The Triple Data Encryption Algorithm (TDEA), also called Triple Data Encryption Standard (or 3DES), is specified in SP 800-67 Revision 1, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher. Currently, the 3-key variant of the algorithm is allowed for encryption as specified in SP 800-131A, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.
It is known that for a 64-bit block cipher like TDEA, a ciphertext collision will likely occur when about 2^32 blocks are encrypted with a single key bundle. A collision in ciphertext blocks, once found, reveals information about the corresponding plaintext blocks. Moreover, the amount of data would have to be significantly below 2^32 blocks for the probability of a collision to be very small. This security weakness motivated the requirement for the 128-bit block size in the development of the Advanced Encryption Standard (AES). AES is specified in FIPS 197, Advanced Encryption Standard (AES).
A security analysis and practical demonstration of attacks on TDEA in several real-world protocols, done by Karthikeyan Bhargavan and Gaëtan Leurent of Inria (Paris), available at https://sweet32.info/, provide evidence that the collision attack on TDEA represents a serious security vulnerability for many common uses of these protocols — including the HTTPS protocol for secure Internet connections. Moreover, the analysis shows that the security vulnerability remains serious unless more stringent limits are imposed on the amount of data that can be encrypted under a single 3-key bundle than the current data limit recommended by NIST in SP 800-67, Revision 1.
In response, NIST plans to reduce the maximum amount of plaintext allowed to be encrypted under a single TDEA 3-key bundle from 2^32 to 2^20 (64-bit) blocks. This will be announced in the upcoming draft of SP 800-67 Revision 2, and NIST will seek comments on this reduction in the public review of that document.
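An added worked example (not part of the NIST announcement): the standard birthday approximation applied to the 2^32-block and 2^20-block limits discussed above, with AES's 128-bit block for comparison. It assumes ciphertext blocks under one key behave as uniformly random values; the function names are illustrative.

```python
import math


def collision_probability(blocks: int, block_bits: int) -> float:
    """Birthday approximation P = 1 - exp(-n(n-1) / 2^(b+1)).

    Assumption: ciphertext blocks under one key behave as uniformly
    random b-bit values (the usual model for CBC-style modes).
    """
    exponent = blocks * (blocks - 1) / 2.0 ** (block_bits + 1)
    # expm1 keeps precision when the probability is tiny (e.g. 1e-20).
    return -math.expm1(-exponent)


def max_blocks_for(target: float, block_bits: int) -> int:
    """Largest n whose collision probability stays at or below target."""
    # Solve n(n-1) <= -ln(1 - target) * 2^(b+1) for n.
    limit = -math.log1p(-target) * 2.0 ** (block_bits + 1)
    return int((1 + math.sqrt(1 + 4 * limit)) / 2)


def data_volume_bytes(blocks: int, block_bits: int) -> int:
    """Plaintext volume covered by that many blocks."""
    return blocks * block_bits // 8


if __name__ == "__main__":
    cases = [
        ("TDEA, current limit 2^32", 2**32, 64),
        ("TDEA, planned limit 2^20", 2**20, 64),
        ("AES, 2^32 blocks", 2**32, 128),
    ]
    for label, n, bits in cases:
        p = collision_probability(n, bits)
        mib = data_volume_bytes(n, bits) / 2**20
        print(f"{label:26s} {mib:8.0f} MiB  P(collision) = {p:.3e}")
    n = max_blocks_for(1e-6, 64)
    print(f"64-bit blocks for P <= 1e-6: {n} (~2^{math.log2(n):.1f})")
```

Under this model, 2^32 blocks (32 GiB) gives a collision probability of about 39%, while 2^20 blocks (8 MiB) gives about 3 in 10^8.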
In addition, NIST plans to disallow the algorithm for TLS, IPsec and possibly other protocols. TLS is discussed in SP 800-52, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations; draft revision 2 of SP 800-52 will be available for public comment in the near future. IPsec will be discussed in a new draft publication: SP 800-194, Cryptographic Recommendations for the Internet Security Protocol (IPsec) and Internet Key Exchange (IKE), which will also be available for public comment soon.
NIST urges all users of TDEA to migrate to AES as soon as possible.
NIST is developing a draft deprecation timeline for the 3-key variant of TDEA including a sunset date.
NIST requests comments on the current plan described in this announcement, including suggestions for the deprecation timeline.
Comments may be sent to TDEA_Deprecation@NIST.gov by 10/1/2017.