How does 3DES work, and what is the actual security difference between 3DES with 2 keys vs 3 keys?
3DES with 2 keys (EDE mode, 112-bit key) provides roughly $2^{60}$ actual security. 3DES with 3 keys (168-bit key) provides about $2^{112}$ security — much stronger but still not what the key size suggests.
* 3DES runs Encrypt–Decrypt–Encrypt; setting all three keys equal collapses it to single DES for legacy compatibility. *
3DES with 2 keys ($K_1, K_2$):
- Encrypt-Decrypt-Encrypt: $C = E_{K_1}(D_{K_2}(E_{K_1}(M)))$
- Nominal key: 112 bits → expected brute force $2^{112}$
- Actual security: ~$2^{60}$ operations + $2^{60}$ storage (chosen-plaintext TMTO)
- The security gain over single DES is real but not substantial
3DES with 3 keys ($K_1, K_2, K_3$):
- $C = E_{K_1}(D_{K_2}(E_{K_3}(M)))$
- Nominal key: 168 bits → expected brute force $2^{168}$
- Actual security: ~$2^{112}$ (meet-in-the-middle reduces it)
- Much stronger than the 2-key variant
- 112 bits is considered sufficient until 2030
Why use Decrypt (D) in the middle? For backward compatibility — if $K_1 = K_2 = K_3$, then 3DES reduces to single DES: $E_K(D_K(E_K(M))) = E_K(M)$.
Bottom line: With AES available (128/256-bit keys, faster, no meet-in-the-middle vulnerability), multiple-DES is no longer necessary. 3DES is allowed until 2030 but AES is the standard.
Go deeper:
Triple DES (Wikipedia) — EDE mode, 2-key vs 3-key, and the 2030 sunset.