7

I was just wondering if I add more security by combining two or more symmetric encryption algorithms on a plain text.

For example: Plaintext → AES → Twofish → Serpent

Of course a different key and IV (produced with a cryptographically secure PRNG) is used for each algorithm. Speed fortunately is not important.

Or does this form of combination have other implications I do not see?

There is a question like that here at Crypto.SE (Is TrueCrypt's multiple/cascading encryption safe?) but it focuses on using the same key.

Chris

2 Answers

8

I can see based upon your question that you're not already a crypto-expert. Given that, I think the single most useful answer I can give you is this:

Multiple encryption addresses a problem that mostly doesn't exist. Modern ciphers rarely get broken -- at least, not in the Swordfish sense. You're far more likely to get hit by malware or an implementation bug than you are to suffer from a catastrophic attack on AES.

That's a quote from http://blog.cryptographyengineering.com/2012/02/multiple-encryption.html, which is an excellent article on this topic.

Moreover, if you have to ask this question, you should not be using multiple encryption. It's a little bit tricky, and you're more likely to screw something up than to get any meaningful security gain.

Bottom line: No, you can't add more security by using multiple encryption. The block cipher isn't the weak link, and strengthening the strongest link in a system does not add more security. Modern block ciphers appear to be effectively unbreakable; if that's correct, multiple encryption is pointless. So, my recommendation is: don't do it. It doesn't solve any real-world problem, it doesn't add much benefit, and it adds the extra risk that you might screw something up. Use standard well-vetted cryptographic solutions, like TLS, Truecrypt, GPG, etc.

D.W.
  • 2
    The point about 'fixing a problem that doesn't exist' is probably the best item of discussion for the original post – Richie Frame Sep 12 '13 at 18:51
  • 1
    Not what I wanted to hear, but you are likely to be right.... Thanks! – Chris Sep 13 '13 at 08:08
  • 1
    I think you mistyped "strengthening the weak link in a system does not add more security", since it is quite straightforward that it does. Perhaps you meant "the strongest link"? :) – Stephen Touset Apr 01 '14 at 17:46
  • 1
    @StephenTouset, oh, right, thank you! Boy that was a dumb thing to write. :-) I appreciate the comment. – D.W. Apr 02 '14 at 03:25
  • -1 This answer seems so wrong. If you already know how to do single encryption securely, I really don't see what's so tricky about multiple encryption. (And if you don't, then the question is moot.) For double-encryption to be secure, all you have to do is to make sure the two layers are totally unrelated/independent (so: avoid sharing initialization vectors, don't use variants of the same algorithm, etc.) Which is pretty trivial. I do not see how someone who is smart enough to use either one of the algorithms correctly individually would make a broken combination. Care to explain? – user541686 Feb 01 '17 at 12:54
  • @Mehrdad, Let's set aside for a moment whether you are likely to get something wrong. The crucial part of my argument is that you are more likely to get something wrong than to get some benefit. If the probability of benefit is close to zero, it doesn't take much of a chance of getting something wrong to make my statement accurate. More importantly, I'd especially like to draw your attention to the "single most useful answer" I highlighted at the top of the answer. – D.W. Feb 01 '17 at 17:46
  • What exactly makes you think it is so dramatically unlikely that an organization like the NSA has broken AES (either in theory or in practice) that it is more likely for you to somehow break it by adding another layer of encryption? To me it sounds like doing the latter requires breaking AES too, and I'm not sure how much you can rely on the first part at all... It seems like an unfounded assertion to me. – user541686 Feb 01 '17 at 19:29
  • @Mehrdad, feel free to write your own answer if you think you can provide a better answer to the question. I can only share my own judgement/assessment. I recognize that others might well have different views. – D.W. Feb 01 '17 at 20:11
  • @D.W.: That's such an awful response. We're not trying to exercise our first amendment rights here; we're trying to get to a correct answer. If you think this question is actually subjective (do you?) then we need to close it. Otherwise it makes no sense to tell me to write an answer that says the exact opposite of yours. (cont'd) – user541686 Feb 01 '17 at 20:19
  • 1
    @D.W.: (cont'd) So I'm saying you should be able to defend your answer if you think it's actually right, and I'm pointing out that (a) for a second layer of encryption to break a previous one, you would need to have somehow broken the previous one already, and (b) you haven't provided a single justification why we should believe you that it's so unlikely for NSA to have broken AES in the first place (and why (a) doesn't make this irrelevant anyway). At the bare minimum, you need links. But a sound argument would be better. Your response to this is just "go write your own answer"? Really? – user541686 Feb 01 '17 at 20:20
  • (And yes, you do have 1 link, but that's just a [for this purpose] random dude observing the fact that broken ciphers have been historically rare, and assuming that that predicts the future. It doesn't take a cryptographer to make that observation, just a naive dude with some Googling skills. And that exact reasoning would have led us to believe that RSA is secure, too, until Snowden made us realize the NSA has likely broken the common implementations. So either you need some kind of solid backing for this argument, or not make it in the first place.) – user541686 Feb 01 '17 at 20:35
2

Block ciphers are already built of multiple components:

  • AES = fixed 8-bit sbox, MDS matrix multiplication, 8-bit rotations
  • Twofish = key dependent sboxes, MDS matrix, 1 and 8-bit rotations, PHT

Chaining ciphers adds more components, more rounds, more complexity.

Depending on chaining implementation, a different IV is not required for each cipher. For example, the first algorithm uses the selected mode, and the next in the chain only uses ECB; or the other way around. Choosing the modes and the order they are chained is important.

Different keys should be used, otherwise there is no increase in effective key space, just cipher complexity and round count.

As long as the algorithms are not some kind of inversion of each other, it effectively increases the total keyspace of the cipher chain, in addition to increasing the round count. Additionally, the different building blocks make certain attacks more difficult, where the similarity between rounds is exploited. It is better to build a cipher with more complexity than rely on the complexity of the chain, as one complete weak cipher may be "peeled off".

Rounds of one cipher cancelling out rounds of another is a distinct concern, and if the ciphers are the same (DES to 2DES, 3DES,.. NDES) there are attacks that will exploit this and reduce the effective key space. Assuming the underlying block ciphers are strong against all attacks, the upper bound on the chain security will be the combined upper bounds of each cipher's security, but can be lower in practice, especially if implemented poorly.

I tried to summarize points in one of the comments to the original post; certain points may be unclear or not touched upon.

Richie Frame
  • Side note: I use a 2 cipher chain construction with AES as both primitives in 2 different modes of operation, first CTR, then OCB, each with 128-bit keys, which should provide better diffusion than 256-bit AES in OCB only, and allows multicore optimization as well as precomputation. – Richie Frame Sep 12 '13 at 18:47
  • 2
    This reply contains suggestions which I would recommend against. "Complete weak cipher may be peeled off". This is true, however, the reason the multiple-cipher practice is not recommended is that an implementation mistake may allow breaking the entire chain. If multiple different kinds of modes are used, it is important to carefully meet the requirements of each mode. – user4982 Sep 12 '13 at 20:07
  • The only suggestion I thought I made was "Different keys should be used", which is actually more of a statement. I did touch upon the importance of mode selection, and as always, implementation mistakes can break any cryptosystem regardless of cipher(s) used. Chaining or cascading does carry its own set of possible mistakes, I tried not to give any instructions on how to implement chaining or cascading securely. – Richie Frame Sep 13 '13 at 03:54
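
The key-space reduction mentioned above for chaining a cipher with itself (DES to 2DES) is the classic meet-in-the-middle attack. The following is an added example, not code from any post on this page: it runs that attack against a constructed toy 16-bit Feistel cipher with 12-bit keys, recovering two independent keys in about 2^13 cipher operations plus a lookup table, rather than the 2^24 the combined key length suggests. The cipher, the key values and all function names are assumptions made for the demonstration.

```python
# Toy 16-bit Feistel cipher with 12-bit keys: constructed for illustration, NOT secure.
KEY_BITS = 12
ROUNDS = 4

def _round_key(key, i):
    # Rotate the 12-bit key left by 3*i and take the low 8 bits as the round key.
    rot = ((key << (3 * i)) | (key >> (KEY_BITS - 3 * i))) & 0xFFF
    return (rot & 0xFF) ^ i

def _f(half, rk):
    # Arbitrary nonlinear round function; a Feistel network is invertible for any F.
    x = (half + rk) & 0xFF
    return ((x * 37) ^ (x >> 4) ^ ((x * x) >> 3)) & 0xFF

def encrypt(block, key):
    l, r = block >> 8, block & 0xFF
    for i in range(ROUNDS):
        l, r = r, l ^ _f(r, _round_key(key, i))
    return (l << 8) | r

def decrypt(block, key):
    l, r = block >> 8, block & 0xFF
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _f(l, _round_key(key, i)), l
    return (l << 8) | r

def double_encrypt(block, k1, k2):
    return encrypt(encrypt(block, k1), k2)

def meet_in_the_middle(pairs):
    """Return ((k1, k2) candidates, cipher operations spent in the two sweeps)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    ops, table = 0, {}
    for k1 in range(1 << KEY_BITS):          # forward sweep: E_k1(P) for every k1
        table.setdefault(encrypt(p0, k1), []).append(k1)
        ops += 1
    found = []
    for k2 in range(1 << KEY_BITS):          # backward sweep: D_k2(C) for every k2
        ops += 1
        for k1 in table.get(decrypt(c0, k2), ()):
            # A match in the middle is only a candidate; confirm on the other pairs.
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                found.append((k1, k2))
    return found, ops

if __name__ == "__main__":
    K1, K2 = 0xA53, 0x1C7                    # constructed secret keys
    pairs = [(p, double_encrypt(p, K1, K2)) for p in (0x1234, 0xBEEF, 0x0F0F)]
    found, ops = meet_in_the_middle(pairs)
    print(found, ops, "sweep operations vs", 1 << (2 * KEY_BITS), "for brute force")
```
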