NIST to Withdraw Special Publication 800-67 Revision 2


View As Web Page


NIST Cybersecurity and Privacy Program

NIST to Withdraw Special Publication 800-67 Revision 2

NIST will withdraw Special Publication (SP) 800-67 Revision 2, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, on January 1, 2024.


Initially published in 2004, SP 800-67 specifies the Triple Data Encryption Algorithm (TDEA), including its primary component cryptographic engine, the Data Encryption Algorithm (DEA). DEA was originally specified in Federal Information Processing Standards Publication (FIPS) 46, The Data Encryption Standard, which was withdrawn in 2005. TDEA, which uses three DEA keys for its operation, was designed as an interim replacement for DEA.

SP 800-67 was later revised in 2012 and 2017 to require the following limits on the number of data blocks produced:

  • 220 blocks, when two of the three keys are the same (2TDEA) in 2012,
  • 232 blocks, when all three keys are unique (3TDEA) in 2012, and
  • 220 blocks, for 3TDEA in 2017.

The 2017 revision also disallowed the use of 2TDEA.

In 2019, SP 800-131A Rev. 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths, additional limitations were announced on the use of TDEA for applying cryptographic protection (i.e., encryption, key wrapping, and the generation of Message Authentication Codes (MACs)). In particular, this category of use of TDEA will be

  • deprecated for all applications through 2023, and
  • disallowed after December 31, 2023.

TDEA will continue to be allowed for the decryption, key unwrapping, and verification of MACs of already-protected data.

To reinforce the transition away from TDEA, SP 800-67 Rev. 2 will be withdrawn soon after December 31, 2023. However, SP 800-67 Rev. 2 will remain available online for historical purposes.

TDEA Validation

Testing of TDEA through the Cryptographic Algorithm Validation Program (CAVP) will remain available. Per SP 800-131A Rev. 2, any FIPS 140-3 validated modules that include TDEA for applying protection will be moved to the historical list after December 31, 2023. See the Algorithm Historical List Dates expandable table on the Cryptographic Module Validation Program (CMVP) programmatic transitions page for more information about the TDEA transition.

Read More

NIST Cybersecurity and Privacy Program
Questions/Comments about this notice:
CSRC Website questions: