A method of
data encryption, namely the use of
DES twice in a row. Be P the
plaintext message, k
1 and k
2 two DES keys, then the result of double DES is the
ciphertext C = DES(DES(P,k
1),k
2).
As everybody proficient in cryptography knows, DES is not safe due to its fixed keylength of 56 bit, which is nowadays too little to be resilent against brute force attacks.
Unfortunately, double DES does not alleviate this problem - it's not much safer than a hypothetical DES with 57 bit keys, which is entirely too little. The reason why it doesn't offer the equivalent of 112 bit encryption that one might naively expect is its
vulnerability to a so-called meet-in-the-middle attack.
It works like this:
- For every possible DES key ki,
compute Mi = DES(C,ki) and store the tuple (Mi, ki).
- Loop again through all possible DES keys kj and compute Nj = DES-1(C,kj). Check whether Nj is the same as one of your stored
Mi. If you find a match, it's pretty likely likely that you've just found the two keys you're looking after!
Since the comparison in step two can be done in more or less constant time using
hashing, you basically only have to go through all possible DES keys twice, resulting in the
effective key lenght of 57 bit.
Of course, step one requires a godawful amount of storage, but if you just store a hash of Mi and recompute the full ciphertext for the (still very few) matches, it shrinks to something that might be feasible in the not-so-far future: roughly one Exabyte for a hash size of 64 bit, which should be sufficient to avoid false matches in nearly all cases.
This is the reason why people use triple DES instead, which provides an effective key lenght of about 108 bit (not the 3*56 bit you might expect for the same reason described above).