From: Robert Baskerville
Subject: Triple DES keys
Date: Fri, 6 Dec 2002 13:02:31 +0000
X-Mailer: KMail [version 1.3.2]
Organization: rarely any

> I would like to know the key-length used for 3DES data encryption in
> openssh.

Triple-DES uses a 168-bit key (3 x 56).

DES keys are 56 bit. When you feed the key into the algorithm, you use a
64-bit value, but the extra 8 bits are "parity bits" in theory but rarely
used. The parity bits were added to DES in order to make it less obvious
that the key length was being reduced deliberately. Or maybe I'm just
cynical :-)

There is no such thing as "128-bit Triple-DES" :-)

The 168-bit key can be made from either TWO different 56-bit keys or THREE
different 56-bit keys.

The encryption uses standard DES three times, encrypt operation with key1,
decrypt operation with key2, encrypt operation with key3.

In the two-different-key version, key1 and key3 are the same.

The reason for the E-D-E is that by setting key1 = key2 = key3 the same
software can without modification give you single DES encryption for
backwards compatibility. Of course, you won't be using this if you have
any sense (all the processor overhead of 3DES without ANY of the strength

> Also, I am interested in the export regulations concerning openssh in
> USA.

That's complex, but easy to cope with.

IMPORTING it to the USA is OK. If you want it outside the USA, get it from
outside the USA (ie avoid exporting it because the regulations are complex
and rediculous)

> the sshd man page states 128 bit key used for 3DES.

Hmmm. Not what my copy says. If it claims 128-bit 3DES, it is simply wrong

The other thing which may confuse is that even with 3 different keys 3DES
has only really got a "strength" of 112 bits. That's because the best
attack against double-DES (which requires stupidly large amounts of
memory, but is possible in principle) is an attack which works from both
ends. This results in double-DES only being approx 1-bit stronger (ie
insignificantly stronger) than DES (if you are able to find enough memory
to use this attack). This attack is defeated by adding the third DES
operation. (And if 3DES was ever too weak for you, you'd be wanting 5DES
rather than 4DES etc).

On the plus side, it has been proved that 3DES *is* stronger than DES.
[Just adding extra rounds doesn't necessarily make things stronger.
Triple-ROT13 anyone? If an algorithm forms a group over its keys then
N-rounds with N-different-keys can still be boiled down to a single round
with a single key and are therefore no harder to bruteforce than a single
round. Luckily DES doesn't form such a group. Apologies if this sounds
like gibberish;]

Robert Baskerville

Date: Mon, 09 Dec 2002 10:31:48 -0800
From: Michael Sierchio
CC: Rick Moen,
Subject: Re: 3DES key-length for data authentication wrote:

>The effective keylength of Triple-DES is 112 bits. I don't recall the
>rationale for this now - it should be available in all the usual
>places; e.g. google, "triple-DES effective keylength".

The meet-in-the-middle time-memory trade-off attack (Cf. Merkle-Hellman)
is a chosen plaintext attack, so it's applicable only if the adversary
can mount such an attack -- not likely in a VPN, probably likely in an
encrypted file system. It's easiest to describe for double DES --
Merkle-Hellman allows for breaking double DES with 2 keys in 2^(n+1)
chosen plaintext encryptions, rather than the 2^2n you might expect.
Merkle-Hellman breaks 3-DES-CBC-EDE-3K in 2^2n steps and requires 2^2n
blocks of memory.

The effective key length if the adversary can mount a CPA against
3-DES-CBC-EDE-3K is 112 bits. If the adversary cannot mount the MITM
attack, the effective key length is 168 bits.

In the case of using triple DES for SSH or SSL operations, my educated
guess is that it actually does provide 168 bits worth of key strength.