An important security property all symmetric ciphers should offer is immunity to chosen-plaintext attack, if the attacker controls "message", it shouldn't make the cipher more easy to crack.
But in this case, the attacker can obtain all the 2^56 possible encryption of message by enumerating key1, put it in a lookup table (assume the table-lookup time is O(1)) , then we can try all possible decryption of ciphertext by enumerating key2. Then compare it with the lookup-table for a match, bingo!
If key is 56-bit, the attacker gets 2^56 outputs for the left side, 2^56 outputs for the right side, total number of operations is 2 x 2^56 == 2^57, not 2^112.
To increase the security claim to 2^112, we need triple encryption, not double encryption, thus 2DES is never used.
The idea that simple double-encryption doesn't work because of such a simple attack shocked a lot of newcomers.
* Meet-in-the-Middle attack.
https://en.wikipedia.org/wiki/Meet-in-the-middle_attack
This attack is surprisingly simple, if you encrypt the message twice by
Then, An important security property all symmetric ciphers should offer is immunity to chosen-plaintext attack, if the attacker controls "message", it shouldn't make the cipher more easy to crack.But in this case, the attacker can obtain all the 2^56 possible encryption of message by enumerating key1, put it in a lookup table (assume the table-lookup time is O(1)) , then we can try all possible decryption of ciphertext by enumerating key2. Then compare it with the lookup-table for a match, bingo!
If key is 56-bit, the attacker gets 2^56 outputs for the left side, 2^56 outputs for the right side, total number of operations is 2 x 2^56 == 2^57, not 2^112.
To increase the security claim to 2^112, we need triple encryption, not double encryption, thus 2DES is never used.
The idea that simple double-encryption doesn't work because of such a simple attack shocked a lot of newcomers.