
Which one is more secure and least likely to be broken through cryptanalysis, AES or 3DES (performance aside)?

I need to use encryption in my projects to store and secure sensitive information, which includes bank accounts, sort codes, and third-party bank-related data. I am currently considering using 3DES in CFB mode, but I am not very sure whether it is the best option and what the alternatives are.

I know the title does not give much idea what the question is about, but I couldn't think of something better.

DaGhostman Dimitrov (asker); edited by makerofthings7

2 Answers

Go for AES.

AES is the successor of DES as the standard symmetric encryption algorithm for US federal organizations. AES uses keys of 128, 192 or 256 bits, although 128-bit keys provide sufficient strength today. It uses 128-bit blocks, and is efficient in both software and hardware implementations. It was selected through an open competition involving hundreds of cryptographers over several years.

DES is the previous "data encryption standard" from the seventies. Its key size is too short for proper security. The 56 effective bits can be brute-forced, and that was done more than ten years ago. DES uses 64-bit blocks, which poses some potential issues when encrypting several gigabytes of data with the same key.

3DES is a way to reuse DES implementations, by chaining three instances of DES with different keys. 3DES is believed to still be secure because breaking it requires 2^112 operations, which is not achievable with foreseeable technology. 3DES is very slow, especially in software implementations, because DES was designed for performance in hardware.

Resources:
  • http://www.differencebetween.net/technology/difference-between-aes-and-3des
  • http://www.icommcorp.com/downloads/Comparison%20AES%20vs%203DES.pdf (offline, still in the Web Archive)

Cristian Dobre (answer author); edited by forest

Comments:
  • [AES and other NIST standards aren't very good in software](http://www.imperialviolet.org/2012/10/21/nist.html) – Andrei Botalov Jan 02 '13 at 20:17
  • @AndreyBotalov: for the case of AES, this is a quite biased view. At the time of the AES selection process (I was there!), after having assembled lots of analysis to the effect that 13 of the 15 candidates looked "rock solid", a lot of performance measurements were done, and Rijndael was one of the "fast" ciphers. Actually it was the one which was the most consistently fast across many architectures, and that was very instrumental in its choice. RC6 was faster _on a PC_, but a PC is the last platform to have real encryption performance issues. AES beats RC6 on smartcards and small ARM/MIPS. – Thomas Pornin Jan 03 '13 at 21:12
  • Plus we now have AES extensions in modern processors, which can massively increase the speed of the cipher. – Polynomial Jan 10 '13 at 09:16

Neither 3DES nor AES is breakable with current technology (nor with foreseeable technology). However, you may encounter some security issues with 3DES if you encrypt more than about 32 gigabytes of data with a single key, whereas the limit is much higher with AES. This is due to the block size: 3DES uses 64-bit blocks, which can lead to trouble after processing 2^(64/2) blocks, i.e. 32 gigabytes; AES uses 128-bit blocks, for a limit of 2^(128/2) blocks, i.e. 2^68 bytes, also known as "quite a lot of data".

Since AES is also noticeably faster than 3DES, there is little reason to use 3DES for new designs.

Thomas Pornin (answer author); edited by forest

Comments:
  • Thanks, I learned a new technical term today. "Quite a lot of data" –  Dec 30 '12 at 00:12
  • +1 for "quite a lot of data." [According to WolframAlpha](http://www.wolframalpha.com/input/?i=2%5E68+bytes), 2^68 bytes of data is approximately 20 times the information content of "all human knowledge." – Reid Dec 30 '12 at 00:42
  • It should be 2^64 – Andrei Botalov Jan 02 '13 at 20:13
  • @AndreyBotalov: it is 2^64 _blocks_, and each block is 16 bytes (2^4), hence 2^68 _bytes_. – Thomas Pornin Jan 02 '13 at 21:28
  • Can someone explain what kind of "trouble" one runs into after 2^(64/2) with a 64-bit block size? – Fahad Yousuf May 04 '14 at 07:44
  • @FahadYousuf Because of the Birthday Problem, once you encrypt sqrt(2^n) blocks, you have a 50% chance of a collision – Cole Tobin Oct 15 '15 at 19:33
  • (and foreseeable technology as well): is it still true with quantum computing? I heard quantum computers could break it more easily. BTW what's best for a CA private key? – Vinz243 Aug 14 '16 at 15:25
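The birthday-bound arithmetic behind the "32 gigabytes for 64-bit blocks, 2^68 bytes for 128-bit blocks" figures in this answer and the comment about sqrt(2^n) blocks, as an added worked example (not code from the original post). `block_limit_bytes` and `collision_probability` are names chosen here; the probability uses the standard birthday approximation p ≈ 1 - exp(-k(k-1)/(2·2^n)) for k blocks of n bits.

```python
import math

# Added example (not from the original answers): how many bytes one key can
# process before ciphertext block collisions become likely, for 3DES (64-bit
# blocks) versus AES (128-bit blocks), and the collision probability for a
# given data volume.


def block_limit_bytes(block_bits: int) -> int:
    """Bytes processed when about 2^(n/2) blocks have been seen under one key,
    i.e. the birthday bound the answer quotes (32 GiB for n=64, 2^68 for n=128)."""
    blocks = 2 ** (block_bits // 2)      # sqrt(2^n) blocks
    return blocks * (block_bits // 8)    # times bytes per block


def collision_probability(block_bits: int, n_bytes: int) -> float:
    """Approximate probability that at least two of the blocks produced from
    n_bytes under a single key are equal (birthday approximation)."""
    k = n_bytes // (block_bits // 8)     # number of n-bit blocks
    if k < 2:
        return 0.0
    exponent = (k * (k - 1)) / 2 / (2 ** block_bits)
    return -math.expm1(-exponent)        # 1 - exp(-x), accurate for tiny x


def compare(n_bytes: int) -> dict:
    """Collision probability for the same volume under 3DES and AES."""
    return {"3DES": collision_probability(64, n_bytes),
            "AES": collision_probability(128, n_bytes)}


if __name__ == "__main__":
    gib = 2 ** 30
    print("3DES block limit:", block_limit_bytes(64) // gib, "GiB")
    print("AES  block limit: 2^%d bytes" % (block_limit_bytes(128).bit_length() - 1))
    for size in (1 * gib, 32 * gib, 1024 * gib):
        print("%5d GiB: %s" % (size // gib, compare(size)))
```

At the 32 GiB mark the 3DES collision probability is already about 39%, while the AES figure for the same volume is below 10^-20.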