Double encryption (Blowfish->Rijndael) Stronger? Or dumb?

a_Lex
Just Arrived
Joined: 12 Jun 2006
Posts: 2

Posted: Thu Dec 21, 2006 10:41 pm

Hello Justin!
Quote:
Out of curiosity, could you elaborate on your reasoning for preferring Serpent? Does it involve the massive number of rounds it uses, or its "security margin?" It's not impossible for this to be the case (i.e., Serpent being better), but I'm curious about your thoughts, and will share mine, in response.


Well, the number of rounds is a factor, as it is known that more rounds means more security ("given enough rounds, pretty much anything is secure"(c) B.Schneier), and Serpent has a lot of them.
The "security margin" is quite promising too, it certainly makes sense to conclude that Serpent is very robust.

Serpent, as far as I know, has a relatively easy to understand and straightforward structure, that is free from obfuscating and unobvious design routes (a trait which MARS is often accused of), which is believed to make it easier to analyze.

Serpent's design, as far as I know, uses only those primitives that are thought to be best studied and understood by cryptanalysts, which also is likely to facilitate cypher cryptanalysis, and also reduces the possibility that there is some unknown and unpredictable mathematical peculiarity quirk/feature/weakness in one of Serpent's primitives.

And, though argument "from authority" is not a very good one (but most well understood by unprofessionals like me), a lot of cryptography experts consider Serpent to be one of the most (if not the most) secure, most robust and future-proof of the AES candidates (IBM considers it the second most robust after its own MARS :) ).

Quote:

Also, you can read one of the seminal papers on cascades, by Maurer and Massey, here


I read it long ago. Very hard to fathom with my inferior mathematics skills, so I simply took the notion that a cascade of non-commutative ciphers is at least as good as the first one as a sort of axiom or "cascade mantra".

However, I still do not understand how one would find out if a given cascade X is as strong as the first cipher or actually stronger...

Quote:
For good, further reading, you might also be interested in Lars Knudsen's Ph.D. thesis, on block cipher analysis and design: [PS.GZ] [PDF] (He co-designed Serpent, by the way.)


The "meet in the middle" attack on cascades seems totally mind boggling to me... Could you please be so kind to explain why and when such things begin to happen (in terms a psychiatrist is likely to understand)? And are "encrypt-encrypt" cascades of architecturally different ciphers with really independent keys (like "AES-Twofish" in TC) susceptible to this phenomenon?

Quote:
The logical application of a cascade might be for long-term storage of information (i.e., forty, fifty, sixty years), but as cryptography goes, predicting that far into the future is a bit far-fetched.


Wow. That sounds scary. I mean, AES 256 is allowed to protect top secret data, which is likely to have a very long lifespan... If it fails in some 30-40 years from now, some people both in NSA and other three-letter-agencies might end up in trouble...

Quote:
This is a reasonable thought, but there are no guarantees for it. There are tons of variables to consider, with little to nothing in the way of cryptographic proof.


And what can probably go wrong when you cascade something the way it is done in TC for instance, i.e. when output of first cipher is encrypted as any mere plaintext with the second cipher which uses a totally independent key, with the ciphers being significantly architecturally different (belonging to different structural families, the first being, for instance an SPN, while the second being a Feistel)?

As I see it...
In this setup, the existence (and occurrence probability) of a peculiar interaction between the first cipher's output and the second cipher (with them being different and using independent keys) that would actually decrease security, i.e. would result in the final ciphertext being less secure than one resulting from simply encrypting the ciphertext solely with the strongest of the cascade's components, is, in my ignorant opinion, much the same as the likelihood that one can decrypt or weaken (introduce correlations, etc.) the ciphertext of one well-designed (not intentionally engineered specifically for such a trick) cipher by encrypting it with another, significantly structurally different cipher using an independent key.

So, in such a system, it boils down to the question of whether you can decrypt or weaken the cyphertext supplied by, for instance, SPN operating with key A, by feeding this "SPN cyphertext" into a Feistel operating with a totally independent key B...


Am I badly misunderstanding something?

Quote:
So far as I know, it doesn't offer proper integrity preservation, such as a MAC, or some form of authenticated encryption, would; on the other hand, adding a MAC could become incredibly costly, very quickly. I'm a zealot when it comes to authentication, though, since I've seen countless systems fall because of the lack of it. Some may state that it's only important with a network protocol, but there are threat models to support the disk encryption case.


Well, I also am a victim of the "authentication is only important with a network protocol" misconception...
I am very interested; the concept of a threat model that deals with disk-encryption authentication is very new and even surprising... Could you please tell more?

Quote:
TrueCrypt, for the most part, seems to have potential.


Yeah, TC seems a very nice tool... too bad no renowned professional, like Schneier or Ferguson, has peer-reviewed it yet... In fact, I know of no separately published peer review of current TC code whatsoever... a pity.


Last edited by a_Lex on Fri Dec 22, 2006 8:48 am; edited 3 times in total
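The meet-in-the-middle effect asked about above, as an added example that is not from this thread, from Knudsen's thesis or from TrueCrypt: a constructed 12-bit-key toy cipher cascaded with itself under two independent keys, and the key-recovery that needs roughly 2 * 2^12 cipher calls plus a 2^12-entry table instead of 2^24 trials. The cipher, key sizes and sample values are all constructed assumptions; the same idea applies unchanged when the two cascaded ciphers differ, which is why an encrypt-encrypt cascade with independent keys does not double the effective key length.

```python
# Constructed toy cipher: 16-bit block, 12-bit key, 4 add/rotate/xor rounds (not a real cipher).
KEY_BITS = 12
MASK16 = 0xFFFF

def toy_encrypt(key, block):
    x = block & MASK16
    for r in range(4):
        rk = (key * (r + 1) + 0x9E37) & MASK16       # affine round key (constructed)
        x = (x + rk) & MASK16
        x = ((x << 5) | (x >> 11)) & MASK16          # rotate left by 5
        x ^= rk
    return x

def toy_decrypt(key, block):
    x = block & MASK16
    for r in reversed(range(4)):
        rk = (key * (r + 1) + 0x9E37) & MASK16
        x ^= rk
        x = ((x >> 5) | (x << 11)) & MASK16          # rotate right by 5
        x = (x - rk) & MASK16
    return x

def cascade_encrypt(k1, k2, block):
    # Encrypt-encrypt cascade with two independent keys.
    return toy_encrypt(k2, toy_encrypt(k1, block))

def meet_in_the_middle(pairs):
    """Return every (k1, k2) consistent with the known (plaintext, ciphertext) pairs.
    Work: about 2 * 2**KEY_BITS cipher calls plus a 2**KEY_BITS-entry table,
    instead of the 2**(2*KEY_BITS) trials a naive search of both keys needs."""
    p0, c0 = pairs[0]
    table = {}                                       # first-cipher output -> candidate k1 values
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):                  # peel the second cipher off c0
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            # One 16-bit block leaves ~2**(2*KEY_BITS-16) chance matches; extra pairs remove them.
            if all(cascade_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found

def demo():
    k1, k2 = 0x3A5, 0x7C2                            # constructed secret keys
    plaintexts = [0x1234, 0xBEEF, 0x0042]            # constructed known plaintexts
    pairs = [(p, cascade_encrypt(k1, k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)
```

The defensive reading is the one Knudsen and Maurer/Massey give: a cascade with independent keys is at least as strong as its first component, but against an attacker who can trade memory for time it is not "twice the key length" stronger.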
capi
SF Senior Mod
Joined: 21 Sep 2003
Posts: 16777097
Location: Portugal

Posted: Fri Dec 22, 2006 3:39 am

Void_Runner wrote:
Yeah, TC seems a very nice tool... too bad no renowned professional, like Schneier or Ferguson, has peer-reviewed it yet... In fact, I know of no separately published peer review of current TC code whatsoever... a pity.

It's not exactly a scientific publication, but there has recently been a review made of open source encrypted filesystems (including TrueCrypt) done by Peter Gutmann (author of cryptlib, the Gutmann method of erasing data, and contributor to PGP 2), which included code reviews and had its results published in Linux Magazine Issue 72 (Nov 2006). I don't have the magazine next to me right now to quote from it, but I do remember that according to the author, TrueCrypt is a quality product, standing above the other reviewed products (which included CryptoFS, DM-Crypt and Loop-AES) both in terms of cryptographic and code quality.
a_Lex
Just Arrived
Joined: 12 Jun 2006
Posts: 2

Posted: Sat Dec 23, 2006 7:58 pm

capi

Too bad they don't have that article in PDF form yet...
Ralle
Just Arrived
Joined: 21 Sep 2003
Posts: 0

Posted: Tue Jan 02, 2007 5:46 pm    Post subject: Re: Double encryption (Blowfish->Rijndael) Stronger? Or dumb?

xyzzy wrote:
Considering the same passphrase is used for both, would encrypting text be more secure if the output of one cipher (Blowfish) was encrypted with another (AES Rijndael)?

If someone could brute force the final output (AES), is the password revealed? Or would "they" have to brute force the resulting Blowfish output as well?

Thanks in advance


I'd say, theoretically, you have no idea whether it's stronger or weaker. I'm no cryptologist, and my knowledge is limited, but I'd say with two ciphers a(m) and b(m) you have no idea how c=a(b(m)) will act, unless you analyze the combined function on your plaintext.
Let's take two very crappy ciphers for example: a=ROT-2 and b=ROT+2.
On their own they have some cryptographic value, pretty crappy I know, but when combined:
a(b(m))=m.
Combining 2 functions, you don't know how it works; it might have some weird results. You might end up with part of the functions cancelling each other out. You might end up with something much stronger. You will effectively invent a completely new algorithm, that might just decrypt with a totally new key.
Who knows.
Before you analyze the combined effect of the 2 ciphers, it'll be impossible to say.