[147154] in cryptography@c2.net mail archive
[Cryptography] The paranoid approach to crypto-plumbing
daemon@ATHENA.MIT.EDU (Bill Frantz)
Mon Sep 16 13:34:07 2013
Date: Mon, 16 Sep 2013 09:44:01 -0700
From: Bill Frantz <frantz@pwpconsult.com>
To: "cryptography@metzdowd.com List" <cryptography@metzdowd.com>
After Rijndael was selected as AES, someone suggested the really
paranoid should super encrypt with all 5 finalists in the
competition. Five level super encryption is probably overkill,
but two or three levels can offer some real advantages. So
consider simple combinations of techniques which are at least as
secure as the better of them.
Unguessable (aka random) numbers:
Several generators, each reseeded on its own schedule, combined
with XOR will be as good as the best of them.
Symmetric encryption:
Two algorithms give security equal to the best of them. Three
protect against meet-in-the-middle attacks. Performing the
multiple encryption at the block level allows block cyphers to
be combined with stream cyphers. RC4 may have problems, but
adding it to the mix isn't very expensive.
Key agreement:
For forward security, using both discrete log and elliptic
curve Diffie-Hellman modes combined with XOR to calculate
keying material is as good as the better of them. Encrypting a
session key with one public key algorithm and then encrypting
the result with another algorithm has the same advantage for
"the normal mode" of TLS key agreement if you don't want
forward security (which I very much want).
MACs:
Two MACs are better than one. :-)
All this has costs, some of them significant, but those costs
should be weighed against the security risks. Introducing a new
algorithm with interesting theoretical security properties is a
lot safer if the data is also protected with a well-examined
algorithm which does not have those properties.
Cheers - Bill (who has finally caught up with the list)
---------------------------------------------------------------------------
Bill Frantz | Re: Computer reliability, performance, and security:
408-356-8506 | The guy who *is* wearing a parachute is *not* the
www.pwpconsult.com | first to reach the ground. - Terence Kelly
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
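As an added illustration (not part of Bill's post, written here with only the Python standard library), this shows two of the combinations he describes: two independent shared secrets, standing in for a finite-field DH output and an ECDH output, are XORed and fed to a small HKDF helper, and each message is tagged with two MACs under independent keys. The function names, labels and salt are assumptions of this example, and the `xor_combine` docstring states the caveat the "as good as the best of them" argument depends on: the inputs must be independent.

```python
import hmac
import hashlib
from functools import reduce


def xor_combine(*parts: bytes) -> bytes:
    """XOR equal-length secrets: as strong as the strongest input ONLY if
    the inputs are independent (a secret XORed with itself is all zeros)."""
    if len({len(p) for p in parts}) != 1:
        raise ValueError("all inputs must have the same length")
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*parts))


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """Minimal HKDF (RFC 5869 extract-then-expand) over HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_mac_keys(secret_a: bytes, secret_b: bytes) -> tuple:
    """Combine two independent shared secrets (e.g. one from finite-field DH
    and one from ECDH) by XOR, then derive an independent key for each MAC."""
    ikm = xor_combine(secret_a, secret_b)
    return (hkdf_sha256(ikm, b"mac-salt", b"mac-A", 32),
            hkdf_sha256(ikm, b"mac-salt", b"mac-B", 32))


def dual_mac(key_a: bytes, key_b: bytes, msg: bytes) -> bytes:
    """'Two MACs are better than one': concatenate tags from two MACs under
    independent keys. The stdlib only has HMAC, so they differ in the hash."""
    return (hmac.new(key_a, msg, hashlib.sha256).digest()
            + hmac.new(key_b, msg, hashlib.sha512).digest())


def dual_mac_verify(key_a: bytes, key_b: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the full tag; if either MAC fails, reject."""
    return hmac.compare_digest(dual_mac(key_a, key_b, msg), tag)
```

A forger has to defeat both HMACs, and a receiver that accepts only when the whole 96-byte tag matches never lets one weak MAC carry the other.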