Why would anyone choose 3DES over AES in software?
I'm well aware of what NIST and PCI say about the usage of 3DES and its deprecation/disallowance, and I also know that AES is the actual recommended standard for software and hardware encryption.
I'm seeing many companies still choosing 3DES when they could simply go with the most obvious choice: AES. Why do you think that is? Is there any technical reason why someone could choose 3DES over AES?
aes 3des
Usually the most compelling reason of all: "Backwards Compatibility".
– SEJPM♦
Aug 7 at 18:30
Yep, that sounds like the most logical answer. But shouldn't AES be more important than the technical debt of changing a product or process's compatibility?
– franpen
Aug 7 at 18:33
because it is 1993?
– Richie Frame
Aug 7 at 20:20
For the same reason people still use SHA-1 or even MD5 for integrity or even passwords.
– Seth
Aug 8 at 0:27
@franpen: Everything's a tradeoff.
– Lightness Races in Orbit
Aug 8 at 10:55
asked Aug 7 at 18:24 by franpen (edited Aug 11 at 14:56 by Peter Mortensen)
1 Answer
accepted
In my opinion, there is no reason to choose 3DES over AES, ever.
Especially if it is in software, since 3DES performance has always been terrible. Furthermore, most CPUs ship with AES accelerators nowadays, which means that AES is even faster.
But, sadly, change management is hard: certain smart cards or hardware modules do not support AES but do support 3DES... so if you can avoid changing your hardware, you might just keep going with 3DES, as it is not practically broken.
Also, most software development teams do not have a cryptography enthusiast / a cryptographer and might just be continuing to use the good old algorithm they are used to, or that their system is based on. Not necessarily a good reason, but change is hard, especially when it comes to software, so most of the time, people prefer to avoid any change that would break backwards compatibility or any other such things.
Notice that nowadays, you can still find two-key 3DES out there, for these exact same reasons!
On the theoretical side, 3DES features 64-bit blocks, thus it is not suited for today's high-throughput data transfer protocols, since it could lead to block collisions, while AES is safe on that side with its 128-bit blocks.
On that topic, I refer you to one of my answers for more details on whether or not 3DES is safe.
That was an amazing response. Thank you. One question though: If there were any hardware that didn't support AES, like a POS, for example, would you recommend updating that piece of hardware in order to encrypt its data with AES-128? Would the cost of doing that be worth it even if 3DES hasn't been broken yet?
– franpen
Aug 7 at 19:15
That would mostly depend on the threat model of that POS... It will mostly depend on the estimated cost of an attack, the estimated cost of the upgrade, and the estimated loss in case of an attack... Practical security is sadly not as elegant as theoretical cryptography and is generally based on many trade-offs. 3DES won't be broken by brute-force attacks in the next decades, IMO. And I doubt a POS is generating a large amount of traffic. So, unless there is a theoretical breakthrough (unlikely), that means you still got time...
– Lery
Aug 7 at 19:20
Yeah, there's time, but most applications I've seen use 3DES with TLS which, as I've come to conclude, could make them vulnerable. Also, in your answer about whether or not 3DES is safe, you say NIST still recommends it, but that doesn't apply nowadays, as NIST itself has said 3DES is gonna be deprecated. So with all of this in mind, I really think in most cases the cost of going to AES is totally worth it. Especially when dealing with confidential information.
– franpen
Aug 7 at 19:38
I don't know if it is still true, but about five years ago, large parts of the credit card network were protected by single DES - the banks decided that the cost of replacing the terminals was too high, and just left it as-is (new POS terminals tend to support AES, but old ones don't).
– Martin Bonner
Aug 8 at 13:22
@franpen: Why? They know how much the POS terminals cost, they know how much it will cost to install them, and they know how much they lose from cyberfraud. Then they make a business decision.
– Martin Bonner
Aug 8 at 14:24
answered Aug 7 at 18:46 by Lery
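The accepted answer's block-size argument (64-bit blocks make 3DES unsuitable for high-volume traffic because ciphertext blocks start colliding) can be quantified with the birthday bound. The following Python is an added example written for this page, not code from Lery or from the original thread. It assumes a CBC-like mode where ciphertext blocks look uniformly random, so the expected number of colliding block pairs among n blocks is C(n, 2) / 2^b for block size b; the 32 GiB sample volume is a constructed figure, and the 2^20-block per-key ceiling is the limit NIST SP 800-67 Rev. 2 places on three-key TDEA.

```python
import math

# Added example (not from the original question or answer): birthday-bound
# estimate of ciphertext block collisions for a 64-bit block cipher (3DES)
# versus a 128-bit block cipher (AES), for a given volume of data encrypted
# under one key. Assumes a CBC-like mode with random-looking ciphertext blocks.


def blocks_for_data(data_bytes: int, block_bits: int) -> int:
    """Number of cipher blocks needed to carry data_bytes, rounded up."""
    block_bytes = block_bits // 8
    return -(-data_bytes // block_bytes)  # ceiling division on ints


def expected_collisions(n_blocks: int, block_bits: int) -> float:
    """Expected number of colliding block pairs among n_blocks blocks:
    C(n, 2) / 2**block_bits, the classic birthday bound."""
    pairs = n_blocks * (n_blocks - 1) // 2  # exact integer arithmetic
    return pairs / (1 << block_bits)


def collision_probability(n_blocks: int, block_bits: int) -> float:
    """Probability that at least one pair of ciphertext blocks collides,
    via the Poisson approximation 1 - exp(-expected). expm1 keeps the
    result accurate when the expectation is tiny (the AES case)."""
    return -math.expm1(-expected_collisions(n_blocks, block_bits))


def data_for_collision_probability(block_bits: int, p: float) -> int:
    """Approximate bytes that can be encrypted under one key before the
    collision probability reaches p (inverse of the approximation above)."""
    n_blocks = math.sqrt(-2.0 * math.log1p(-p) * (1 << block_bits))
    return int(n_blocks) * (block_bits // 8)


def within_block_limit(n_blocks: int, max_blocks: int) -> bool:
    """Policy check: does the per-key volume stay under a configured ceiling?"""
    return n_blocks <= max_blocks


# Per-key ceiling for three-key TDEA from NIST SP 800-67 Rev. 2: 2**20 blocks,
# i.e. 8 MiB of data per key bundle.
TDEA_MAX_BLOCKS = 1 << 20

if __name__ == "__main__":
    sample = 1 << 35  # constructed figure: 32 GiB encrypted under a single key
    for name, bits in (("3DES", 64), ("AES", 128)):
        n = blocks_for_data(sample, bits)
        print(f"{name}: {n} blocks, "
              f"P(collision) = {collision_probability(n, bits):.3g}, "
              f"50% reached at ~{data_for_collision_probability(bits, 0.5) / 2**30:.1f} GiB")
    n_3des = blocks_for_data(sample, 64)
    print("3DES sample within NIST per-key limit:",
          within_block_limit(n_3des, TDEA_MAX_BLOCKS))
```

With 32 GiB under one key, the 3DES case gives roughly a 39% chance of at least one colliding pair (each collision leaks the XOR of two plaintext blocks in CBC), while the AES case sits around 10^-20; the same volume is also far beyond the 2^20-block ceiling, which is the practical reason per-key data limits and frequent rekeying matter far more for 3DES than for AES.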