.NET And Triple DES Security
page 1 of 8
Published: 21 Sep 2004
Unedited - Community Contributed
Triple DES has grown into an industry standard in terms of encrypting and decrypting data. In this article we'll cover a very shallow layer of the history and methodology of Triple DES and show how to implement Triple DES in our .NET applications. This article will dig a little deeper than some care to go for those readers that are just learning how to use encryption in their applications and aren't satisfied with saying "it just works."
by Kay Lee
Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 53614/ 160

What Is Triple DES?

[ Download Code ] | [ Download Help ]

A Little History

Data Encryption Standard (DES) was originally called Lucifer.  The first publicly known version of DES was introduced by IBM in 1974.  It was submitted to the National Institute of Standards and Technology (NIST) as a cryptographic algorithm for protecting information.  Its purpose was not for the more top secret of information.  It was submitted in cases where only a frugal security measure was needed.  After being modified by the National Security Agency (NSA - Big Brother) in 1976, it was renamed to Data Encryption Standard (DES).  In 1977, it was introduced to the population, and that's when the battle began over DES.  In 1997, NIST abandoned DES, and searched for a new standard called Advanced Encryption Standard (AES).  The growing need for security caused the need for an enhancement to make DES a worthy algorithm in systems where an overhaul was not logical due to many legacy systems.


What Is DES?

DES is a private-key encryption that encrypts and decrypts data in 64 bit blocks.  It's been proven that the DES algorithm is only 56 bit strong because of the way it calculates the bits (only 7 of the bits are used therefore making the key only 56 bits in reality rather than 64).  The DES algorithm is iterated 16 times to achieve its goal.  What makes DES difficult to break by brute force is that the security of the algorithm is said to be exponentially increased per iteration.  The benefits of those implementing DES as their encryption method is that it's decrypted in almost the same fashion it's encrypted.  Making the decrypt method similar enough to share the same supporting methods gives the application a less complicated set of processing instructions.

The weakness in DES is in the collisions (similar outputs between the iterations).  These weaknesses become evident when you notice groups formed while brute force attacking.  Even though we talk about a potential hack, we must focus on the fact that the potential may not be feasible in most scenarios.  Everything is breakable, but will take a considerable amount of time (sometimes years) of constant processing.  The best way to gauge your security is in the type of data you're encrypting and the scale of deciphering your encryption. Furthermore, it's highly advised to avoid using the same private key for every encryption.  By jumbling up the keys used, you will avoid having a break-one break-all scenario.

What is Triple DES?

Triple DES was brought out after the fall of DES as the standard encryption practice.  Since a lot of companies and agencies utilized DES to store sensitive data, it wasn't feasible to alter the means of encryption completely as it would affect current data accumulated over several years.  Triple DES is the same series of DES iterations but is most commonly Encrypt-Decrypt-Encrypt (EDE) per iteration.  With three keys, the application will encrypt with the first key, decrypt with the second key, and encrypt again with the final key.  You may utilize only two separate keys, but it’s advised to keep all three keys completely different to maximize the security of the encryption. 

As mentioned previously, DES will run through 16 iterations to achieve its desired cipher text (final output).  With Triple DES, it will Encrypt-Decrypt-Encrypt the block and a completely different output is generated with a final combination.  It’s said that the security is 192 bit encryption, but also argued that regardless of the keys, the security is only 168 bit.  This debate is clearly beyond the scope of this article/writer. If you wish to participate with the scientists in their discussions, it’s your humility at stake.  It's a safe bet that Triple DES is exponentially stronger than the previous DES.


Why should I use Triple DES when it’s not the most secure?

In applications development, it is almost impossible to do everything with the most secure, proper, and advanced edge.  When you factor in scalability as well as overall performance, you must find a middle ground between all factors.  The more complex encryption you use the longer it will take to execute per request.  Even though Triple DES is not as secure as AES (Rijndael), it is a very powerful encryption that is more than enough for our everyday to enterprise applications.  As a developer, you should always evaluate what are the pro’s and con’s of a technology prior to utilizing it.  It will save you hours to days in creating work-around methods and poor explanations.
Triple DES is not as fast as its ancestor DES, but it is faster than the other complex algorithms.  The implementation is not difficult and can be very flexible and concrete with the right methods.  The following excerpt describes the feasibility of the possible hack of a Triple DES implementation.

"One thing to remember is that in cryptography there's a difference between a theoretic attack and a real one. Let's suppose, for example, I came up with an attack that needed 2^80 cipher blocks, and then could always make three-key Triple DES be no stronger than 112 bits.
That's worthy of publication, but it's not practical. A tera block (eight terabytes) is 2^40 blocks. With this attack, you need eight-tera-tera-bytes of memory and a CPU that can address that much. Also, you could defend against this attack by re-keying after a mere few million terabytes of data."

It might not be the best encryption on a broad theoretical situation, but for what you will probably need to do, it is usually better than what you actually need.

In the next page, we'll cover the sample code.  To see it in it's entire solution, just download the code, and open the files in your favorite editor (Visual Studio .NET 2003 right?).

View Entire Article

User Comments

Title: Hai   
Name: mangala
Date: 2008-07-22 7:54:10 AM
Title: Public Key   
Name: Joe Grant
Date: 2006-12-08 12:12:50 PM
How would one go about create a public key to share with someone so they can decrypt without sharing the private key?
Title: Excellent coverage of TripleDES   
Name: Sam
Date: 2005-08-02 9:11:49 PM
Great stuff... simple but with enough background information to understand the important elements eg. PK, IV, Cipher etc. I will be using parts of it in my enterprise application.
Title: triple des   
Name: Josh
Date: 2004-10-13 10:12:45 PM
we've been looking at different encryption methods in class and lectures have been so boring. i decided to search around and found your article to be a great practical implementation. i wish my class would provide us with pratical examples like this. Thanks.
Title: Thanks   
Name: Kay Lee
Date: 2004-10-13 6:42:03 PM
Thanks. I'm glad you like it, and I hope the source works well for you.
Title: Triple DES Encryption   
Name: Brian Chiasson
Date: 2004-10-12 3:35:52 PM
Excellent article. I have been looking for a couple of hours for something on encryption. It shed light on the subject and provided me with useful code for my intranet application. Thanks a million...

Community Advice: ASP | SQL | XML | Regular Expressions | Windows

©Copyright 1998-2017 ASPAlliance.com  |  Page Processed at 2017-03-23 4:16:05 PM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search