Re: Are key files better than passwords?



Maaartin wrote:
Would a combination of AES-TWOFISH (included in Truecrypt) be considered a cascade cipher?

Sure, http://www.truecrypt.org/docs/?s=cascades

I have googled this term and I mostly got definitions that I did not
understand (i.e. keys of the component ciphers are independent)

That's simple:
1. In case of Truecrypt: The keys are independent only in the sense
that they're all derived by a secure method from your key.
But that should be fine.
2. Only in case of independent keys there's a proof that cascade is at
least as good as the best cipher included.

Would a combination of three ciphers (maximum allowed by Truecrypt) be
better than two?

Sure, but according to
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security
+ The design and strength of all key lengths of the AES algorithm
(i.e., 128, 192 and 256) are sufficient to protect classified
information up to the SECRET level. TOP SECRET information will
require use of either the 192 or 256 key lengths.
So, are you sure you need more than top secret?
Do you think there's no point weaker than the cipher?
OTOH, on my new computer there's no need to use anything weaker than
three ciphers in chain, the CPU is mostly idle, anyway.

I'm just curious as to what might be so important as to have it
withstand 50 years (which I think = nothing).

Maybe I haven't read it carefully enough, but I see no statement about
the necessity of *preservation* of the data in 50 years.
The OP only requires it to stay *secret* that long. Or did I
misunderstand him or you?

A simple example: Imagine I get some personal data of my customers.
I'm forced by law to keep it secret and there's no mitigation allowing
me to publish it after 10 years. Well, using encryption good enough
for top secret must be good enough, but there's an old German saying
"we are all in the hands of God, whether at sea or in court".

You can't have a secret without preserving it also. Otherwise it gets lost.

He stated that he needs it to be very secure (he used 50 years as a gauge of something being very secure) because he is paranoid about people decrypting the data. So it can't be because he is forced to by law.

He also mentioned "they" which leads one to believe that someone has an interest in what he has encrypted. I don't believe a normal everyday person has anything that "they" would really want to spend years of effort to crack. Unless it is something that you are not supposed to be in possession of in the first place...