In cryptography, Triple DES (3DES or TDES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block. The 56-bit key of the Data Encryption Standard (DES) is no longer considered adequate in the face of modern cryptanalytic techniques and supercomputing power; Triple DES increases the effective security to 112 bits. A CVE released in 2016, CVE-2016-2183, disclosed a major security vulnerability in the DES and 3DES encryption algorithms. This CVE, combined with the inadequate key size of 3DES, led to NIST deprecating 3DES in 2019 and disallowing all uses (except processing already encrypted data) by the end of 2023. It has been replaced with the more secure, more robust AES.

While US government and industry standards abbreviate the algorithm's name as TDES (Triple DES) and TDEA (Triple Data Encryption Algorithm), RFC 1851 referred to it as 3DES from the time it first promulgated the idea, and this namesake has since come into wide use by most vendors, users, and cryptographers.

In 1978, a triple encryption method using DES with two 56-bit keys was proposed by Walter Tuchman; in 1981, Merkle and Hellman proposed a more secure triple-key version of 3DES with 112 bits of security.

The Triple Data Encryption Algorithm is variously defined in several standards documents:

The original DES cipher's key size of 56 bits was considered generally sufficient when it was designed, but the availability of increasing computational power made brute-force attacks feasible. Triple DES provides a relatively simple method of increasing the key size of DES to protect against such attacks, without the need to design a completely new block cipher algorithm.

A naive approach to increase the strength of a block encryption algorithm with a short key length (like DES) would be to use two keys ${\displaystyle (K1,K2)}$ instead of one, and encrypt each block twice: ${\displaystyle E_{K2}(E_{K1}({\textrm {plaintext}}))}$. If the original key length is ${\displaystyle n}$ bits, one would hope this scheme provides security equivalent to using a key ${\displaystyle 2n}$ bits long. Unfortunately, this approach is vulnerable to the meet-in-the-middle attack: given a known plaintext pair ${\displaystyle (x,y)}$, such that ${\displaystyle y=E_{K2}(E_{K1}(x))}$, one can recover the key pair ${\displaystyle (K1,K2)}$ in ${\displaystyle 2^{n+1}}$ steps, instead of the ${\displaystyle 2^{2n}}$ steps one would expect from an ideally secure algorithm with ${\displaystyle 2n}$ bits of key.

Therefore, Triple DES uses a "key bundle" that comprises three DES keys, ${\displaystyle K1}$, ${\displaystyle K2}$ and ${\displaystyle K3}$, each of 56 bits (excluding parity bits). The encryption algorithm is:

That is, encrypt with ${\displaystyle K1}$, decrypt with ${\displaystyle K2}$, then encrypt with ${\displaystyle K3}$.