Editing Triple DES (section)

== Keying options ==
The standards define three keying options:
; Keying option 1
: All three keys are independent. Sometimes known as 3TDEA<ref name="NIST57r4">{{cite web
| url=http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf |archive-url=https://web.archive.org/web/20160207114509/http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf |archive-date=2016-02-07 |url-status=live
| title=NIST Special Publication 800-57: Recommendation for Key Management Part 1: General
| first=Elaine
| last=Barker
| edition=4
| date=January 2016
| publisher=[[NIST]]
| access-date=2017-09-05}}</ref> or triple-length keys.<ref name=cryptography_world>{{cite web
| url=http://www.cryptographyworld.com/des.htm
| title=The Cryptography Guide: Triple DES
| publisher=Cryptography World
| archive-url=https://web.archive.org/web/20170312125442/http://www.cryptographyworld.com/des.htm
| archive-date=2017-03-12
| url-status=dead
| access-date=2017-09-05}}</ref><!--
--><p>This is the strongest, with 3 × 56 = 168 independent key bits. It is still vulnerable to the [[meet-in-the-middle attack]], but the attack requires 2<sup>2 × 56</sup> steps.</p>
; Keying option 2
: K<sub>1</sub> and K<sub>2</sub> are independent, and K<sub>3</sub> = K<sub>1</sub>. Sometimes known as 2TDEA<ref name="NIST57r4"/> or double-length keys.<ref name=cryptography_world/><!--
--><p>This provides a shorter key length of 56 × 2 or 112&nbsp;bits and a reasonable compromise between DES and keying option 1, with the same caveat as above.<ref>{{cite book
| title=Introduction to Modern Cryptography
| first1=Jonathan
| last1=Katz
| first2=Yehuda
| last2=Lindell
| date=2015
| publisher=[[CRC Press|Chapman and Hall/CRC]]
| page=223
| isbn=9781466570269}}</ref> This is an improvement over "double DES" which only requires 2<sup>56</sup> steps to attack. NIST disallowed this option in 2015.<ref name="NIST57r4"/></p>
; Keying option 3
: All three keys are identical, i.e. K<sub>1</sub> = K<sub>2</sub> = K<sub>3</sub>.<!--
--><p>This is backward-compatible with DES, since two of the operations cancel out. ISO/IEC 18033-3 never allowed this option, and NIST no longer allows K<sub>1</sub> = K<sub>2</sub> or K<sub>2</sub> = K<sub>3</sub>.<ref name="NIST57r4" /><ref name="NIST67r2" /></p>

Each DES key is 8 [[odd parity|odd-parity]] bytes, with 56&nbsp;bits of key and 8&nbsp;bits of error-detection.<ref name="ANSIx952"/> A key bundle requires 24&nbsp;bytes for option 1, 16 for option 2, or 8 for option 3.

NIST (and the current TCG specifications version 2.0 of approved algorithms for [[Trusted Platform Module]]) also disallows using any one of the 64 following 64-bit values in any keys (note that 32 of them are the binary complement of the 32 others; and that 32 of these keys are also the reverse permutation of bytes of the 32 others), listed here in hexadecimal (in each byte, the least significant bit is an odd-parity generated bit, which is discarded when forming the effectively 56-bit key):
 01.01.01.01.01.01.01.01, FE.FE.FE.FE.FE.FE.FE.FE, E0.FE.FE.E0.F1.FE.FE.F1, 1F.01.01.1F.0E.01.01.0E,
 01.01.FE.FE.01.01.FE.FE, FE.FE.01.01.FE.FE.01.01, E0.FE.01.1F.F1.FE.01.0E, 1F.01.FE.E0.0E.01.FE.F1,
 01.01.E0.E0.01.01.F1.F1, FE.FE.1F.1F.FE.FE.0E.0E, E0.FE.1F.01.F1.FE.0E.01, 1F.01.E0.FE.0E.01.F1.FE,
 01.01.1F.1F.01.01.0E.0E, FE.FE.E0.E0.FE.FE.F1.F1, E0.FE.E0.FE.F1.FE.F1.FE, 1F.01.1F.01.0E.01.0E.01,
 01.FE.01.FE.01.FE.01.FE, FE.01.FE.01.FE.01.FE.01, E0.01.FE.1F.F1.01.FE.0E, 1F.FE.01.E0.0E.FE.01.F1,
 01.FE.FE.01.01.FE.FE.01, FE.01.01.FE.FE.01.01.FE, E0.01.01.E0.F1.01.01.F1, 1F.FE.FE.1F.0E.FE.FE.0E,
 01.FE.E0.1F.01.FE.F1.0E, FE.01.1F.E0.FE.01.0E.F1, E0.01.1F.FE.F1.01.0E.FE, 1F.FE.E0.01.0E.FE.F1.01,
 01.FE.1F.E0.01.FE.0E.F1, FE.01.E0.1F.FE.01.F1.0E, E0.01.E0.01.F1.01.F1.01, 1F.FE.1F.FE.0E.FE.0E.FE,
 01.E0.01.E0.01.F1.01.F1, FE.1F.FE.1F.FE.0E.FE.0E, E0.1F.FE.01.F1.0E.FE.01, 1F.E0.01.FE.0E.F1.01.FE,
 01.E0.FE.1F.01.F1.FE.0E, FE.1F.01.E0.FE.0E.01.F1, E0.1F.01.FE.F1.0E.01.FE, 1F.E0.FE.01.0E.F1.FE.01,
 01.E0.E0.01.01.F1.F1.01, FE.1F.1F.FE.FE.0E.0E.FE, E0.1F.1F.E0.F1.0E.0E.F1, 1F.E0.E0.1F.0E.F1.F1.0E,
 01.E0.1F.FE.01.F1.0E.FE, FE.1F.E0.01.FE.0E.F1.01, E0.1F.E0.1F.F1.0E.F1.0E, 1F.E0.1F.E0.0E.F1.0E.F1,
 01.1F.01.1F.01.0E.01.0E, FE.E0.FE.E0.FE.F1.FE.F1, E0.E0.FE.FE.F1.F1.FE.FE, 1F.1F.01.01.0E.0E.01.01,
 01.1F.FE.E0.01.0E.FE.F1, FE.E0.01.1F.FE.F1.01.0E, E0.E0.01.01.F1.F1.01.01, 1F.1F.FE.FE.0E.0E.FE.FE,
 01.1F.E0.FE.01.0E.F1.FE, FE.E0.1F.01.FE.F1.0E.01, E0.E0.1F.1F.F1.F1.0E.0E, 1F.1F.E0.E0.0E.0E.F1.F1,
 01.1F.1F.01.01.0E.0E.01, FE.E0.E0.FE.FE.F1.F1.FE, E0.E0.E0.E0.F1.F1.F1.F1, 1F.1F.1F.1F.0E.0E.0E.0E
With these restrictions on allowed keys, Triple DES was reapproved with keying options 1 and 2 only. Generally, the three keys are generated by taking 24&nbsp;bytes from a strong random generator, and only keying option 1 should be used (option 2 needs only 16 random bytes, but strong random generators are hard to assert and it is considered best practice to use only option 1).