6

Given two 56-bit keys, $k_1$ and $k_2$, why does $E_{k_1}(E_{k_2}(M))$ only give 57 bits of security?

So basically I'm unsure why it only gives 57 bits of security; I understand that one key will provide 56 bits. The only thing I can think of is that when adding another 56 bits it will cycle through all the bits and realize they are the same, so it just adds 1 extra bit for the second key block instead of another 56 bits?

If I'm wrong, could someone please explain it simply and step-by-step?

fgrieu
user3411002

1 Answer

14

Decrypt the ciphertext with every possible key and store the result: $2^{56}$ decryptions. Now encrypt the (known) plaintext of the ciphertext with every possible key: $2^{56}$ encryptions. Now you have to check every entry that is in both lists and try it with another plaintext-ciphertext pair. If you can successfully decrypt that, you are very likely to have found the correct key. All in all, $2^{56} + 2^{56} = 2^{57}$ DES operations (encryptions and decryptions), much less than $2^{112}$. You need some work to search inside the list and check every possible key, but for DES this is not really much work.

All this is called a meet-in-the-middle attack.

Nova
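The steps in the answer above, as an added example that is not part of the original post. It assumes a toy 32-bit Feistel cipher with 16-bit keys standing in for DES (the cipher, key values and plaintexts are all constructed), so the two sweeps cost $2^{16} + 2^{16} = 2^{17}$ cipher operations instead of the $2^{32}$ a naive search over both keys would need.

```python
# Added illustration: meet-in-the-middle on double encryption with a TOY cipher.
# The 16-bit key and 32-bit Feistel cipher are assumptions so the search runs
# quickly; with DES the same steps cost 2^56 + 2^56 = 2^57 operations.
from collections import defaultdict

KEY_BITS = 16
MASK = 0xFFFF

def _f(half, key, rnd):
    # Toy round function (not DES); a Feistel network is invertible for any F.
    x = (half * 0x9E37 + key + rnd * 0x1234) & MASK
    return (x ^ (x >> 5) ^ ((x << 3) & MASK)) & MASK

def enc(key, block):
    l, r = block >> 16, block & MASK
    for rnd in range(4):
        l, r = r, l ^ _f(r, key, rnd)
    return (l << 16) | r

def dec(key, block):
    l, r = block >> 16, block & MASK
    for rnd in reversed(range(4)):
        l, r = r ^ _f(l, key, rnd), l
    return (l << 16) | r

def double_enc(k1, k2, m):
    return enc(k1, enc(k2, m))  # E_k1(E_k2(M)), as in the question

def meet_in_the_middle(pair1, pair2):
    (m1, c1), (m2, c2) = pair1, pair2
    ops = 0                              # counts only the two key sweeps
    middle = defaultdict(list)           # E_k2(m1) -> every k2 producing it
    for k2 in range(1 << KEY_BITS):      # sweep 1: encrypt known plaintext
        middle[enc(k2, m1)].append(k2)
        ops += 1
    hits = []
    for k1 in range(1 << KEY_BITS):      # sweep 2: decrypt the ciphertext
        ops += 1
        for k2 in middle.get(dec(k1, c1), ()):
            # Value is in both lists: confirm on the second known pair.
            if double_enc(k1, k2, m2) == c2:
                hits.append((k1, k2))
    return hits, ops

if __name__ == "__main__":
    k1, k2 = 0xBEEF, 0x1337              # constructed secret keys
    pairs = [(m, double_enc(k1, k2, m)) for m in (0x01234567, 0x89ABCDEF)]
    hits, ops = meet_in_the_middle(*pairs)
    print(hits, ops, "vs naive", 2 ** (2 * KEY_BITS))
```

The table of intermediate values is the memory cost of the attack: one stored entry per key in the first sweep.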