In TLS, what's the significance of DES CBC3 sha?

867 Asked by ranjan_6399 in SQL Server , Asked on Jan 19, 2022

When researching some TLS compliant software I found some mentions of DES-CBC3. Further research shows that it is probably simply a name of OpenSSL for 3DES-EDE-CBC (under section "CIPHER SUITE NAMES" which I cannot directly link to). It seems to me that executing 3DES-EDE in CBC mode is significantly different from performing DES-CBC three times so the name doesn't make any sense. Is the string DES-CBC3 only specific to (software using) OpenSSL? Is it somehow tied to a specific version of SSL / TLS? Why is it called DES-CBC3?

Answered by Ranjana Admin

DES CBC3 sha, is a shorthand for a few suites in OpenSSL (that doesn't always have an exact one to one mapping between the name used and the suite used, it constructs it from the name and the type of key used for authentication). Nowadays, this name almost always means a suite documented in RFC 6101 where it is called, a slightly better name : SSL_RSA_WITH_3DES_EDE_CBC_SHA. I have no idea how OpenSSL came with its shorthand (and I suspect it dates from before OpenSSL was OpenSSL), but it's a pretty bad one.

The RFC name gives you the hint that it's using 3DES (Triple-DES) in EDE mode.

3DES-EDE is using 3 56 bit keys, the first used in Encryption, the second in Decryption, the third in Encryption. This construct has the advantage that if all three keys are identical, you have DES, which is nice as it permits you to reuse the same hardware to do DES and 3DES.

To answer each point

Only OpenSSL calls it that, not the name used in the actual standard
Valid from SSLv3 and up
You'd need to read the history of OpenSSL back when it was libeay, this is extremely old code, this was likely a mistake but it stuck.

In TLS, what's the significance of DES CBC3 sha?

Your Answer