
I am no expert in this area but after some searching I am not too sure about the solution.

An external vendor doing a penetration test on our server reported that we have TLS_RSA_WITH_3DES_EDE_CBC_SHA with 112 bits enabled and reported that as a threat. I have read that such ciphers can be disabled from the Microsoft site (we are on Windows Server 2008), which is great, but after reading a bit more about what this means on a forum I see that it is a downgrade from 168 due to a vulnerability.

Extract:

I'm not a crypto-nerd but if I read this explanation correctly that particular cipher has an effective security of 112 bits but if the encryption is achieved by using 3 56-bit keys (3 × 56 = 168)

Answer:

"One might expect that 3TDEA would provide 56×3 = 168 bits of strength. However, there is an attack on 3TDEA that reduces the strength to the work that would be involved in exhausting a 112 bit key"

I can confirm that SSLLabs do in fact rate this cipher to be 112 not 168, which I presume is due to the vulnerability.

In this forum entry it is mentioned to be related to OpenSSL:

As an update, as of the June 20 snapshot of the OpenSSL codebase, the reported strength of the 3DES Cipher Suites is now 112 bits instead of 168.

Ok. If this is correct, then can this downgrade only apply to certificates issued with OpenSSL? I am not sure what the exact vulnerability is that is causing the downgrade to 112.

Either way, what is the actual approach to disable this? Should I set the registry key (Enabled = 0x0) under the following subkeys?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 112/112

or:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168

or both, or something else?

I cannot apply the change myself as I do not have permissions on these servers, but I need to instruct the person who will make the change.

aqwert

2 Answers

You should disable all triple DES ciphers because 192-bit triple DES keys only have about 112 bits of security and 128-bit triple DES keys have even less than 112 bits of security, rather around 80 bits for the best attacks. Furthermore, triple DES only has a 64-bit block size, which is detrimental to security as well.

There is a difference between the key size in memory, including overhead like parity bits (192 bits), the bits of the key actually used (168 bits), the intended security of the key (112 bits) and the actual security given the attacks possible on the cipher (still 112 bits). The figures between parentheses are for triple DES keys (DES ABC). For double DES keys you will come to 128 bits / 112 bits / 112 bits and 80 bits.

AES-128 has an actual security of over 126 bits (128 bits encoded, 128 bits actual and 126 bits of security), so it should be strongly preferred. It's also much faster than 3DES and is widely supported, so disabling 3DES altogether should be the preferred option, unless you are certain that clients will fail.

In general you should try and achieve a security of around 128 bits or over.


Maarten Bodewes
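An added example, not from the question or either answer, that applies the advice above (disable all triple DES) using the Windows Server 2008 SCHANNEL key names the question quotes. It deliberately goes through the .NET registry API rather than `New-Item`/`Set-ItemProperty`, because PowerShell's registry provider reads the "/" in "Triple DES 168/168" as a path separator and would create nested keys instead.

```powershell
# Added example (not from the page). Assumes the SCHANNEL cipher key names quoted in the
# question; they are the Windows Server 2008 names and differ on later Windows versions.
$cipherRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$tripleDesKeys = @('Triple DES 168/168', 'Triple DES 112/112')

function Disable-SchannelCipher {
    param([Parameter(Mandatory=$true)][string]$CipherName)
    # CreateSubKey opens the key if it exists and creates it otherwise (needs admin rights).
    # Using the .NET API keeps the "/" in the name literal instead of splitting the path.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$cipherRoot\$CipherName")
    # Enabled = 0 (REG_DWORD) tells SCHANNEL not to offer or accept this cipher.
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Get-SchannelCipherState {
    param([Parameter(Mandatory=$true)][string]$CipherName)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$cipherRoot\$CipherName")
    if ($null -eq $key) { return 'no key: not configured, OS default applies' }
    $value = $key.GetValue('Enabled')
    $key.Close()
    if ($null -eq $value) { return 'key present, Enabled not set: OS default applies' }
    if ($value -eq 0)     { return 'disabled' }
    return 'enabled (Enabled = 0x{0:X8})' -f $value
}

foreach ($name in $tripleDesKeys) {
    Disable-SchannelCipher -CipherName $name
    '{0}: {1}' -f $name, (Get-SchannelCipherState -CipherName $name)
}
# SCHANNEL reads these keys at startup, so the change only takes effect after a restart.
```

Run it once as an administrator, restart the server, then re-test from outside (for example with SSL Labs, as in the question) to confirm the 3DES suites are no longer offered.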

Maarten's answer is excellent, but to expand on it a bit, you may want to read up on Meet-in-the-Middle attacks. The idea is, when you have a cryptographic cipher that consists of performing the same operation with two different keys in opposite directions, you can effectively search the key space from both directions at once, storing results (requires enough space to store every possible key value) and looking for matches. This greatly reduces the search time (at the cost of hugely increasing the amount of memory space needed to perform the search).

Both forms of 3DES - ABA and ABC - use this "one key goes one direction, another key goes the other direction" approach. The third pass provides some protection, even when just using the first key over again (ABA mode); without the third pass, an attacker with a lookup table of size 2^56 can break "double-DES" in 2^57 operations (worst-case, each possible key both directions), which is only twice as many operations as breaking single-DES (now possible in about a day of work for dedicated hardware). However, this ABA scheme has been found to be weaker than originally expected. ABC mode, to the best of our knowledge, preserves the effective full strength of twice a DES key (even though it requires three DES keys).

It's also worth noting that 112 bits, or even 80 bits, are still very large search spaces (and 56 bits is a hell of a lot of memory; you'd need thousands of today's hard disks to hold it). While it's definitely a good idea to move to ciphers with a minimum effective strength of 128 bits, especially for anything that you want to keep safe in the long term, there are very few if any* entities in the world today (maybe the NSA and its ilk) that can break an 80-bit cipher in a reasonable time, and none* that can break 112 bit ciphers (which are about 4 billion times as difficult).

*To the best of our knowledge, at least...

CBHacking
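An added example, not from the answer, that runs the meet-in-the-middle attack described above against double DES. The key space is a constructed, shrunken one: only the last two bytes of each 64-bit key vary (2^16 candidates per key instead of 2^56), so it finishes in well under a minute while keeping the attack's shape: 2^16 encryptions stored in a lookup table plus at most 2^16 decryptions, instead of the 2^32 trials a naive search over both keys would need.

```powershell
# Added example (not from the page): meet-in-the-middle against double DES on a
# constructed key space of 2^16 keys per stage, using .NET's DES for the block operations.
function New-DesKey([int]$Index) {
    # Constructed key pattern: six fixed bytes (not a DES weak-key pattern), two varying bytes.
    $k = [byte[]](0x13, 0x57, 0x9B, 0x24, 0x68, 0xAC, (($Index -band 0xFF00) / 256), ($Index -band 0xFF))
    return ,$k
}
function Invoke-DesBlock([byte[]]$Key, [byte[]]$Block, [switch]$Decrypt) {
    # One raw DES block operation (ECB, no padding) on an 8-byte block.
    $des = [System.Security.Cryptography.DES]::Create()
    $des.Mode = [System.Security.Cryptography.CipherMode]::ECB
    $des.Padding = [System.Security.Cryptography.PaddingMode]::None
    $des.Key = $Key
    $t = if ($Decrypt) { $des.CreateDecryptor() } else { $des.CreateEncryptor() }
    $out = $t.TransformFinalBlock($Block, 0, 8)
    $des.Clear()
    return ,$out
}
function Find-DoubleDesKeys([byte[]]$Plain, [byte[]]$Cipher, [int]$KeySpace = 65536) {
    # Step 1: encrypt the known plaintext under every candidate K1 and index the results.
    $table = @{}
    for ($i = 0; $i -lt $KeySpace; $i++) {
        $mid = Invoke-DesBlock (New-DesKey $i) $Plain
        $tag = [BitConverter]::ToString($mid)
        $table[$tag] = $i
    }
    # Step 2: decrypt the ciphertext under every candidate K2; a table hit is (K1, K2).
    # (A real attack confirms a hit against a second plaintext/ciphertext pair.)
    for ($j = 0; $j -lt $KeySpace; $j++) {
        $mid = Invoke-DesBlock (New-DesKey $j) $Cipher -Decrypt
        $tag = [BitConverter]::ToString($mid)
        $hit = $table[$tag]
        if ($null -ne $hit) { return @{ K1 = $hit; K2 = $j } }
    }
    return $null
}

# Constructed target: one block double-encrypted under two secret key indexes.
$secretK1 = 0x4A2F; $secretK2 = 0x1C33
$plain = [byte[]](0x53, 0x43, 0x48, 0x41, 0x4E, 0x4E, 0x45, 0x4C)   # "SCHANNEL"
$cipher = Invoke-DesBlock (New-DesKey $secretK2) (Invoke-DesBlock (New-DesKey $secretK1) $plain)
$found = Find-DoubleDesKeys $plain $cipher
'Recovered K1=0x{0:X4} K2=0x{1:X4} (secret: 0x{2:X4}, 0x{3:X4})' -f $found.K1, $found.K2, $secretK1, $secretK2
```

The table holds one 8-byte value per candidate K1, which is why the answer stresses memory: for the real 2^56 key space that table is the "thousands of hard disks" mentioned above.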