I am sympathetic with your observation that a three-pass CBC > using
the basic DES code book is easier and faster than performing CBC > using
an EDE codebook, given current DES chips, ...
I would not be so quick to cede the speed field to three-pass CBC as to
EDE2 with chaining. Most of the time used in high speed cryptographic
processes using moderate to high speed DES chips is consumed by I/O.
That is, getting data in and out of the DES chips is the most
significate time consumer in a hardware environment. Given that, the
three-pass CBC would be substantially slower than EDE2 (or EDE3 with the
CEI chip) even if the chaining needed to be performed externally. Dont
forget that chaining is just an X-or operation that most CPU's can do
with great facility.
In the "Known plaintext" attack that cryptographers love to use, (since
it is the simplest case to analyse) chaining has no cryptographic value
whatsoever. It certainly does not improve the cryptographic strength
relative to the difference available with EDE. Also, since PEM requires
an integrity check, I can think of no particular value to CBC over ECB
in the PEM case at all, at least in the case of plaintext IV's.
Tom Jones - ViaCrypt div. of Lemcom Sys