NIST recently published a document "Transitioning the Use of Cryptographic Algorithms and Key Lengths" which formalizes the sunset of Triple DES by the end of 2023. Afterwards it will only be recommended for legacy use which means decryption only.
Triple DES (aka TDEA/TDES) is used to protect Web Sites, Virtual Private Networks, remote sessions, e-commerce transactions, and more. TDES is embedded in the hardware of commercial and consumer products including network gear like routers, firewalls, VPNs, and load balancers; and computers like servers, PCs, and laptops. TDES hardware is also widely deployed in the core infrastructure of the financial industry. It powers Point-of-Sale terminals and PIN pads, ATM/ABMs, gas pumps, kiosks, Host Security Modules (HSMs), and more. TDES is supported in standards including ISO, ANSI, and PCI. And there are also many standard mechanisms built upon TDES. It's safe to say that the investment in TDES can be measured in the billions of dollars.
All of these standards bodies have been working diligently on updating everything built upon TDES. Industry has known for a long time that AES would replace TDES. As a result a lot of commercial information security gear has supported both TDES and AES in parallel. Extensive hardware upgrades should not be required. However, much of the migration costs will be on the so-called "soft" side in activities like management, configuration, and transition. The financial industry has additional challenges as changing financial cryptography requires a far more deliberate and careful approach to ensure they comply with a broad range of regulations and standards.
And while they often follow NIST guidance, it's a fairly safe bet that the financial industry will not want to replace or mitigate all of this kit quickly. So this raises some questions:
- When (not if) they will follow NIST to deprecate TDES?
- What will their guidance be?
If the financial industry chooses to deviate from NIST and delay sunset there is justification. We've previously recommended considering the strength of use-cases in transition planning and prioritization [See 2]. It is important to remember that while TDES has been deprecated as a general purpose cipher that some use-cases are inherently safer. We know that some of the financial industry's most widely deployed use-cases are safer. So delaying the sunset of these use-cases is neither unreasonable nor unjustified.
- NIST published (SP) 800-131A Revision 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths. Details: https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final
- Article discussing the implications to TDES and PCI: NIST Moves on Sweet32 – 3DES, Blowfish, and Others – Mostly Unsafe https://controlgap.com/blog/nist-moves-on-sweet32/
- AES was developed as a replacement for DES. It was standardized in 2001 and includes both stronger keys and stronger block lengths. See https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
- Triple DES (aka TDES, TDEA, and 3DES) was a clever way of strengthening and extending DES by using double and triple length keys to drive three encryption rounds. The design facilitated transition from DES using a single key mode. It was introduced in 1995. See https://en.wikipedia.org/wiki/Triple_DES
- Single DES was developed from 1973 and approved as a standard in 1976. An effort by EFF broke DES by brute force attack in 1998. See https://en.wikipedia.org/wiki/Data_Encryption_Standard#Chronology