 > there is an attack that effectively limits it to twice the effective bits of DES* Meet-in-the-Middle attack.https://en.wikipedia.org/wiki/Meet-in-the-middle_attackThis attack is surprisingly simple, if you encrypt the message twice by ciphertext = encrypt(encrypt(message, key1), key2) Then, decrypt(ciphertext, key2) == encrypt(message, key1) An important security property all symmetric ciphers should offer is immunity to chosen-plaintext attack, if the attacker controls "message", it shouldn't make the cipher more easy to crack.But in this case, the attacker can obtain all the 2^56 possible encryption of message by enumerating key1, put it in a lookup table (assume the table-lookup time is O(1)) , then we can try all possible decryption of ciphertext by enumerating key2. Then compare it with the lookup-table for a match, bingo!If key is 56-bit, the attacker gets 2^56 outputs for the left side, 2^56 outputs for the right side, total number of operations is 2 x 2^56 == 2^57, not 2^112.To increase the security claim to 2^112, we need triple encryption, not double encryption, thus 2DES is never used.The idea that simple double-encryption doesn't work because of such a simple attack shocked a lot of newcomers. Search: