As I understand the analyses I have read, single-pass DES inherently only
provides a 56-bit-key's worth of security, since even with a larger
key size, differential cryptanalysis brings it down to 2^56 trial keys.
This is a rat hole, but a sufficiently common misconception that I couldn't let
it escape unchallenged.
Shamir's attack on a modified DES with 768 bit "unexpanded" keys using
differential cryptanalysis can in fact "break" the modified DES with
computational power of something under 2^60 blocks, suggesting that using
longer
keys in that obvious way is not a good long term solution to getting a better
algorithm. The attack requires massive amounts of chosen plaintext, however,
so
it's not fair to say that such a scheme would only have only 56-bits worth of
security.
But I agree that the PEM community should not be trying to invent new and
better
crypto algorithms; we should go with the "tried and true". In this case, EDE
is
the best we're likely to find.
--Charlie
(kaufman(_at_)zk3(_dot_)dec(_dot_)com)