This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
| 1 minute read

NIST to withdraw approval for Triple-DES algorithm

The National Institute of Science and Technology (NIST) is officially sunsetting the use of the old DES Data Encryption Algorithm (DEA). Although the single-key version of it was withdrawn almost 20 years ago, the stronger three-key versions (2TDEA and 3TDEA) have been permitted to give organizations a chance to transition. That transition period is now officially over and the withdrawal of the special publication will be effective on January 1, 2024. 

DES is an outdated encryption algorithm developed by IBM that was the standard (unclassified) encryption algorithm adopted by U.S. government agencies in the mid-late 1970's (FIPS Pub. 46) but has largely been replaced with the "Advanced Encryption Standard" generally known as AES. The move comes after multiple revisions of NIST's guidance in SP8--67, which successively added additional limitations on this old algorithms use. The withdrawal of the standards means that DEA will only be permitted for limited purposes, like decryption and continued functionality with data that already used DEA, but not used to protect any new data after December 31, 2023. 

While few businesses, if any, should still be using DES in any form, businesses should verify that legacy systems (and systems used by their vendors) have transitioned off of it. This is especially important for businesses that may be in the supply chain for products and services used by the United States federal government, as these services will need to be updated prior to the effective date of the withdrawal. 

NIST will withdraw Special Publication (SP) 800-67 Revision 2, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, on January 1, 2024. Initially published in 2004, SP 800-67 specifies the Triple Data Encryption Algorithm (TDEA), including its primary component cryptographic engine, the Data Encryption Algorithm (DEA). DEA was originally specified in Federal Information Processing Standards Publication (FIPS) 46, The Data Encryption Standard, which was withdrawn in 2005. TDEA, which uses three DEA keys for its operation, was designed as an interim replacement for DEA.