Re: Multiple encryption: again, and again, and again...

From: Matthew Skala (mskala_at_ansuz.sooke.bc.ca)
Date: 08/10/03


Date: 10 Aug 2003 09:40:45 -0400

In article <8bc3246e.0308090750.6b50221a@posting.google.com>,
Kev <kev@novercia.f9.co.uk> wrote:
>Now let's imagine that the plaintext is encrypted once with AES, and
>then the resultant ciphertext (pure ciphertext that is - no
>headers/footers) is re-encrypted with Blowfish. This time, the brute

>other. The only way to brute force this time is to take the very first
>Blowfish key, then try every single AES key, then the second Blowfish

A meet-in-the-middle attack is faster than pure brute force: take a
plaintext/ciphertext pair, encrypt plaintext with all possible AES keys,
store them, decrypt plaintext with all possible Blowfish keys, check the
results of that against the stored AES encryptions. The time cost is
(time for brute-forcing AES) plus (time for brute-forcing Blowfish) plus a
little bit of time (probably less than either of those) for doing the
correlation. You also need storage for every possible block - which is an
insanely unrealistic assumption, but no sillier than the assumption you're
already making of the attacker having time to brute-force AES or Blowfish
at all.

For the same reason we use triple DES instead of double DES, it's
necessary to use three stages of this kind of construction to get the
level of security that we'd naively expect to get from two stages.

>concern), if only as a safeguard against future advances in computing
>speed? Or do you think that a single strong 256-bit key is perfectly
>adequate, and safe against potential advances in computing speed, at
>least during our lifetimes?

One reason to avoid multiple layers of encryption is that it's an
inefficient use of key material. The same number of key bits with a
monolithic cipher would provide a better expected level of security, at
least if you're concerned about brute force instead of flaws in a
particular cipher. (Your example was of an attacker powerful enough to
brute-force AES or Blowfish, not an attacker with a magic AES-cancelling
wand or back door who would still have to attack Blowfish in the usual
way.) Since longer keys are harder to distribute securely and attackers
will be attacking key distribution in preference to ciphers anyway,
something that extends keys significantly in order to protect against an
attack you were already protected against adequately anyway, isn't a win.

-- 
Matthew Skala
mskala@ansuz.sooke.bc.ca                    Embrace and defend.
http://ansuz.sooke.bc.ca/
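
The meet-in-the-middle attack discussed in the post above, as an added example that is not part of the original post. Two toy 32-bit block ciphers with 12-bit keys stand in for AES and Blowfish (the cipher, its constants and all names are constructed for illustration); the search costs about 2^12 + 2^12 cipher operations plus a lookup table, instead of the 2^24 a naive two-key brute force would need.

```python
MASK = 0xFFFFFFFF
GOLD = 0x9E3779B1                      # key-mixing constant (arbitrary choice)
C_A, C_B = 0x2545F491, 0x01000193      # odd multipliers: stage A vs stage B

def rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK

def enc(k, x, c):
    """Toy 32-bit block cipher, 3 rounds. NOT secure; a stand-in only."""
    for _ in range(3):
        x = rotl(((x ^ k) * c) & MASK, 7)
        x = (x + k * GOLD) & MASK
    return x

def dec(k, y, c):
    """Inverse of enc(): undo each round's steps in reverse order."""
    inv = pow(c, -1, 1 << 32)          # modular inverse of the odd multiplier
    for _ in range(3):
        y = rotl((y - k * GOLD) & MASK, 25)   # rotl by 25 == rotr by 7
        y = ((y * inv) & MASK) ^ k
    return y

def double_enc(ka, kb, p):
    """Stage A first, then stage B over the raw stage-A output."""
    return enc(kb, enc(ka, p, C_A), C_B)

def meet_in_the_middle(pairs, key_bits):
    """Recover (ka, kb) candidates from known (plaintext, ciphertext) pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}
    for ka in range(1 << key_bits):    # forward half: 2**key_bits encryptions
        table.setdefault(enc(ka, p0, C_A), []).append(ka)
    found = []
    for kb in range(1 << key_bits):    # backward half: 2**key_bits decryptions
        for ka in table.get(dec(kb, c0, C_B), ()):
            # a middle-value match can be chance; confirm on the other pairs
            if all(double_enc(ka, kb, p) == c for p, c in rest):
                found.append((ka, kb))
    return found

if __name__ == "__main__":
    KA, KB = 0xABC, 0x123              # constructed secret keys
    pairs = [(p, double_enc(KA, KB, p)) for p in (0x1, 0xDEADBEEF, 0x12345678)]
    print(meet_in_the_middle(pairs, 12))
```

The table holds one entry per first-stage key, which is the storage cost the post calls unrealistic at real key sizes; adding a third stage is what removes the single middle value this search matches on.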

