3DES Configuration

What to expect:

3DES has been proven to be insecure. Attacks such as Sweet32 render the algorithm weak. Because 3DES is still used on today's Internet for backward compatibility, we suggest using it only if absolutely necessary (AES is on its way to becoming the recommended standard because it will provide more security in the long term). If 3DES is used, care must be taken to ensure that it is properly configured.

In particular, if 3DES is used to encrypt data in a TLS session between a web server and a client, security mechanisms should be put in place to ensure that the client cannot generate more than around 100 requests towards the server. Most standard web server software sets the limit to 100, so the default configuration is not vulnerable. In essence, this ensures that the keys used by 3DES are rotated often. However, avoid using 3DES unless you know for sure that these types of attacks will not apply to you. It is safer to use an algorithm such as AES, which is secure in all scenarios (given what we know today), than an algorithm such as 3DES, which is secure in most scenarios.
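A minimal config audit for the two settings discussed above, as an added example that is not part of the original page: it flags 3DES suites that a cipher string names explicitly and keep-alive request limits above 100. The sample config is constructed; `audit` and `enabled_3des` are hypothetical helper names, and aliases such as DEFAULT are not expanded.

```python
import re

# Constructed sample: Apache-style config with a 3DES suite still enabled and
# an unlimited keep-alive request count (0 means unlimited in Apache).
SAMPLE_CONF = """\
KeepAlive On
MaxKeepAliveRequests 0
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA
"""
REQUEST_LIMIT = 100  # per-connection request limit named in the text above
LIMIT_DIRECTIVES = {"maxkeepaliverequests", "keepalive_requests"}  # Apache, nginx
CIPHER_DIRECTIVES = {"sslciphersuite", "ssl_ciphers"}              # Apache, nginx


def enabled_3des(cipher_string):
    """Return the 3DES entries an OpenSSL-style cipher string names as enabled."""
    hits = []
    for item in re.split(r"[:, ]+", cipher_string.strip("\"'; ")):
        if not item or item[0] in "!-":  # '!' and '-' prefixes remove ciphers
            continue
        name = item.lstrip("+")
        if "3DES" in name.upper() or "DES-CBC3" in name.upper():
            hits.append(name)
    return hits


def audit(conf_text):
    """Return (line, issue, value) findings for 3DES use and request limits."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].strip().rstrip(";").split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in CIPHER_DIRECTIVES:
            findings.extend((lineno, "3des-enabled", n) for n in enabled_3des(value))
        elif key in LIMIT_DIRECTIVES and value.isdigit():
            n = int(value)
            if n == 0 and key == "maxkeepaliverequests":
                findings.append((lineno, "unlimited-requests", value))
            elif n > REQUEST_LIMIT:
                findings.append((lineno, "limit-above-100", value))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```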

Examples to change the limit:-
Where client VPN solutions (non-HTTPS-based) are used, lifetimes can be set on the TLS session on the VPN gateway to force the client to re-establish the TLS session. These lifetimes are usually based on the amount of data transferred over a TLS session (data-limit) or on the amount of time a TLS session has been up, idle or active (time-based). Make sure to read the vendor's configuration documents in order to understand what is done. Whether to use one of the two lifetimes or both depends on your design.

VPN lifetime changes:-
For data storage, 3DES is considered to be strong enough for now. However, it is still recommended to refresh the keys that AES uses every once in a while. The refresh rate should depend on how sensitive your information is.

To read more about the attack, follow the link: https://www.synopsys.com/blogs/software-security/sweet32-retire-3des/

Upgrade/Patch Management

Concept: Upgrades to 3DES will likely not occur for any products. Many popular vendors such as OpenSSL have deprecated 3DES. Therefore, all products that use the latest versions of OpenSSL to implement 3DES in software (a very popular and recommended choice) will most likely not have any support for 3DES. It is therefore recommended that you check whether 3DES is still supported by the product you are going to use and upgrade/downgrade as necessary. Other implications of such downgrades/upgrades should be carefully considered too.

Note: A major source for 3DES traffic is considered to come from Windows XP + Internet Explorer 8. Our immediate recommendation for such users is to use Mozilla Firefox instead (and also move away from XP).