Using DESede KeyGenerator
Using KeyGenerator.getInstance('DESede') for encryption keys.
Triple DES (3DES/DESede) is a deprecated encryption algorithm with a 64-bit block size, making it vulnerable to birthday attacks like SWEET32. After encrypting ~32GB of data with the same key, collision attacks become feasible, allowing attackers to recover plaintext. Modern applications must use AES encryption instead of 3DES for adequate cryptographic strength.
import javax.crypto.*;
import javax.crypto.spec.*;
// VULNERABLE: Using deprecated 3DES algorithm
KeyGenerator keyGen = KeyGenerator.getInstance("DESede");
keyGen.init(168); // 3DES key size (112-bit effective)
SecretKey secretKey = keyGen.generateKey();
// 3DES cipher with vulnerable 64-bit block size
Cipher cipher = Cipher.getInstance("DESede/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, secretKey);
byte[] encrypted = cipher.doFinal(plaintext);
// SWEET32 attack becomes feasible after ~32GB encrypted

import javax.crypto.*;
import javax.crypto.spec.*;
import java.security.SecureRandom;
// SECURE: Using AES-GCM for encryption and authentication
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(256); // AES-256 key size
SecretKey secretKey = keyGen.generateKey();
// Generate random 96-bit IV for GCM
byte[] iv = new byte[12];
new SecureRandom().nextBytes(iv);
// AES-GCM provides authenticated encryption
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
GCMParameterSpec gcmSpec = new GCMParameterSpec(128, iv);
cipher.init(Cipher.ENCRYPT_MODE, secretKey, gcmSpec);
byte[] encrypted = cipher.doFinal(plaintext);
// Store IV with encrypted data for decryption

The vulnerable code uses deprecated 3DES with a 64-bit block size, vulnerable to SWEET32 birthday attacks after encrypting large amounts of data. The secure version uses AES-256 with GCM mode, providing strong encryption (128-bit blocks) and built-in authentication.
Sourcery automatically identifies use of the deprecated Triple DES (3DES/DESede) encryption algorithm and many other security issues in your codebase.