Eli Biham and Lars Knudsen have exposed a theoretical weakness in a mode
of operating Triple-DES called Cipher Block Chaining with Output
Feedback Masking (CBCM) [1].  While of theoretical interest, however,
the attack is not practical.  Triple DES has not been broken and its
security has not been compromised.

The authors outline two basic attacks.  One requires 2^65 blocks of
chosen ciphertext (i.e., you pick the ciphertext and request the
plaintext from the person whose messages you're trying to break).  Even
ignoring the prospects of getting the plaintext for chosen ciphertext at
all, if I've done my math right, that's about 1 billion terabytes of
data that must be acquired from a single message.  I can't even imagine
the download time :-)

The other attack requires that you get a known plaintext block encrypted
under 2^33 (about 10 billion) variants of one of the three keys.  You,
of course, do not know that key or the others, but you must be able to
control exactly how these variants are formed.  Thus, this can be
regarded as a chosen-key attack of sorts (the authors call it a
"related-key" attack).  Then you crack that one key.  The second key is
cracked with a chosen ciphertext attack and the third key by brute
force.

The time requirements for the attacks are not much more than for
breaking single DES, but the chosen ciphertext and chosen key
requirements are the show stoppers.  To pull these off, you really must
have access to the encryption process, as it is unlikely your adversary
will be a willing accomplice.  But if you can get that kind of access,
you can probably get plaintext and keys by much simpler methods.  Folks
like Eric Thompson at AccessData Corp. do this all the time.

Even though the attack is not realistic, the ANSI working group pulled
that particular CBCM mode from the X9.52 standard because of public
perception and potential lost confidence in Triple DES.

Dorothy Denning
April 3, 1998


[1] http://www.cs.technion.ac.il/%7Ebiham/publications.html