3DES
Cryptography
Triple Data Encryption Standard -- a symmetric cipher applying DES three times with different keys (112 or 168 effective bits), widely deployed in legacy payment and SIM card applications but being phased out in favor of AES.
What Is 3DES?
Triple Data Encryption Standard (3DES, also known as TDEA or DES-EDE) is a symmetric cipher that applies the DES algorithm three times in succession with two or three independent keys, providing 112 or 168 bits of effective security. 3DES was the primary symmetric encryption algorithm in smart card systems from the 1990s through the mid-2010s, securing EMV payment transactions, SIM card authentication, and GlobalPlatform secure channels.
While 3DES is being phased out in favor of AES, it remains embedded in billions of deployed cards and legacy terminal infrastructure.
How 3DES Works
3DES processes 64-bit data blocks through three DES passes:
| Keying Option | Keys | Operation | Effective Security |
|---|---|---|---|
| Keying Option 1 | K1, K2, K3 (168-bit) | E(K1) - D(K2) - E(K3) | 168-bit |
| Keying Option 2 | K1, K2, K1 (112-bit) | E(K1) - D(K2) - E(K1) | 112-bit |
| Keying Option 3 | K1, K1, K1 (56-bit) | Equivalent to single DES | Deprecated |
The Encrypt-Decrypt-Encrypt (EDE) sequence ensures backward compatibility with single DES when all three keys are identical (Keying Option 3), though this option provides no additional security and is not used in practice.
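A key-bundle check a card personalization or HSM import step could apply to the keying options above, as an added example that is not part of the original page. It goes beyond the table in one respect: any bundle with K1 = K2 or K2 = K3 also collapses to single DES, because the adjacent encrypt and decrypt passes cancel. Keys are compared with the per-byte DES parity bit masked off; the function names and sample keys are constructed for illustration.

```python
# Added example: classify a 3DES key bundle by keying option.
# Sample keys below are constructed test values, not real key material.

def effective(key: bytes) -> bytes:
    """Mask the low bit of each byte: DES uses it for parity, not as key material."""
    return bytes(b & 0xFE for b in key)

def odd_parity_ok(key: bytes) -> bool:
    """True if every byte has an odd number of set bits (the DES parity convention)."""
    return all(bin(b).count("1") % 2 == 1 for b in key)

def split_bundle(bundle: bytes):
    """Return (K1, K2, K3); a 16-byte bundle is the two-key form with K3 = K1."""
    if len(bundle) == 16:
        return bundle[:8], bundle[8:], bundle[:8]
    if len(bundle) == 24:
        return bundle[:8], bundle[8:16], bundle[16:]
    raise ValueError("3DES key bundle must be 16 or 24 bytes")

def classify_bundle(bundle: bytes) -> str:
    """Name the keying option, comparing keys on their 56 effective bits."""
    k1, k2, k3 = (effective(k) for k in split_bundle(bundle))
    if k1 == k2 == k3:
        return "option 3: single DES"
    if k1 == k2 or k2 == k3:
        # An adjacent E/D pair under the same key cancels, leaving one DES pass.
        return "degenerate: single DES"
    if k1 == k3:
        return "option 2: two-key"
    return "option 1: three-key"

K1 = bytes.fromhex("0123456789ABCDEF")
K2 = bytes.fromhex("FEDCBA9876543210")
K3 = bytes.fromhex("89ABCDEF01234567")
K1_FLIPPED = bytes(b ^ 1 for b in K1)  # same 56 key bits, wrong parity

if __name__ == "__main__":
    for name, bundle in [("K1|K2|K3", K1 + K2 + K3), ("K1|K2", K1 + K2),
                         ("K1|K2|K1'", K1 + K2 + K1_FLIPPED),
                         ("K1|K1'|K3", K1 + K1_FLIPPED + K3),
                         ("K1|K1|K1", K1 * 3)]:
        print(f"{name:10} -> {classify_bundle(bundle)}")
```

A raw byte comparison would accept K1|K1'|K3 as three distinct keys; masking the parity bits shows it is single DES under K3.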
3DES in Smart Card Protocols
| Protocol | 3DES Role |
|---|---|
| EMV | Session key derivation, issuer script encryption, MAC computation |
| SIM / USIM | Ki-based network authentication (COMP128, Milenage) |
| GlobalPlatform SCP02 | Secure channel encryption and MAC (legacy, replaced by SCP03) |
| MIFARE DESFire EV1 | File-level encryption and mutual authentication |
| BAC | ePassport session key derivation from MRZ data |
Why 3DES Is Being Retired
Several factors drive the migration from 3DES to AES:
- Performance -- 3DES requires three DES passes per block, making it roughly 3x slower than AES-128 in both hardware and software.
- Block size -- 3DES operates on 64-bit blocks, making it vulnerable to birthday attacks (Sweet32) after 2^32 blocks (~32 GB) of data under the same key.
- NIST deprecation -- NIST SP 800-131A deprecated 3DES two-key (112-bit) after 2023 and plans to disallow all 3DES by 2025.
- Crypto coprocessor -- modern smart card chips allocate more silicon to AES accelerators than to legacy DES engines.
Migration Timeline
The transition is well underway but not complete:
- SCP03 replaced SCP02 as the default GlobalPlatform secure channel, using AES.
- MIFARE DESFire EV3 supports AES-only mode.
- EMV contactless kernels increasingly default to AES session keys.
- ePassport PACE uses AES, replacing BAC's 3DES-based key derivation.
Legacy EMV contact cards and deployed SIM populations will continue using 3DES until natural card replacement cycles complete, likely through 2030.