1. Home
2. Questions
3. Unanswered
4. AI Assist Labs
5. Tags
7. Chat
8. Users
10. Companies
Teams

Ask questions, find answers and collaborate at work with Stack Overflow for Teams.
Try Teams for free Explore Teams
Teams
Ask questions, find answers and collaborate at work with Stack Overflow for Teams. Explore Teams

Return to Answer

Clarification on encryption limit

Source Link

edited 13 hours ago

3.6k
4
30
45

The Sweet32 attack doesn't necessarily require a large amount of data to be encrypted with the same key to be successful. While the average-case does require $2^{36.6}$ blocks (776 GiB) of ciphertext, researchers have found collisions with as few as $2^{20}$ blocks (8 MiB). NIST recommends not using 3DES for any scenario where more than $2^{20}$ blocks are encrypted with a single key.

DES is also rather difficult to secure in contexts where hardware side-channel attacks are in scope, for example in embedded devices. Certain implementations may be vulnerable to cache timing side-channel attacks against the S-box. Power analysis and EM side-channel analysis are quite effective against DES for a number of reasons, not least of which that leaking a few bits of the key is more impactful when small key sizes are used. It is possible to implement DES, and thus 3DES, in a manner that frustrates these side-channel attacks, but it is a non-trivial undertaking and it isn't that unusual to find that even EMV systems get it wrong. See Heyszl et. al. (2020) for a review of such attacks.

The Sweet32 attack doesn't necessarily require a large amount of data to be encrypted with the same key to be successful. While the average-case does require $2^{36.6}$ blocks (776 GiB) of ciphertext, researchers have found collisions with as few as $2^{20}$ blocks (8 MiB). NIST recommends not using 3DES for any scenario where more than $2^{20}$ blocks are encrypted.

DES is also rather difficult to secure in contexts where hardware side-channel attacks are in scope, for example in embedded devices. Certain implementations may be vulnerable to cache timing side-channel attacks against the S-box. Power analysis and EM side-channel analysis are quite effective against DES for a number of reasons, not least of which that leaking a few bits of the key is more impactful when small key sizes are used. It is possible to implement DES, and thus 3DES, in a manner that frustrates these side-channel attacks, but it is a non-trivial undertaking and it isn't that unusual to find that even EMV systems get it wrong. See Heyszl et. al. (2020) for a review of such attacks.

The Sweet32 attack doesn't necessarily require a large amount of data to be encrypted with the same key to be successful. While the average-case does require $2^{36.6}$ blocks (776 GiB) of ciphertext, researchers have found collisions with as few as $2^{20}$ blocks (8 MiB). NIST recommends not using 3DES for any scenario where more than $2^{20}$ blocks are encrypted with a single key.

DES is also rather difficult to secure in contexts where hardware side-channel attacks are in scope, for example in embedded devices. Certain implementations may be vulnerable to cache timing side-channel attacks against the S-box. Power analysis and EM side-channel analysis are quite effective against DES for a number of reasons, not least of which that leaking a few bits of the key is more impactful when small key sizes are used. It is possible to implement DES, and thus 3DES, in a manner that frustrates these side-channel attacks, but it is a non-trivial undertaking and it isn't that unusual to find that even EMV systems get it wrong. See Heyszl et. al. (2020) for a review of such attacks.

Source Link

answered 19 hours ago

3.6k
4
30
45

The Sweet32 attack doesn't necessarily require a large amount of data to be encrypted with the same key to be successful. While the average-case does require $2^{36.6}$ blocks (776 GiB) of ciphertext, researchers have found collisions with as few as $2^{20}$ blocks (8 MiB). NIST recommends not using 3DES for any scenario where more than $2^{20}$ blocks are encrypted.

DES is also rather difficult to secure in contexts where hardware side-channel attacks are in scope, for example in embedded devices. Certain implementations may be vulnerable to cache timing side-channel attacks against the S-box. Power analysis and EM side-channel analysis are quite effective against DES for a number of reasons, not least of which that leaking a few bits of the key is more impactful when small key sizes are used. It is possible to implement DES, and thus 3DES, in a manner that frustrates these side-channel attacks, but it is a non-trivial undertaking and it isn't that unusual to find that even EMV systems get it wrong. See Heyszl et. al. (2020) for a review of such attacks.