
Double encryption (Blowfish->Rijndael) Stronger? Or dumb?

Networking/Security Forums -> Cryptographic Theory and Cryptanalysis - Internal and Transmission Security

xyzzy (Just Arrived; joined 26 Sep 2006)
Posted: Tue Sep 26, 2006 10:19 pm    Post subject: Double encryption (Blowfish->Rijndael) Stronger? Or dumb?

Considering the same passphrase is used for both, would encrypting text be more secure if the output of one cipher (Blowfish) was encrypted with another (AES Rijndael)?

If someone could brute force the final output (AES), is the password revealed? Or would "they" have to brute force the resulting Blowfish output as well?

Thanks in advance
alex_pinto (Just Arrived; joined 26 Sep 2006)
Posted: Thu Sep 28, 2006 2:43 pm    Post subject: Re: Double encryption (Blowfish->Rijndael) Stronger? Or d

xyzzy wrote:
Considering the same passphrase is used for both, would encrypting text be more secure if the output of one cipher (Blowfish) was encrypted with another (AES Rijndael)?

If someone could brute force the final output (AES), is the password revealed? Or would "they" have to brute force the resulting Blowfish output as well?

Thanks in advance


In general, I think it shouldn't matter. Your key is still the same, so if the attacker knows you have cascaded two cipher systems, and he should by Kerckhoffs's principle, then you are in the same position as at the start: the attack difficulty is only the attack on the key. If you are considering a brute force attack, it only makes your testing take a little more time, but that wouldn't be significant when you have to do a search that is exponential in the size of the key.

On the other hand, if you change keys, that would be something else. That's what makes 3DES, so far, secure, when DES is not. It is DES applied 3 times in succession, but there are two different keys. You get from a 56-bit key size to a 112-bit key, which is much harder to break.

Having to make 3 encryptions instead of 1 does not affect the cost of the brute search attack.

In fact, it makes me think if keeping the same key for both algorithms wouldn't make the system as secure as only the least secure of the two. I'm not sure in this, I'd have to think about it.

Alex
jansson_markus (Just Arrived; joined 28 Dec 2004; location: Finland)
Posted: Thu Sep 28, 2006 10:03 pm    Post subject: Re: Double encryption (Blowfish->Rijndael) Stronger? Or d

xyzzy wrote:
Considering the same passphrase is used for both, would encrypting text be more secure if the output of one cipher (Blowfish) was encrypted with another (AES Rijndael)?

It is at least as secure as the strongest of the ciphers used.

Quote:
If someone could brute force the final output (AES), is the password revealed?

They cannot brute-force AES alone if two ciphers are used together. In fact, he cannot even know he has brute-forced AES, since even the AES-decrypted data would still be pseudorandom (because it's still encrypted with Blowfish).

Quote:
Or would "they" have to brute force the resulting Blowfish output as well?

Yes.

But lets get one thing cleared right now:
If you use two different ciphers to encrypt the same data (first with cipher1 and then with cipher2), you should use two unique keys too. You can easily create two independent keys by simply hashing the passphrase+0 and hashing passphrase+1. Voila. Then, as long as the passphrase and hash used are strong, there is a considerable increase in the security of the ciphertext. An attacker trying to break the ciphertext would have to find either
1) The passphrase (which is very hard if it's good), or
2) A cryptanalytic attack that works against BOTH of the ciphers used. If he has attack1 that breaks cipher1 and attack2 that breaks cipher2, he still cannot crack the ciphertext, because he would need an attack that works against BOTH ciphers at the same time.
xyzzy (Just Arrived; joined 26 Sep 2006)
Posted: Fri Sep 29, 2006 6:53 pm    Post subject: Thanks Markus and Alex...

Hey Guys,

Thanks for the good input, I appreciate it. My understanding now is that if I could do whatever encryption scheme in complete secrecy, then transmit the result, I could do so with good confidence.

BUT, if I have a public webpage for people to send email to me through a form submission, and the source code is visible, then any special scheme is really pointless because the brute force attack is merely an attack on the password. Even if I SHA-256 it, all they have to do is put in a password, the page will SHA it for them, then use that output to try to decrypt the message. The only thing I'm doing is causing the computer to do more work, ha ha!

The main goal I had was to make it easy for non-technical people to be able to securely email me through my page by only requiring one passphrase.

I think I'll just ensure the users have really good passwords and leave it at that.

Regards!
jansson_markus (Just Arrived; joined 28 Dec 2004; location: Finland)
Posted: Sat Sep 30, 2006 1:44 am    Post subject: Re: Thanks Markus and Alex...

xyzzy wrote:
The main goal I had was to make it easy for non-technical people to be able to securely email me through my page by only requiring one passphrase.

And how would YOU know the passphrase in order to decrypt the messages?!? If you know it, how can you be sure nobody else knows it?

That's why PKI has been invented. Use that.
Dwonis (Just Arrived; joined 27 Jul 2003; location: Canada)
Posted: Tue Oct 24, 2006 8:43 am    Post subject: Re: Double encryption (Blowfish->Rijndael) Stronger? Or d

jansson_markus wrote:
xyzzy wrote:
Considering the same passphrase is used for both, would encrypting text be more secure if the output of one cipher (Blowfish) was encrypted with another (AES Rijndael)?

It is atleast as secure as the strongest of the ciphers used.
No! If you're using the same key for both algorithms, there is no such guarantee.

You are composing two functions, A_k(m) and B_k(m):

E_k(m) = B_k(A_k(m))

Your proposition is that, no matter how B_k is defined, the above construction is at least as secure as the following construction:

E_k(m) = A_k(m)

That just isn't true (assuming A_k is invertible, which it is, or else it wouldn't be useful for encryption).

Proof: Let B_k be the inverse of A_k. Then E_k(M) = B_k(A_k(M)) = M.

To generalize, if you're using AES and then Blowfish with the same key, then you don't know that Blowfish isn't undoing part of the AES encryption, thereby weakening it.

If you want to compose two encryption algorithms using the same key, then you're inventing a new algorithm, which needs to be analyzed separately.
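Dwonis's inverse-function argument above, together with Markus's suggestion in his earlier reply to derive one key per layer from the passphrase, as an added example (not code from this thread): a toy XOR-keystream cipher whose second layer is exactly the inverse of the first shows the same-key cascade collapsing to the identity, while deriving SHA-256(passphrase || i) per layer keeps the layers from cancelling. The keystream construction, function names and sample values are assumptions made here.

```python
import hashlib
from itertools import count


def keystream(key: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: SHA-256(key || counter) blocks concatenated.
    Assumed here as a stand-in for a keystream cipher; not a production cipher."""
    out = bytearray()
    for ctr in count():
        if len(out) >= length:
            break
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
    return bytes(out[:length])


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse) with keystream(key)."""
    ks = keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def cascade_same_key(key: bytes, msg: bytes) -> bytes:
    """Dwonis's degenerate case: layer B is the inverse of layer A and both use
    the same key, so B_k(A_k(m)) == m and the "cascade" encrypts nothing."""
    return xor_cipher(key, xor_cipher(key, msg))


def derive_layer_keys(passphrase: bytes, n: int) -> list[bytes]:
    """Markus's construction: key for layer i is SHA-256(passphrase || i),
    so the layers no longer share a key even though the user types one phrase."""
    return [hashlib.sha256(passphrase + bytes([i])).digest() for i in range(n)]


def cascade_encrypt(passphrase: bytes, msg: bytes) -> bytes:
    """Apply each layer with its own derived key, layer 0 first."""
    data = msg
    for k in derive_layer_keys(passphrase, 2):
        data = xor_cipher(k, data)
    return data


def cascade_decrypt(passphrase: bytes, ct: bytes) -> bytes:
    """Undo the layers in reverse order with the same derived keys."""
    data = ct
    for k in reversed(derive_layer_keys(passphrase, 2)):
        data = xor_cipher(k, data)
    return data


def collapses_to_identity(passphrase: bytes, msg: bytes) -> bool:
    """True if the derived-key layers cancel each other out (they should not)."""
    return cascade_encrypt(passphrase, msg) == msg


if __name__ == "__main__":
    # Constructed sample values, not from the thread.
    pp = b"correct horse battery staple"
    msg = b"meet at the usual place"
    print("same-key cascade returns plaintext:", cascade_same_key(pp, msg) == msg)
    print("derived-key cascade collapses:", collapses_to_identity(pp, msg))
    print("round trip ok:", cascade_decrypt(pp, cascade_encrypt(pp, msg)) == msg)
```

Note that even the derived-key cascade of two XOR layers is just one XOR with the combined keystream, which is Dwonis's point that composing ciphers yields a new algorithm that has to be analyzed on its own.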
a_Lex (Just Arrived; joined 12 Jun 2006)
Posted: Wed Nov 08, 2006 11:05 pm

Wow! My favorite "cascade encryption" (I asked about it long ago) has floated up right at the moment I returned to the forum!
Must be a sign from Azatoth...
All right, let us put it this way:

There are cascades implemented in the famous software True Crypt.

They are independent-keyed (each cypher has a key of its own)

Here are 2 questions:
1)
Does the cascade structure as seen in TC strengthen the security (let us not consider the increase in overall length of key, as having a 256-bit symmetric key is quite enough if the cipher is secure)? Is it reasonable to use this cascade system?

2)
For instance, if, hypothetically, a severe flaw will be found in AES256, will the data encrypted with TrueCrypt's AES-Twofish-Serpent cascade remain secure?
Dwonis (Just Arrived; joined 27 Jul 2003; location: Canada)
Posted: Wed Nov 08, 2006 11:59 pm

If the keys for each of the ciphers are truly independently generated, then the construction would be secure (I think; assuming no input-dependent message expansion or compression takes place). However, if you used a PRNG to generate the keys, then all bets would be off, since the PRNG would act as part of the key scheduling algorithm for your newly-created cipher monstrosity.

Adding complexity isn't being conservative. If AES isn't strong enough for you, then the cipher primitives involved are probably the least of your concerns.
a_Lex (Just Arrived; joined 12 Jun 2006)
Posted: Thu Nov 09, 2006 12:22 am

Quote:
However, if you used a PRNG to generate the keys, then all bets would be off, since the PRNG would act as part of the key scheduling algorithm for your newly-created cipher monstrosity.

Could you be so kind as to elaborate on this? I'm a layperson, you see...

As for using a PRNG... Well, as far as I understand, any encryption software uses a random number generator (TrueCrypt's number generator)

However, I fail to see why the use of the above-linked system compromises the cascade key independence.

So the question is, would "all bets be off" with TC's AES-Twofish-Serpent "cipher monstrosity" in the hypothetical situation of a severe vulnerability being found in AES?

Quote:
If AES isn't strong enough for you, then the cipher primitives involved are probably the least of your concerns.


It is quite strong enough; we are merely discussing a hypothetical situation where some future mathematical discovery badly compromises AES.
Dwonis (Just Arrived; joined 27 Jul 2003; location: Canada)
Posted: Fri Nov 10, 2006 9:18 am

A pseudo-random number generator (PRNG) is a deterministic function that takes a small number of bits (the seed) and turns it into a large number of bits (the "random" numbers). Stream ciphers (e.g. RC4, AES-CTR, etc) do the same thing. If you're using a PRNG to generate keys for a cipher cascade, then you're really just inventing your own encryption algorithm, because the keys generated by a PRNG are not independent.

According to the link you provided, TrueCrypt uses an entropy pool to generate random numbers. Assuming it never provides more entropy than is contained in the pool, that's a real random number generator, not a PRNG, so my criticism would not apply.

A cascade is not necessarily more secure than single encryption, however.


Last edited by Dwonis on Tue Feb 13, 2007 12:59 pm; edited 1 time in total
a_Lex (Just Arrived; joined 12 Jun 2006)
Posted: Sun Nov 12, 2006 11:06 am

Quote:
According to the link you provided, TrueCrypt uses an entropy pool to generate random numbers. Assuming it never provides more entropy than is contained in the pool, that's a real random number generator, not a PRNG, so my criticism would not apply.


Well, good...

Quote:
A cascade is not necessarily more secure than single encryption, however.


I understand that, and that is exactly what makes me ask if there is a way to find out whether a certain cascade is more secure than single encryption...
Namely, are cascades found in TC more secure than single-algorithm encryption, and which of the cascades provided should be considered preferable?
Dwonis (Just Arrived; joined 27 Jul 2003; location: Canada)
Posted: Thu Nov 23, 2006 11:26 pm

I should also mention that hard disk encryption has special vulnerabilities that do not apply to other modes of encryption, if an attacker has the ability to look at your encrypted hard drive more than once. The problems stem from the fact that ciphertexts are related (when you change a byte on your encrypted hard drive, the entire drive is not re-encrypted).

There is a good paper on the topic: New Methods in Hard Disk Encryption.
a_Lex (Just Arrived; joined 12 Jun 2006)
Posted: Fri Nov 24, 2006 4:30 pm

Very interesting read... thank you

So can we consider TC cascades "safe" as a matter of scientific fact?

Also, I never managed to fully comprehend the principle that a non-commutative cascade is at least as strong as the first cipher...
How can we determine if our non-commutative cascade is more secure than the first cipher in it or not?

For instance, if a flaw, a vulnerability, is found (at some time 5-10 years in the future) in the first cipher in my cascade, will the remaining "flawless" two members of the cascade still protect my security?
JustinT (Trusted SF Member; joined 17 Apr 2003; location: Asheville, NC, US / Uberlândia, MG, Brazil)
Posted: Thu Dec 07, 2006 3:22 am    Post subject: Some thoughts.

Dwonis wrote:

Adding complexity isn't being conservative. If AES isn't strong enough for you, then the cipher primitives involved are probably the least of your concerns.


Dwonis nailed it with this comment. Complexity and conservatism are polar entities; they're complete opposites. From experience, when cryptanalyzing systems and rounding out the necessary design goals, many environments are so constraint-ridden that recommending a cascade of primitives would get a laugh, at best. Fortunately, block ciphers, such as the AES, are built to hold their own; in the case of the AES, it has been successful thus far, given what we know. It's a nice blend of efficiency and security, which makes it suitable in a plethora of environments.

Many often overlook the success of the AES selection process, as well as the AES (Rijndael) itself. Keep in mind that Rijndael was like prey thrown to the piranhas; it was picked apart by the most intellectually ruthless cryptographers around. It survived that and was selected as a standard. That's not all, though. The day it became a standard, it also became the target of cryptographic targets. As such, a massive amount of cryptanalytical attention was turned towards the AES - more than any other of the competing designs.

I've written an article about this before, but unless the AES is unsuitable for your environment, I'd suggest using it, and it alone (i.e., no ad-hoc, layered construction). Although multiple encryption and cascade-based designs can have application value, when you start doing crazy things with primitives, that they weren't intended for, security guarantees are usually lost, and the end result can actually be worse than the individual primitives themselves. Simplicity is paramount, and I've said it many times before: If you can build a system where cryptography is the weakest link, then I have only one thing to imperatively plead - teach me. In reality, it's almost always the other way around.

These are just some thoughts to consider. Cheers.
a_Lex (Just Arrived; joined 12 Jun 2006)
Posted: Sat Dec 09, 2006 4:08 am

Thanks for the reply, Justin!

Quote:
Dwonis nailed it with this comment. Complexity and conservatism are polar entities; they're complete opposites. From experience, when cryptanalyzing systems and rounding out the necessary design goals, many environments are so constraint-ridden that recommending a cascade of primitives would get a laugh, at best.


Well, I completely agree such an approach is far from being resource-wise, and I am quite confident that AES is secure; it is approved for handling the US's TOP SECRETs after all (though I think that Serpent is somewhat more robust and future-proof), so I am taking the cascade problem from a pretty theoretical "what if" angle.

I also understand that complexity is opposite conservativeness, so I am willing to understand exactly what is the "sanity margin" of complexity here (under the assumption of abundant computational resources), i.e. is it worth cascading when you can afford that.

Also, I am curious not about "cascading in general", but, more precisely, about a very certain implementation found in TrueCrypt program.

Quote:
If you can build a system where cryptography is the weakest link, then I have only one thing to imperatively plead - teach me.


Well, I have an idea, but it is of little use until AI Complete is invented (and my guess is it will be of even less use after that event)...
Keep humans out of the system.

Returning to the cascade topic, what do you think of TrueCrypt cascades in particular?
Their cascade implementation seems to make sense, but I am too far from being a professional to pass such judgment.
JustinT (Trusted SF Member; joined 17 Apr 2003; location: Asheville, NC, US / Uberlândia, MG, Brazil)
Posted: Sat Dec 16, 2006 10:05 am    Post subject: Some late-night thoughts.

Dwonis wrote:
If you're using a PRNG to generate keys for a cipher cascade, then you're really just inventing your own encryption algorithm, because the keys generated by a PRNG are not independent.


I agree with the preference for independent keys, but for reference's sake, I'll point out that in a paper by Knudsen and Damgård, entitled, “Enhancing the Strength of Conventional Cryptosystems,” they demonstrate a case for pseudo-random number generation. In short, if the pseudo-random case is indistinguishable from the independent case, then it's good enough. Have a look at subsections 2.3 and 3.2, as they seem to convey the premise rather well. It's 4:29AM, so forgive any errors, but I'll try to explain the gist of it. We have a cascade Y, composed of N_c ciphers, and X, the i'th cipher amongst these N_c ciphers in the cascade. Assume that we generate 3 keys from 2 X keys, pseudo-randomly, using a generator based on the security of X. If the adversary is trying to break Y, he must treat the 3 keys as if they were actually random, implying that he must break X. If he wishes to exploit the dependency between the keys, he must break the generator, which is based on the security of X. The thought is that if X is secure enough, then there is a security connection between X and Y. For a cryptographically-secure pseudo-random number generator (Manuel Blum and Silvio Micali analyzed complexity-theoretic aspects of this, relative to the above paper), this should be fine, even though I usually suggest independent keys.

Void_Runner wrote:
Thanks for the reply, Justin!


Sure thing.

Void_Runner wrote:

Well, I completely agree such an approach is far from being resource-wise, and I am quite confident that AES is secure, It is approved for handling US's TOP SECRETs after all (Though, I think that Serpent is somewhat more robust and future-proof) so I am taking the cascade problem from a pretty theoretical "what if" angle.


Out of curiosity, could you elaborate on your reasoning for preferring Serpent? Does it involve the massive number of rounds it uses, or its “security margin?” It's not impossible for this to be the case (i.e., Serpent being better), but I'm curious about your thoughts, and will share mine, in response.

Also, you can read one of the seminal papers on cascades, by Maurer and Massey, here: [PS] [PDF]

For good, further reading, you might also be interested in Lars Knudsen's Ph.D. thesis, on block cipher analysis and design: [PS.GZ] [PDF] (He co-designed Serpent, by the way.)

These papers might be a bit dated, but in this field, don't mind a little dust on the bottle. You'll find some of the most fundamental concepts inside.

Void_Runner wrote:

I also understand that complexity is opposite conservativeness, so I am willing to understand exactly what is the "sanity margin" of complexity here (under the assumption of abundant computational resources), i.e. is it worth cascading when you can afford that.


My intention isn't to discourage the application of cascades, by any means, in such a way as to imply that they're pointless. However, the security of the block cipher is usually the last place that an insecurity will arise. Keep in mind that implementing a cascade adds more complexity, by adding more code, as well as more security requirements. Most cryptographic systems that fail do so because of an implementation flaw. It seems much more sensible to focus more attention on other aspects, rather than try to make a strong thing stronger. But, setting everything aside, if you can afford it, and you do it right, then I suppose it's okay. Even then, I generally don't suggest it, because it increases the size of the implementation (i.e., more to analyze) and adds more security requirements (i.e., more to satisfy). The logical application of a cascade might be for long-term storage of information (i.e., forty, fifty, sixty years), but as cryptography goes, predicting that far into the future is a bit far-fetched. The mantra is, "If one component cipher fails, the others will remain secure, thus keeping my information secure." This is a reasonable thought, but there are no guarantees for it. There are tons of variables to consider, with little to nothing in the way of cryptographic proof.

Void_Runner wrote:

Returning on cascade topic, What do you think of TrueCrypt cascades in particular?
Their cascade implementation seems to make sense, but I am too far from being a professional to pass such judgment.


TrueCrypt's implementation has been wrong before, with issues surrounding its use of CBC mode; this was fixed in November of '05, I believe, when they replaced it with LRW mode. So far as I know, it doesn't offer proper integrity preservation, such as a MAC, or some form of authenticated encryption, would; on the other hand, adding a MAC could become incredibly costly, very quickly. I'm a zealot when it comes to authentication, though, since I've seen countless systems fall because of the lack of it. Some may state that it's only important with a network protocol, but there are threat models to support the disk encryption case. I imagine LRW will suffice in various situations.

Cascades are the last I'd worry about implementing, though, should I want to design such an application. To be fair, though, I don't trust my ability to write secure code, so writing a cryptographic implementation for serious use is something I'd not attempt anyhow, since that's not my forte. As such, I can't really comment on their cascade implementation. The documentation is above par, and from what I have read, it sounds sensible. TrueCrypt, for the most part, seems to have potential.
Page 1 of 2