Forum Discussion

HTTP500_195339's avatar
HTTP500_195339
Icon for Nimbostratus rankNimbostratus
Apr 02, 2015

DES-CBC3-SHA listed as 192 bits but SSL Labs reports as 112 bit

In the table here under the BIG-IP 11.5.0 - 11.5.2 section it lists the DES-CBC3-SHA ciphers as 192 bits.

 

However a SSL Labs scan will report the following:

 

TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)112 [bits]

 

I'm not a crypto-nerd but if I read this explanation correctly that particular cipher has an effective security of 112 bits but if the encryption is achieved by using 3 56 bit keys (3 X 56 = 168) why is F5 reporting 192 bits?

 

11.5.1
ciphers
tls_rsa_with_3des_ede_cbc_sha

3 Replies

  • amolari's avatar
    amolari
    Icon for Cirrostratus rankCirrostratus
    Apr 09, 2015

    there was a thread about that here

     

    It seems to be a "bug".. 192 comes from 3x64 (64 is the block size).

     

    If in theory it's 168 bits key length, it has been degraded to 112 due to vulnerabilities.

     

    From NIST 800-57:

     

    "One might expect that 3TDEA would provide 56×3 = 168 bits of strength. However, there is an attack on 3TDEA that reduces the strength to the work that would be involved in exhausting a 112 bit key"

     

  • Baalawi_242346's avatar
    Baalawi_242346
    Historic F5 Account
    Sep 15, 2016

    This link will answer your question:

     

    SOL17296: The BIG-IP system incorrectly reports a 192-bit key length for cipher suites using 3DES (DES-CBC3)

     

    https://support.f5.com/kb/en-us/solutions/public/17000/200/sol17296.html