
In what cases can we use a weak block cipher like DES?

More precisely, are there specific situations in which a weakened block cipher can still be used, for instance for certain types of plaintext?

Ilmari Karonen
Dingo13

2 Answers


We can still safely use 64-bit-block ciphers in an otherwise sound protocol, when all of the following three conditions are met:

  • The effective key size is made big enough; that disqualifies DES (55-bit), but not Blowfish (up to 448 bits), TEA (128 bits), 3DES (167 bits), and to some degree 2-key-3DES (111 bits). Note: I computed the effective key size of DES and variants accounting for unused low-order bits of keys, and the complementation property. Theoretical attacks allowing better-than-brute-force key search for 2-key-3DES are not a practical concern for the time being (except from demonstration of security and certification standpoints).
  • The number $n$ of blocks that could be used with the same key (legitimately or by an attacker abusing a legitimate device) is low enough to guard against a birthday attack. If we want the maximum odds of the adversary succeeding in this way to be bounded by $2^{-k}$ for some $k>0$, we are safe if we limit $n$ to about $2^{(65-k)/2}$. E.g. if we accept only a one in a million chance that an adversary succeeds by birthday attack, $k\approx 20$, thus we should limit to $2^{22.5}$ blocks; that's only about 45 MiB in an encryption application.
  • The implementations are suitably protected from various side-channel attacks. When the adversary has physical access to the device implementing the block cipher, this often requires further lowering the number of uses of a given key. 3DES is well analyzed in this regard, Blowfish much less so.

A common example of safe use of 3DES is as session keys (for integrity or confidentiality protection) in Smart Card applications, with the amount of data in the session limited, as in this European Regulation (search CSM_021 through CSM_031 for a description, CSP_301 and CSM_013 for the limitation of the number of blocks).

Update: A small block size worsens some insecure encryption protocols/modes, such as ECB, especially when used with low entropy in the plaintext. The solution is: use secure encryption protocols/modes; there's then no worry about entropy in the plaintext.

fgrieu
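A worked version of the birthday-bound limit from the answer above, added here as an example and not part of the original post. It assumes the standard birthday approximation (collision probability about $n^2/2^{b+1}$ for $n$ blocks of $b$ bits), which for $b=64$ gives the answer's $n \approx 2^{(65-k)/2}$, and it generalises the same calculation to other block sizes so the 64-bit and 128-bit limits can be compared side by side.

```python
import math


def max_blocks(block_bits: int, k: int) -> float:
    """Largest number n of blocks that may be encrypted under one key
    while the probability of a ciphertext-block collision (the birthday
    bound) stays below 2^-k.  Derived from p ~ n^2 / 2^(b+1)."""
    return 2.0 ** ((block_bits + 1 - k) / 2)


def max_bytes(block_bits: int, k: int) -> float:
    """Same limit expressed as a data volume in bytes."""
    return max_blocks(block_bits, k) * (block_bits // 8)


def collision_probability(block_bits: int, n: float) -> float:
    """Probability that at least two of n random b-bit blocks collide:
    1 - exp(-n(n-1) / 2^(b+1)).  expm1 keeps precision for tiny values."""
    return -math.expm1(-n * (n - 1) / 2.0 ** (block_bits + 1))


def key_budget_table(ks=(10, 20, 30, 40)) -> list:
    """Rows of (k, 64-bit limit in MiB, 128-bit limit in MiB) for the
    adversary-success bounds 2^-k; these k values are chosen here as
    illustration."""
    rows = []
    for k in ks:
        mib64 = max_bytes(64, k) / 2 ** 20
        mib128 = max_bytes(128, k) / 2 ** 20
        rows.append((k, mib64, mib128))
    return rows


if __name__ == "__main__":
    # The answer's worked case: k = 20 (one in a million) with a 64-bit block.
    n = max_blocks(64, 20)
    print(f"64-bit block, k=20: n = 2^{math.log2(n):.1f} blocks "
          f"= {max_bytes(64, 20) / 2**20:.1f} MiB")
    print(f"  check: P(collision) = {collision_probability(64, n):.3e} "
          f"(target 2^-20 = {2**-20:.3e})")
    print("k   64-bit limit (MiB)   128-bit limit (MiB)")
    for k, mib64, mib128 in key_budget_table():
        print(f"{k:<4}{mib64:>18.1f}{mib128:>22.3e}")
```

Running it reproduces the $2^{22.5}$ blocks and roughly 45 MiB quoted in the answer for $k=20$, and shows why the same bound is a non-issue for a 128-bit block cipher.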

Another way of stating what you're asking is "if I encrypt a random number, how will an attacker know if he's correctly decrypted it?" The answer is "because the attacker may someday learn some of your output."

Consider what would happen if you used the algorithm to encrypt a thousand random numbers, but then you encrypted a message beginning with "Dear Sir". I could break that message and recover the key, then use the recovered key to decrypt all your other messages. I could do the same if I ever learned just one output of your random number generator.

This is a very risky idea. To manage that risk, you need to be able to trust your encryption will secure the plaintext regardless of the attributes of the plaintext. DES is no longer capable of providing that assurance.

There is really no reason to attempt to drag plain old DES into the 21st century. Cryptography isn't like a junkyard, where you save money by picking up a broken algorithm for cheap. If you're designing a new system, it is your duty to select an algorithm that hasn't been broken. If you must use DES for some external reason (and if I were you I would strongly question the validity of such an assertion), at least consider configuring your system to instead use 3DES, with three unique keys.

John Deters