The impending death of TDEA/TDES

And why it might create a knotty problem for the PCI SSC

On 31 December 2023, according to current PCI SSC doctrine, 3-key triple DES (TDES, TDEA, 3DES) will no longer be classed as Strong Cryptography. This is because after this date TDEA will be Disallowed by NIST. My guess¹ is that for PCI DSS, the PCI SSC may continue to allow the use of TDEA for the protection of PAN in transit only, but it will be not considered Strong Cryptography for stored (at rest) data.

Until the PCI SSC makes a statement, the least anyone should do today is work out where they use TDEA to protect data so they can plan an upgrade to a stronger algorithm (e.g. AES). If the upgrade to protecting data at rest will take longer than 18 months, I’d suggest starting it now.

---

1. PCI DSS and “Strong Cryptography”

For PCI DSS, the PCI SSC has tried valiantly not to be a cryptographic authority and so not dictate what cryptographic algorithms are OK to protect cardholder data. Instead it has relied on the euphemism Strong Cryptography:²

“Cryptography based on industry-tested and accepted algorithms, along with key lengths that provide a minimum of 112-bits of effective key strength and proper key-management practices. […]

At the time of publication, examples of industry-tested and accepted standards and algorithms include AES (128 bits and higher), TDES/TDEA (triple-length keys), RSA (2048 bits and higher), ECC (224 bits and higher), and DSAD-H (2048/224 bits and higher). See the current version of NIST Special Publication 800-57 Part 1 for more guidance on cryptographic key strengths and algorithms.”

The PCI DSS 3.2 glossary also includes this important note:

“Note: The above examples are appropriate for persistent storage of cardholder data. The minimum cryptography requirements for transaction-based operations, as defined in PCI PIN and PTS, are more flexible as there are additional controls in place to reduce the level of exposure.”

2. NIST disallows TDEA

NIST has stated in SP800-131A³ that after 31 December 2023, the use of TDEA for encrypting data is Disallowed. For the avoidance of doubt, NIST is clear on what this means:

“Disallowed means that the algorithm or key length is no longer allowed for applying cryptographic protection.”

Back in 2017 the PCI SSC blog⁴ considered the then Depreciation⁵ of TDEA and its predicted eventual disallowance by NIST. The blog was very clear:

“Additionally, the concept of “strong cryptography” in PCI DSS and other PCI standards is based on acceptance by authoritative bodies including NIST. Once TDEA is fully disallowed by such authorities, it will no longer be considered “strong cryptography” by PCI SSC.”

3. Industry problems

TDEA is used extensively in the payment industry in places where it is hard to change things such as legacy systems that are incapable of supporting anything else, firmware, and the hardware security modules used by banks and payment processors. So a change of algorithm may not just be a change in software but can entail a complete system change including hardware.

This is particularly the case for the protection of PIN, which I suspect is why the note in the v3.2 definition of Strong Cryptography made special mention of the different level of risk involved in using weaker algorithms between data in transit and data at rest and the specific requirements in the PCI PIN and PTS standards.⁶

4. What I guess will happen

There is no way that the brands will attempt to mandate that the whole industry moves away from TDEA in under 20 months. It would be an unnecessary cost, and frankly not achievable.

We also have to remember that the brands are on a mission to devalue all stolen cardholder data, whether that is PAN or SAD. The move to EMV tokens, EMV transactions and Consumer Device Cardholder Verification Methods⁷ (CDCVM) means the imperative to protect PAN and PIN is less, because increasingly there is little value that criminals can gain from stealing them.

Additionally TDEA is frequently used with algorithms that change the key for every transaction (e.g. DUKPT)⁸ making its use “safe enough” as the benefit to an attacker is marginal based on the cost of the attack.

My prediction is that TDEA for the protection of data in transit will stay, although that could be with the condition that an algorithm such as DUKPT is also used.

However, I predict that TDEA will not be considered Strong Cryptography for the protection of data at rest after it is disallowed by NIST at the end of 2023.

If you use TDEA for this purpose, you should start planning the migration today, at least making sure you know where you use TDEA. And of course this is what the PCI SSC suggested back in 2017.⁹

“While legacy exceptions for hardware implementations of PIN are likely to phase out over a longer period of time, organizations should consider transition planning for all other TDEA implementations.”

As 2023 was a “long time in the future” back in 2017, I suspect this task is at the bottom of some organisation’s todo lists. Now is a great time to start this planning.

5. A knotty problem

The PCI SSC has shied away from being a cryptography authority for PCI DSS, instead using the term Strong Cryptography and pointing to NIST and latterly other standards bodies.

If, as I predict, the PCI SSC diverges from NIST and continues to allow any use of TDEA, it is in danger of becoming a cryptographic authority — defining what algorithms are, and are not, allowed. Many in the industry would welcome this — because leaving decisions about what is, or is not, Strong Cryptography to QSAs who are typically not cryptographically trained has always seemed to be to be an unfortunate consequence of the PCI SSC’s approach. In the past this has led to some QSAs “playing safe” by only allowing the algorithms cited in the examples in the glossary definition of Strong Cryptography, and that approach has its own problems.¹⁰

---

If you found this post useful or informative,  subscribing will encourage me to write more (and if you thought it rubbish, the converse is also true).

1

I don’t have any inside information on this topic, so please don’t interpret this as insight into Mastercard or the PCI SSC’s view. These thoughts are based on what I’ve seen happen before because the brands and the PCI SSC will try to reach a risk-based, pragmatic approach for the industry.

2

PCI DSS and PA DSS Glossary of Terms, Abbreviations, and Acronyms for version 3.2 of PCI DSS →

3

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf

4

https://blog.pcisecuritystandards.org/pci-ssc-cryptography-expert-on-triple-dea

5

“Deprecated means that the algorithm and key length may be used, but the user must accept some security risk.” See note 3.

6

If you read PCI DSS carefully, you will notice there is no requirement to protect SAD in transit, PCI DSS requirement 4 only applies to cardholder data (v3.2.1).

7

See https://www.emvco.com/emv_insights_post/cdcvm-promoting-security-reliability-and-convenience/

8

See ANSI X9.24 part 1 →

9

See note 4.

10

Not least because it is a violation of the QSA code of conduct (going above and beyond the Standard). It removes the flexibility the PCI SSC intends, and it doesn’t help in countries where US-approved cryptographic standards may be viewed with a degree of suspicion, or where local algorithms are preferred or mandated.