Function: nsm-protocol-check--3des-cipher

nsm-protocol-check--3des-cipher is a byte-compiled function defined in nsm.el.gz.

Signature

(nsm-protocol-check--3des-cipher HOST PORT STATUS &optional SETTINGS)

Documentation

Check for 3DES ciphers.

Due to its use of 64-bit block size, it is known that a ciphertext collision is highly likely when 2^32 blocks are encrypted with the same key bundle under 3-key 3DES. Practical birthday attacks of this kind have been demonstrated by Sweet32[1]. As such, NIST has disallowed its use after December 31, 2023[2].

[1]: Bhargavan, Leurent (2016). "On the Practical (In-)Security of
64-bit Block Ciphers — Collision Attacks on HTTP over TLS and
OpenVPN", https://sweet32.info/
[2]: National Institute of Standards and Technology (Mar 2019).
"Transitioning the Use of Cryptographic Algorithms and Key
Lengths", https://doi.org/10.6028/NIST.SP.800-131Ar2

Source Code

;; Defined in /usr/src/emacs/lisp/net/nsm.el.gz
(defun nsm-protocol-check--3des-cipher (_host _port status &optional _settings)
  "Check for 3DES ciphers.

Due to its use of 64-bit block size, it is known that a
ciphertext collision is highly likely when 2^32 blocks are
encrypted with the same key bundle under 3-key 3DES.  Practical
birthday attacks of this kind have been demonstrated by Sweet32[1].
As such, NIST has disallowed its use after December 31, 2023[2].

[1]: Bhargavan, Leurent (2016).  \"On the Practical (In-)Security of
64-bit Block Ciphers — Collision Attacks on HTTP over TLS and
OpenVPN\", `https://sweet32.info/'
[2]: National Institute of Standards and Technology (Mar 2019).
\"Transitioning the Use of Cryptographic Algorithms and Key
Lengths\", `https://doi.org/10.6028/NIST.SP.800-131Ar2'"
  (let ((cipher (plist-get status :cipher)))
    (and (string-match "\\b3DES\\b" cipher)
         (format-message
          "3DES cipher (%s) is weak"
          cipher))))