymmetric
> exchange.
> > I am interested in the export regulations concerning openssh in USA. Any
> > idea on this ?
> Should be pretty free of US regs; all the crypto modules are imported
> from Canada / Germany / Etc.
> Yours Truly,
> 	Dan Kaminsky
> 	DoxPara Research
> 	http://www.doxpara.com

Don't kid yourself.  Little is relevant, and nothing lasts forever.
Mail : Danny.DeCock at esat.kuleuven.ac.be              daniel.decock at postbox.be
WWW  : http://ace.ulyssis.org/~godot                        godot at advalvas.be

More information about the openssh-unix-dev mailing list