The use of DES-CBC3 for TLS

All we need is an easy explanation of the problem, so here it is.

When researching some TLS compliant software I found some mentions of DES-CBC3. Further research shows that it is probably simply a name of OpenSSL for 3DES-EDE-CBC (under section “CIPHER SUITE NAMES” which I cannot directly link to).

It seems to me that executing 3DES-EDE in CBC mode is significantly different from performing DES-CBC three times so the name doesn’t make any sense.

I’ve got the following related questions:

  1. Is the string DES-CBC3 only specific to (software using) OpenSSL?
  2. Is it somehow tied to a specific version of SSL / TLS?
  3. (Optionally) Does anybody know why it is called DES-CBC3?

How to solve :

I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.

Method 1

DES-CBC3, is a shorthand for a few suites in OpenSSL (that doesn’t always have an exact one to one mapping between the name used and the suite used, it constructs it from the name and the type of key used for authentication). Nowadays, this name almost always means a suite documented in RFC 6101 where it is called, a slightly better name : SSL_RSA_WITH_3DES_EDE_CBC_SHA. I have no idea how OpenSSL came with its shorthand (and I suspect it dates from before OpenSSL was OpenSSL), but it’s a pretty bad one.

The RFC name gives you the hint that it’s using 3DES (Triple-DES) in EDE mode.

3DES-EDE is using 3 56 bit keys, the first used in Encryption, the second in Decryption, the third in Encryption. This construct has the advantage that if all three keys are identical, you have DES, which is nice as it permits to reuse the same hardware to do DES and 3DES.

To answer each point

  1. Only OpenSSL calls it that, not the name used in the actual standard
  2. Valid from SSLv3 and up
  3. You’d need to read the history of OpenSSL back when it was libeay, this is extremely old code, this was likely a mistake but it stuck.

Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply