Advanced Authentication response to NIST's deprecation of 3DES Encryption as a compliance issue (2024)

In March 2019, NIST announced that it was retiring the 3DES encryption algorithm. The retirement is staged: the algorithm was first deprecated, with disallowance set for December 2023. This change may impact customers who adhere to NIST standards. You can find the updated NIST guidelines here.

Advanced Authentication has been replacing 3DES in some areas of the solution. This includes, for example, moving to TLS 1.2, which uses AES256 for encryption. The 3DES algorithm has been removed except for the encryption of the various credentials when they are stored in the database and inside the AuthID. There are no plans at this time to change the encryption algorithm in these areas.

To mitigate the use of 3DES for credential storage, Broadcom recommends that customers enable the database's Transparent Database Encryption (TDE) feature. TDE can encrypt the entire database with the AES256 algorithm and prevent any exposure of data that was initially encrypted with 3DES by Advanced Authentication. This capability is supported by both Microsoft and Oracle.

The AuthID credential has two components, one on the server and one on the device. The key on the server is encrypted with 3DES in the database, as with the other credentials. This can be mitigated by the TDE feature described above. On the device, the AuthID is further protected by our patented cryptographic camouflage feature, which is used in combination with the encryption algorithms to protect the private key. Mobile OTP and PUSH credentials, as well as Risk Authentication, are not affected by the NIST guidelines as long as TDE is implemented.

Final decisions on the usage of Advanced Authentication and the AuthID should be made in consultation with the security team of your organization.

For any questions or concerns you can reach out to the Support team.


FAQs

Is 3DES deprecated by NIST?

This CVE, combined with the inadequate key size of 3DES, led to NIST deprecating 3DES in 2019 and disallowing all uses (except processing already encrypted data) by the end of 2023.

Is 3DES encryption deprecated?

About Triple DES or 3DES

Effective as of the final publication of this revision of SP 800-131A, encryption using three-key TDEA is deprecated through December 31, 2023, using the approved encryption modes.

Why is 3DES or Triple DES officially being retired?

Even Triple DES Isn't Always Sufficient Protection

But even Triple DES was shown to be ineffective against brute-force attacks (in addition to slowing down the system notably). According to draft guidance published by NIST on July 19, 2018, TDEA/3DES is officially being retired.

What are the vulnerabilities of Triple DES encryption?

Triple DES is a block cipher that is still recognized as secure, but deprecated. It has multiple vulnerabilities (e.g., the Sweet32 attack, meet-in-the-middle attack, brute-force attack), and it is considered weak and disallowed by the National Institute of Standards and Technology after 2023.

What can I use instead of 3DES?

AES, or Advanced Encryption Standard, was established by the U.S. National Institute of Standards and Technology (NIST) in 2001 to replace DES and 3DES as the go-to encryption standard. Like 3DES, AES is a symmetric key encryption algorithm that uses the same encryption key for both encrypting and decrypting data.

How do I migrate from 3DES to AES?

Procedure
  1. Migrate encrypted data in the database to use AES 128-bit encryption. ...
  2. Update the Business Audit Key that is defined in BusinessAuditDataCapture. ...
  3. Update the instance configuration file, for each instance, to include the AES_DB="true" parameter. ...
  4. Update product. ...
  5. Restart the server.

What is a downside to using Triple DES?

While more secure than single DES, Triple DES is considered slow compared to modern encryption algorithms like AES. There are variations in how Triple DES is implemented. For example, some modes use two keys (EEE or EDE) instead of three, depending on specific security requirements.

What is the disadvantage of 3DES?

Limitations of 3DES

Slow Speed: The triple-layered encryption process of 3DES makes it slower than other encryption algorithms. Limited Key Size Options: While 3DES supports variable key sizes, the maximum key size is only 192 bits, which may not be enough to meet the security needs of some applications.

What is the recommended replacement for DES?

This cipher has been superseded by the Advanced Encryption Standard (AES). DES has been withdrawn as a standard by the National Institute of Standards and Technology.

Why is Triple DES not secure?

Weak security: The DES algorithm, which crypto/des implements, is considered weak and outdated. It uses a 56-bit key size, which is now vulnerable to brute-force attacks.

How long does it take to break 3DES?

Our results show that 80-bit security can be attacked by distributed GPU clusters. Thus, we recommend PRESENT with 80-bit key and other cryptographic algorithms with 80-bit or shorter keys to be removed from ISO/IEC and other standards. 112-bit security of 3DES can be broken in 8 years with RTX 3070 GPUs.

Is 3DES FIPS compliant?

Triple-DES is a FIPS-certified algorithm, and therefore can obtain a FIPS certificate.

What encryption standard is currently recommended by NIST?

Currently the only NIST-approved 128-bit symmetric key algorithm is AES.

Is 3DES PCI compliant?

Non-compliance: Depending on your organization's industry or regulatory requirements, using deprecated encryption standards like 3DES may lead to non-compliance with data security standards such as GDPR or PCI DSS. This could result in legal consequences or financial penalties.

Is 3DES ECB safe?

Is 3DES safe to use in ECB mode? No block cipher is safe to be used in ECB mode, as you will always see which plaintext blocks appear multiple times. Additionally deterministic encryption (such as when ECB is used) cannot achieve security against chosen-plaintext attacks (a rather weak security notion).
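The ECB answer above can be checked directly. This is an added example, not code from the original page or from Advanced Authentication; it goes one step beyond 3DES by running AES through the same ECB loop, since the claim covers every block cipher. The function names, keys and sample record are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"fmt"
)

// ecb encrypts each block independently; Go ships no ECB mode, so it is a loop.
func ecb(b cipher.Block, pt []byte) []byte {
	ct, n := make([]byte, len(pt)), b.BlockSize()
	for i := 0; i+n <= len(pt); i += n {
		b.Encrypt(ct[i:i+n], pt[i:i+n])
	}
	return ct
}

// cbc chains blocks under a fresh random IV and returns IV || ciphertext.
func cbc(b cipher.Block, pt []byte) ([]byte, error) {
	out := make([]byte, b.BlockSize()+len(pt))
	if _, err := rand.Read(out[:b.BlockSize()]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(b, out[:b.BlockSize()]).CryptBlocks(out[b.BlockSize():], pt)
	return out, nil
}

// repeatedBlocks counts n-byte ciphertext blocks that duplicate an earlier one.
func repeatedBlocks(ct []byte, n int) int {
	seen := map[string]bool{}
	for i := 0; i+n <= len(ct); i += n {
		seen[string(ct[i:i+n])] = true
	}
	return len(ct)/n - len(seen)
}

// demo returns {block size, ECB repeats, CBC repeats} for 3DES, then AES-256.
func demo() (rows [][3]int) {
	// Constructed keys and a block-aligned record repeating one 16-byte unit.
	tdes, _ := des.NewTripleDESCipher([]byte("constructed-3des-key-24b"))
	aes256, _ := aes.NewCipher([]byte("constructed-aes-256-key-32-bytes"))
	pt := []byte("PIN=1234;ok=yes;PIN=1234;ok=yes;PIN=1234;ok=yes;")
	for _, b := range []cipher.Block{tdes, aes256} {
		chained, _ := cbc(b, pt)
		rows = append(rows, [3]int{b.BlockSize(), repeatedBlocks(ecb(b, pt), b.BlockSize()), repeatedBlocks(chained, b.BlockSize())})
	}
	return rows
}
func main() { fmt.Println(demo()) }
```

Both ciphers show repeated ciphertext blocks under ECB and none once blocks are chained under a random IV. CBC is used here only as the contrast and provides no integrity protection on its own.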

Article information

Author: Carlyn Walter
