
> IDEA and 3DES for example are perfectly secure for that usage.

I wouldn’t use the phrase “perfectly secure”. They are both 64-bit block ciphers so vulnerable to generic collision attacks like https://sweet32.info/. This is why NIST deprecated 3DES and reduced the allowed limit of data encrypted with a single key to 2^20 blocks = 8MB. Many emails with attachments exceed that size.

Now, you may say that such attacks are largely theoretical and the actual amount of (known plaintext) that needs to be captured is much larger in practice, but this is quite a step from “perfectly secure”, especially when you are considering the NSA as your adversary.

Edit: spelling/typos



>...reduced the allowed limit of data encrypted with a single key to 2^20 blocks = 8MB.

Is that from here?

* https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-De...

I can't find any indication that this has transitioned from the proposal stage to an actual recommendation. But at any rate, this proposal is based on sweet32[1] which was an oracle attack which required 785 GB of traffic to demonstrate. Off the top of my head, recommendations for things like email (and file encryption), which are not vulnerable to that sort of oracle attack, suggest a maximum for 64 bit block length ciphers of something like 4 GB. Email tends to be a maximum of 50 MB. That would be after base64 encoding.

[1] https://sweet32.info/


Yes, it became part of the standard in rev 2. 3DES will be completely forbidden for federal use after the end of the year. Sweet32 was a demo, attacks get better. And there are other generic attacks against overuse of 64-bit block ciphers. Outside of a few use cases in constrained environments there’s no good reason to use a 64-bit block cipher anymore (and there are better choices than DES/IDEA for those cases).

https://csrc.nist.gov/news/2023/nist-to-withdraw-sp-800-67-r...


OK, but how does any of this refute my contention that 3DES is secure for PGP over email?


Just to be clear, you are asking how all this evidence refutes your totally unsupported assertion that 3DES is “perfectly secure” against the NSA? When even the NSA, who co-designed DES in the first place, forbid its continued use?
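
An added illustration, not part of the thread: what a block collision in CBC mode reveals, and the birthday estimate behind per-key data limits. It uses a constructed 16-bit toy Feistel cipher so that collisions show up within a few thousand blocks; every name, the key, the IV and the plaintext are assumptions made up for this example.

```python
import hashlib
import math

MASK = 0xFF  # toy cipher works on 16-bit blocks split into two 8-bit halves

def encrypt_block(block, key):
    """Toy 4-round Feistel permutation on 16-bit blocks (constructed, not a real cipher)."""
    left, right = block >> 8, block & MASK
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd, right])).digest()[0]
        left, right = right, left ^ f
    return (left << 8) | right

def cbc_encrypt(blocks, key, iv):
    """CBC mode: each plaintext block is XORed with the previous ciphertext block."""
    out, prev = [], iv
    for p in blocks:
        prev = encrypt_block(p ^ prev, key)
        out.append(prev)
    return out

def collision_leaks(iv, ct):
    """For each repeated ciphertext block, return (i, j, p_i XOR p_j) using ciphertext only."""
    chain = [iv] + ct  # chain[k] is the value XORed into plaintext block k
    first_seen, leaks = {}, []
    for j, c in enumerate(ct):
        if c in first_seen:
            i = first_seen[c]
            # c_i == c_j  =>  p_i ^ chain[i] == p_j ^ chain[j]
            leaks.append((i, j, chain[i] ^ chain[j]))
        else:
            first_seen[c] = j
    return leaks

def collision_probability(n_blocks, block_bits):
    """Birthday approximation: chance of at least one repeat among n random blocks."""
    return -math.expm1(-n_blocks * (n_blocks - 1) / 2 ** (block_bits + 1))

def demo(n_blocks=4096):
    """Encrypt constructed pseudo-random plaintext and check every leak against it."""
    key, iv = b"constructed-demo-key", 0x1234
    stream = hashlib.shake_256(b"constructed plaintext").digest(2 * n_blocks)
    pt = [int.from_bytes(stream[k:k + 2], "big") for k in range(0, len(stream), 2)]
    leaks = collision_leaks(iv, cbc_encrypt(pt, key, iv))
    return len(leaks), all(pt[i] ^ pt[j] == x for i, j, x in leaks)

if __name__ == "__main__":
    print(demo(), collision_probability(2 ** 20, 64))
```

The same estimate applied to a 64-bit block at 2^20 blocks gives a collision probability of roughly 3e-8, which is the margin the per-key limit quoted in the thread is buying.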



