To 3DES or not to 3DES?

MrControversial

Senior member
Jan 25, 2005
848
0
0
I'm linking three small health centers via VPN. What encryption scheme should I use? The slowest site of them all will be using 512K DSL (only thing available besides crappy Shat-a-lite), so I've been thinking about using regular old DES although the Firewall/Router supports 3DES.

The reason I'm thinking about using DES over 3DES is that I'm afraid of performance penalties. The reason I want 3DES is the added security of course (I mean, if it comes for "free", why not use the best?). Or maybe I'm thinking backwards. Is the latency delta between 3DES and DES noticeable over a moderate WAN link (such as 512K DSL)? Or is it much ado about nothing (sorry about all the Shakespeare references)? I heard that the performance penalty is especially noticeable when the WAN link has a high throughput, such as T-series. That makes sense since the more traffic that comes in, the more encryption/decryption is needed.

My short question is, can I use 3DES encryption over DSL without seeing any noticeable performance hit?
 

ITJunkie

Platinum Member
Apr 17, 2003
2,512
0
76
www.techange.com
I may be wrong but I thought the encryption was done on the hardware so the bandwidth issue should be null. One thing to keep in mind while making the choice is HIPAA requirements for encryption.
 

MrControversial

Senior member
Jan 25, 2005
848
0
0
HIPAA leaves the encryption standard up to us. They list DES as one of them.

Maybe you're right about performance, but I reasoned that the data has to be encrypted and decrypted so that adds to the latency.

As a trivial example if data has to go from point A to B, with no encryption it goes A --> B. With encryption it's: encrypt --> A ---> decrypt --> B, so of course it's going to be slower with encryption.
 

gaidin123

Senior member
May 5, 2000
962
0
0
All VPNs add some sort of delay when it comes to processing encrypted data at the endpoints. I don't think you are going to see any noticeable difference between DES and 3DES unless you have some really low end hardware on your low bandwidth link.

The only way to know for sure is to test it with both. Both DES and 3DES are easily crackable. If you're transporting HIPAA data I'd go with the strongest encryption your endpoints can negotiate.

Gaidin
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
DES is considered to be insecure. Someone built a purpose-built machine (~10 years ago?) that brute-forced DES in just a couple of days. There are other methods of attacking DES that are faster than brute-force but to my knowledge none of those methods are practical yet.

3DES has more overhead associated with it, but with today's processors it's not as much as it used to be. AES is pretty much the new standard, and 128-bit AES is considered as secure as 168-bit 3DES, but with less overhead. In all my tests, 256-bit AES has roughly the same overhead as 3DES.

It'd be best to use 128-bit AES. But if you can't, use 3DES and not DES.
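Gaidin's advice to "test it with both" and Boscoh's overhead comparison can be checked directly. The program below is an added example, not code from any poster: it times CBC encryption of a few MiB with each algorithm the OP's router supports (DES, 3DES, AES-128, AES-256) using Go's standard library, with a constructed sample key and dummy plaintext, and compares the result against the 512 kbit/s DSL link.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
	"time"
)

// Constructed 32-byte sample key, sliced per cipher; for timing only, never for real traffic.
var sampleKey = []byte("0123456789abcdef0123456789abcdef")

// algo pairs an algorithm name with its Go constructor and key length in bytes.
type algo struct {
	name   string
	keyLen int
	newFn  func([]byte) (cipher.Block, error)
}

// cipherTable lists the four algorithms the OP's firewall/router offers.
var cipherTable = []algo{{"DES", 8, des.NewCipher}, {"3DES", 24, des.NewTripleDESCipher}, {"AES-128", 16, aes.NewCipher}, {"AES-256", 32, aes.NewCipher}}

// Bench builds the cipher, CBC-encrypts n dummy bytes (n a multiple of 16 so one buffer fits
// both 8-byte DES and 16-byte AES blocks), decrypts them again, and returns the encryption
// throughput in Mbit/s and whether the round trip matched. The zero IV is fine for dummy data only.
func Bench(a algo, n int) (float64, bool, error) {
	block, err := a.newFn(sampleKey[:a.keyLen])
	if err != nil {
		return 0, false, err
	}
	pt := bytes.Repeat([]byte{0xA5}, n) // constructed plaintext
	iv := make([]byte, block.BlockSize())
	ct, back := make([]byte, n), make([]byte, n)
	start := time.Now()
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	secs := time.Since(start).Seconds()
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(back, ct)
	return float64(n) * 8 / 1e6 / secs, bytes.Equal(back, pt), nil
}

func main() {
	for _, a := range cipherTable { // above 0.512 Mbit/s the DSL link, not the cipher, is the bottleneck
		mbps, ok, err := Bench(a, 4<<20)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-8s %8.1f Mbit/s  roundtrip=%v  link-bound=%v\n", a.name, mbps, ok, mbps > 0.512)
	}
}
```

Software throughput on a general-purpose CPU is an upper bound for what a small firewall/router will do, so the useful comparison is the ratio between ciphers, not the absolute numbers.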
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
Originally posted by: gaidin123
The only way to know for sure is to test it with both. Both DES and 3DES are easily crackable.

I think you're incorrect about 3DES being easily crackable. Do you have any links, or can you explain?
 

gaidin123

Senior member
May 5, 2000
962
0
0
Originally posted by: Boscoh
I think you're incorrect about 3DES being easily crackable. Do you have any links, or can you explain?

I was wrong on 3DES being easily crackable. I was mainly thinking that AES was designed to replace the DES standard in general including 3DES but it looks like it was designed to replace just DES and coexist with 3DES for some time still with the intention of eventually migrating to AES. This Wikipedia article on 3DES makes some mention of a parallelizable attack on 3DES and the fact that AES is replacing 3DES slowly. It looks like the NIST expects people to migrate to AES but plans on that taking quite a few years still.

This gets a little off topic but I believe AES is approved for classified, secret, and top secret (based on key length) info whereas 3DES is not but I could be wrong.

So, in this case, DES is probably enough for a 512kbps VPN but it can be cracked in less than a day if someone had some decent resources. If 3DES doesn't slow you down much I'd go for that or AES if you have the option.

Gaidin
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
Originally posted by: gaidin123
I was wrong on 3DES being easily crackable. I was mainly thinking that AES was designed to replace the DES standard in general including 3DES but it looks like it was designed to replace just DES and coexist with 3DES for some time still with the intention of eventually migrating to AES. This Wikipedia article on 3DES makes some mention of a parallelizable attack on 3DES and the fact that AES is replacing 3DES slowly. It looks like the NIST expects people to migrate to AES but plans on that taking quite a few years still.

Yeah, there is no practical attack on 3DES other than brute-forcing the key. However, if an attacker can somehow get access to the S-Boxes used to create the key then you're screwed.

This gets a little off topic but I believe AES is approved for classified, secret, and top secret (based on key length) info whereas 3DES is not but I could be wrong.

The last I heard, AES was approved for government use with non-classified material. The ciphers used to protect classified, secret, top secret material are actually classified in themselves.

So, in this case, DES is probably enough for a 512kbps VPN but it can be cracked in less than a day if someone had some decent resources. If 3DES doesn't slow you down much I'd go for that or AES if you have the option.

If you've just got to use DES, rotate your keys about once every 15 minutes and use perfect forward secrecy to ensure that no portion of the previous key is used to generate the next one.

 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
The last I heard, AES was approved for government use with non-classified material
Actually, the NSA has certified AES for use with classified material. 128-bit AES is certified for material up to and including the SECRET level, and 256-bit is certified to be strong enough for TOP SECRET material.
 

MrControversial

Senior member
Jan 25, 2005
848
0
0
I rechecked the docs and it supports: DES, 3DES, and 128/192/256 AES.

I guess I'll go 128-bit AES. I'll balance it out by using Aggressive IKE which is faster than Standard IKE.
 