However, Triple DES has a really ... the security of the system thanks to "block collision". This attack led to the removal of Triple DES from the DEFAULT cipher list in the 1.1.0 release of OpenSSL. The attack can also be mitigated by rekeying after a given amount of encrypted data. As a consequence of that, Triple DES was still in the TLS1.2 standard, but has not made it into the TLS1.3 one. So in the end, Triple DES is still considered secure if ... More on crypto.stackexchange.com

Short version: Uhh, not ‘99; way before. I was present at DES’ official death in 1993, but earlier, in the late ‘80s, I’d heard of an even-earlier succesful crack against DES. I’ve long had an affection for DES. I started learning crypto back when DES was the state of the art, so I’ve worked a bit with it. I studied DES’ S-boxes quite closely, and I once had to fix a bug in the DES library call for the DEC version of 4.3 BSD UNIX. BTW, when you look closely at DES’ design, a surprising bit of elegance appears. It turns out that the cipher’s mysterious & clunky pre- & post-processing steps cancel each other out, so that when we compose DES with itself, as in 3-DES, the composed clunky steps in the middle just disappear, leaving an uninterrupted 48-round Feistel network, with a very tidy key-schedule. Presumably, this served to allow DES’ formal cryptanalysis to extend naturally to 3DES. I have two stories about breaking DES: I was present on the night DES died, at the Crypto ’93 conference in Santa Barbara. On Wednesday night of that week, I went to the Rump Session, where Weiner presented his hardware design for a cheap-enough, fast-enough exhaustive search engine, for finding DES keys. The rump session was for authors whose papers had almost been accepted for the conference. They each had just 10 minutes in which to present. The annual Crypto ‘XX conference is really a math conference, so we expected everyone in the room, presenters and audience, to be a mathematician, but Weiner didn’t get that memo. Maybe twenty or thirty of us were crammed into a tiny, dimly-lit lecture room, sitting on random chairs, both hard and soft, plus a small sofa. There was a beer keg, and we drank our beer from small, flimsy, clear-plastic water cups. When Weiner stood up and put his first slide on the overhead projector, he said at the outset that he was a hardware engineer. So, expecting uninformed foolshness, I and some others turned to look back to the door, thinking to leave and freshen up our beers. But, the back of the room was crowded, standing room only, and I didn’t want to lose my seat, so I decided to grit my teeth for the 10 minutes and stay. The other doubters stayed, too. Weiner was a young guy like me, maybe in his early thirties. IIRC, he had short, dark, curly hair, and was clean-shaven. He spoke very quickly about a custom, high-speed DES chip, how much it would cost in bulk, how many of them he could fit on an 18″ circuit board, and how many such boards would fit in a standard 6-foot rack. Ho-hum, where’s my beer? He showed us circuit diagrams, chip layouts on the boards, and how tightly the boards could fit in the rack. He talked about the power supply, and about how many fans would be needed to dump the chips’ heat. His slides had very little math or crypto notation. But then, finally, he put up a slide with some math, showing his statistical calculation of the box’ reliability. He took into account the mean time between failure (MTBF) for the custom LSI chips, the support components, the power supply. The math was easy to follow, and with that he suddenly had us, with his thoroughness; our skepticism and apathy fell away. The cost of the box was to be $1M, and the key-extraction time was to be just a few hours. In that hot, crowded liitle room, full of sweaty cryptographers and beer cups, the atmosphere suddenly became electric. With the MTBF calculation, we all knew Weiner was right, DES was dead, and that we had witnessed its death. Over 20 years, DES had withstood fifty man-years of professional cryptanalytic effort, more than any other cipher. But we were there to see DES fall. I left the rump session that night exhilarated, dazed, and sad. I understood DES’ internals pretty well, and I had come to like it, despite its odd quirks. I still like it now, but 3DES is just too slow for modern use, and it’s fatally vulnerable to memory-timing attacks. But DES was the first cipher I learned well. Second DES story, as promised: A few years earlier, in the late ‘80s when I was working at MIT on my upgrades to the Kerberos protocol, my officemate Bob was an IBM engineer, on loan to us because IBM was one of the two corporate sponsors for our campus-networking project. Bob was about 10 years older than me. Bob and I looked completely different: he was 6′4″ (190 cm), lanky, and impossibly handsome, with a big, square jaw, ruddy face, and an unruly thatch of thick, coarse brown hair. He always wore a jacket and tie, chinos, and well-polished loafers. I’ve never once seen Bob in blue jeans, never mind a T-shirt. He always looked as if he had just stepped out of a Ralph Lauren clothing ad. By contrast, I was a hippie biker: tall and thin like Bob, but with a waist-length ponytail, a chest-length beard, and a jeweled gold tooth in the front of my mouth, from a misconceived street fight in the ghetto, ten years before. I only ever wore jeans and a T-shirt to work, with motorcycle boots on my feet and my scraped and battered bike jacket on my back. But Bob and I got along well, because in college he had been a hippie like me, he rode a bike, and like me, he still swore like a sailor. Finally, he loved Hunter S. Thompson just as much as I did. When I named one of my research machines “drgonzo.athena.mit.edu”, Bob understood why and heartily approved. So one day, Bob and I were drinking coffee and chatting at our desks in Building E-40. This being 1988 or 1989, DES was still sound, trusted, and in good standing as the symmetric-key cipher du jour. In fact, at that time DES was pretty much the only widely-used cipher for civilian work. We all were working on the Arpanet, which still was closed to everyone except researchers, and the Web hadn’t yet brought RSA into prominence. I was describing something of my kerberos work to Bob, and somehow, DES came up. He said to me, “Lemme tell you a story about DES. I’m not sure i’m allowed to tell you this...” Bob leaned back in his desk chair, and through the window behind him, I could see down to the street level outside, where some students were walking in the summer sunshine along Wadsworth St. into Kendall Square. He continued, with his big hands clasped behind his head. “A few years ago, after DES was developed at one of our research labs, some IBM researchers were experimenting one day with a newer cipher, bouncing encrypted packets off of an IBM network satellite, up in a geostationary orbit. “After a couple days of this, they got a telephone call from the NSA. The NSA guy said, ‘We picked up some traffic from your satellite. You’re not using DES. Stop it.’ ” Bob grinned widely, leaned back a bit farther in his chair, and waggled his shaggy eyebrows at me. “So maybe this kerberos stuff isn’t so airtight after all.” Bob was fun to drink with, too. 1199 words. My longer posts are here [ https://dondavislong.quora.com/ ]. More on quora.com

I'm voting to close this question as off-topic because it is not about programming. It might be more appropriate on Information Security. ... Triple-DES is still in use today but is widely considered a legacy encryption algorithm. More on stackoverflow.com

I know DES is outdated, but will is is secure in CBC mode? Can anyone help me understand why not? More on crypto.stackexchange.com