2

The official NIST publication I saw says that for federal applications 3DES with three keys should be used. I have the following questions:

  • What does "federal" mean? Does it mean that for industrial applications that requirement doesn't hold? What security do I get with 2 keys? By two keys I mean when K1==K3, but K2 is different. Is it average security?

  • Three-key approach with a (globally) fixed second key which is still different from each K1 and K3 pair: Imagine I have a server which communicates with many clients. Is it OK if with each client i it uses distinct (K1[i],K3[i]) pairs (but K3[i]==K1[i] for each pair), and I take K2 such that it is different from each (K1[i], K3[i]) key pair in my system, but it is fixed (globally) for all clients?

EDIT: The crypto will be done by a dongle, so the concern mentioned in one of the answers, that someone will decompile my software and get the 2nd key, doesn't hold.

1 Answer

3

For high-security applications using 3DES, NIST recommends using keying option 1 (all keys are different). This is simply because it's the safest. For any application, keying option 1 should be used. If you set K1==K3, then you are reducing your key size to 112 bits, which is less than the smallest key size for AES. Worse still, due to cryptanalysis done on DES, NIST has said that setting K1==K3 (known as keying option 2) has an effective security of 80 bits. This is barely an improvement on plain DES.

So in short, yes, NIST claims for federal applications you should use 3 different keys. But this is true for any application.

Your second proposal has an effective security of 56 bits, which is just plain DES. A globally fixed K2 means that it has no security, and once one client is broken and decompiled (and trust me, this will happen), then they have K2 for all clients. This effectively makes it have 0 bits of security. K3, being the same as K1, also has 0 bits of security. The only security comes from K1, which is 56 bits. The EFF showed us that a 56-bit key is insecure and is susceptible to a brute-force attack.

You really shouldn't be using 3DES though. It's only used in legacy applications where there are absolutely no other options. AES is currently the standard. If you must, and only if you must use 3DES, use 3 distinct keys that are randomly generated per session.

Daffy
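A key-bundle check for the keying options discussed in the answer above, as an added example (not part of the original question or answer). It compares component keys with the DES parity bits masked out and also flags component keys shared between clients; the function names, client names and key values are constructed for illustration.

```python
from collections import defaultdict

PARITY_MASK = 0xFE  # DES ignores the low (parity) bit of every key byte


def effective(key8: bytes) -> bytes:
    """Return the key bits DES actually uses, with parity bits cleared."""
    return bytes(b & PARITY_MASK for b in key8)


def split_bundle(bundle: bytes):
    """Split a 16- or 24-byte 3DES bundle into effective (K1, K2, K3)."""
    if len(bundle) == 16:  # two-key form: K3 is implicitly K1
        bundle += bundle[:8]
    if len(bundle) != 24:
        raise ValueError("3DES key bundle must be 16 or 24 bytes")
    return tuple(effective(bundle[i:i + 8]) for i in (0, 8, 16))


def classify(bundle: bytes) -> str:
    """Name the keying option a bundle really provides."""
    k1, k2, k3 = split_bundle(bundle)
    if k1 == k2 or k2 == k3:
        # In encrypt-decrypt-encrypt, two adjacent equal keys cancel out,
        # leaving a single DES operation (this covers K1==K2==K3 too).
        return "single-des"
    if k1 == k3:
        return "option-2"
    return "option-1"


def shared_components(bundles: dict) -> dict:
    """Map each component key used by more than one client to those clients."""
    seen = defaultdict(set)
    for client, bundle in bundles.items():
        for key in split_bundle(bundle):
            seen[key].add(client)
    return {k: sorted(c) for k, c in seen.items() if len(c) > 1}


# Constructed sample keys modelling the scheme in the question:
# per-client K1, one global K2, and K3 equal to K1.
K2_GLOBAL = bytes.fromhex("0123456789abcdef")
A1 = bytes.fromhex("a1b2c3d4e5f60718")
B1 = bytes.fromhex("5a6b7c8d9eaf1023")
CLIENTS = {"client-a": A1 + K2_GLOBAL + A1, "client-b": B1 + K2_GLOBAL + B1}
```

Running `classify` at key-provisioning time and `shared_components` over the key inventory lets a deployment reject bundles that are not keying option 1 before they reach production.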