Triple DES
Warning
Use AES instead. This module is provided only for legacy purposes.
Triple DES (or TDES or TDEA or 3DES) is a symmetric block cipher standardized by NIST in SP 800-67 Rev1, though they will deprecate it soon.
TDES has a fixed data block size of 8 bytes. It consists of the cascade of 3 Single DES ciphers (EDE: Encryption - Decryption - Encryption), where each stage uses an independent DES sub-key.
The standard defines 3 Keying Options:
Option 1: all sub-keys take different values (parity bits ignored). The TDES key is therefore 24 bytes long (concatenation of K1, K2, and K3) , to achieve 112 bits of effective security.
Option 2: K1 matches K3 but K2 is different (parity bits ignored). The TDES key is 16 bytes long (concatenation of K1 and K2), to achieve 90 bits of effective security. In this mode, the cipher is also termed 2TDES.
Option 3: K1 K2, and K3 all match (parity bits ignored). As result, Triple DES degrades to Single DES.
This implementation does not support and will purposefully fail when attempting to configure the cipher in Option 3.
As an example, encryption can be done as follows:
>>> from Crypto.Cipher import DES3
>>> from Crypto.Random import get_random_bytes
>>>
>>> # Avoid Option 3
>>> while True:
>>> try:
>>> key = DES3.adjust_key_parity(get_random_bytes(24))
>>> break
>>> except ValueError:
>>> pass
>>>
>>> cipher = DES3.new(key, DES3.MODE_CFB)
>>> plaintext = b'We are no longer the knights who say ni!'
>>> msg = cipher.iv + cipher.encrypt(plaintext)
Module’s constants for the modes of operation supported with Triple DES:
- var MODE_ECB:
- var MODE_CBC:
- var MODE_CFB:
- var MODE_OFB:
- var MODE_CTR:
- var MODE_OPENPGP:
- var MODE_EAX:
- Crypto.Cipher.DES3.adjust_key_parity(key_in)
Set the parity bits in a TDES key.
- Parameters:
key_in (byte string) – the TDES key whose bits need to be adjusted
- Returns:
a copy of
key_in, with the parity bits correctly set- Return type:
byte string
- Raises:
ValueError – if the TDES key is not 16 or 24 bytes long
ValueError – if the TDES key degenerates into Single DES
- Crypto.Cipher.DES3.new(key, mode, *args, **kwargs)
Create a new Triple DES cipher.
- Parameters:
key (bytes/bytearray/memoryview) – The secret key to use in the symmetric cipher. It must be 16 or 24 byte long. The parity bits will be ignored.
mode (One of the supported
MODE_*constants) – The chaining mode to use for encryption or decryption.
- Keyword Arguments:
iv (bytes, bytearray, memoryview) – (Only applicable for
MODE_CBC,MODE_CFB,MODE_OFB, andMODE_OPENPGPmodes).The initialization vector to use for encryption or decryption.
For
MODE_CBC,MODE_CFB, andMODE_OFBit must be 8 bytes long.For
MODE_OPENPGPmode only, it must be 8 bytes long for encryption and 10 bytes for decryption (in the latter case, it is actually the encrypted IV which was prefixed to the ciphertext).If not provided, a random byte string is generated (you must then read its value with the
ivattribute).nonce (bytes, bytearray, memoryview) – (Only applicable for
MODE_EAXandMODE_CTR).A value that must never be reused for any other encryption done with this key.
For
MODE_EAXthere are no restrictions on its length (recommended: 16 bytes).For
MODE_CTR, its length must be in the range [0..7].If not provided for
MODE_EAX, a random byte string is generated (you can read it back via thenonceattribute).segment_size (integer) – (Only
MODE_CFB).The number of bits the plaintext and ciphertext are segmented in. It must be a multiple of 8. If not specified, it will be assumed to be 8.mac_len : (integer) – (Only
MODE_EAX) Length of the authentication tag, in bytes. It must be no longer than 8 (default).initial_value : (integer) – (Only
MODE_CTR). The initial value for the counter within the counter block. By default it is 0.
- Return:
a Triple DES object, of the applicable mode.