Module DES3

Triple DES symmetric cipher

Triple DES (or TDES or TDEA or 3DES) is a symmetric block cipher standardized by NIST. It has a fixed data block size of 8 bytes.

TDES consists of the concatenation of 3 simple Single DES ciphers (encryption - decryption - encryption), where each stage uses an independent sub-key.

A TDES key is therefore 24 (8+8+8) bytes long. However, like Single DES, only 7 out of 8 bits are actually used: the remaining ones are parity bits (which practically all TDES implementations ignore). Theoretically, Triple DES achieves up to 112 bits of effective security.

Triple DES can also operate with a 16-byte key (Option 2, also termed 2TDES), in which case subkey K1 equals subkey K2. The effective security is as low as 90 bits.

This implementation checks and enforces the condition K1 != K2 != K3, because a key that violates it (Option 3) degrades Triple DES to Single DES.
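
The key check described above, as an added example (not PyCryptodome's own code): it normalizes the parity bit of each byte and then compares adjacent 8-byte subkeys, so two subkeys that differ only in their ignored parity bits are still caught. The function names and the sample keys are assumptions made for illustration.

```python
# Added illustration, not PyCryptodome code. Function names are hypothetical.

def set_odd_parity(key):
    """Set the low (parity) bit of every byte so each byte has odd parity."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE                      # the 7 bits DES actually uses
        ones = bin(high7).count("1")
        out.append(high7 | (0 if ones % 2 else 1))
    return bytes(out)


def check_tdes_key(key):
    """Return the parity-normalized key, or raise ValueError if it is unusable."""
    if len(key) not in (16, 24):
        raise ValueError("TDES key must be 16 or 24 bytes long")
    norm = set_odd_parity(key)
    subkeys = [norm[i:i + 8] for i in range(0, len(norm), 8)]
    # E-D-E collapses to a single DES operation when two adjacent stages
    # share a key, so compare each subkey with its neighbour.
    for left, right in zip(subkeys, subkeys[1:]):
        if left == right:
            raise ValueError("adjacent subkeys match: key degrades to Single DES")
    return norm


def is_usable(key):
    """Boolean wrapper around check_tdes_key."""
    try:
        check_tdes_key(key)
        return True
    except ValueError:
        return False


# Constructed sample keys for the demonstration.
GOOD_3KEY = bytes(range(24))
# K1 and K2 differ in every raw byte, but only in the ignored parity bit.
PARITY_ONLY = b"\x10" * 8 + b"\x11" * 8 + b"\x20" * 8
TWO_KEY_EQUAL = b"\xA4" * 16                  # 16-byte key with K1 == K2

if __name__ == "__main__":
    for name, k in [("GOOD_3KEY", GOOD_3KEY), ("PARITY_ONLY", PARITY_ONLY),
                    ("TWO_KEY_EQUAL", TWO_KEY_EQUAL)]:
        print(name, "usable" if is_usable(k) else "rejected")
```

A plain byte comparison of the raw subkeys would accept `PARITY_ONLY`, which is why the parity bits are normalized before the comparison.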

Use AES, not TDES. This module is provided for legacy purposes only.

As an example, encryption can be done as follows:

>>> from Cryptodome.Cipher import DES3
>>> from Cryptodome.Random import get_random_bytes
>>>
>>> # When generating a Triple DES key you must check that
>>> # subkey1 != subkey2 and subkey2 != subkey3
>>> while True:
...     try:
...         key = DES3.adjust_key_parity(get_random_bytes(24))
...         break
...     except ValueError:
...         # Subkeys collided; draw a fresh random key
...         pass
...
>>> cipher = DES3.new(key, DES3.MODE_CFB)
>>> plaintext = b'We are no longer the knights who say ni!'
>>> # CFB uses an IV (not a nonce); prepend it so the receiver can decrypt
>>> msg = cipher.iv + cipher.encrypt(plaintext)

Functions
 
adjust_key_parity(key_in)
Return the TDES key with parity bits correctly set
 
new(key, mode, *args, **kwargs)
Create a new TDES cipher
Variables
  MODE_ECB = 1
Electronic Code Book (ECB). See Cryptodome.Cipher._mode_ecb.EcbMode.
  MODE_CBC = 2
Cipher-Block Chaining (CBC). See Cryptodome.Cipher._mode_cbc.CbcMode.
  MODE_CFB = 3
Cipher FeedBack (CFB). See Cryptodome.Cipher._mode_cfb.CfbMode.
  MODE_OFB = 5
Output FeedBack (OFB). See Cryptodome.Cipher._mode_ofb.OfbMode.
  MODE_CTR = 6
CounTer Mode (CTR). See Cryptodome.Cipher._mode_ctr.CtrMode.
  MODE_OPENPGP = 7
OpenPGP Mode. See Cryptodome.Cipher._mode_openpgp.OpenPgpMode.
  MODE_EAX = 9
EAX Mode. See Cryptodome.Cipher._mode_eax.EaxMode.
  block_size = 8
Size of a data block (in bytes)
  key_size = (16, 24)
Size of a key (in bytes)
Function Details

new(key, mode, *args, **kwargs)

 

Create a new TDES cipher

Parameters:
  • key (byte string) - The secret key to use in the symmetric cipher. It must be 16 or 24 bytes long. The parity bits will be ignored. The condition K1 != K2 != K3 must hold.
  • mode (a MODE_* constant) - The chaining mode to use for encryption or decryption.
  • iv (byte string) - (Only MODE_CBC, MODE_CFB, MODE_OFB, MODE_OPENPGP).

    The initialization vector to use for encryption or decryption.

    For MODE_OPENPGP, IV must be 8 bytes long for encryption and 10 bytes for decryption (in the latter case, it is actually the encrypted IV which was prefixed to the ciphertext).

    For all other modes, it must be 8 bytes long.

    If not provided, a random byte string will be generated (you can read it back via the iv attribute).

  • nonce (byte string) - (Only MODE_EAX and MODE_CTR) A value that must never be reused for any other encryption.

    For MODE_CTR, its length must be in the range [0..7].

    For MODE_EAX, there are no restrictions, but it is recommended to use at least 16 bytes.

    If not provided for MODE_EAX, a random 16 byte string is generated (you can read it back via the nonce attribute).

  • mac_len (integer) - (Only MODE_EAX). Length of the authentication tag, in bytes. It must be no larger than 8 (which is the default).
  • segment_size (integer) - (Only MODE_CFB). The number of bits the plaintext and ciphertext are segmented in. It must be a multiple of 8. If not specified, it will be assumed to be 8.
  • initial_value (integer) - (Only MODE_CTR). The initial value for the counter within the counter block. By default it is 0.
Returns:

a DES cipher object, of the applicable mode:

Raises:
  • ValueError - when the key degrades to Single DES.

Attention: it is important that all 8 byte subkeys are different, otherwise TDES would degrade to single DES.