Page 1 of 2

  #1
    Registered User, Devshed Newbie (0 - 499 posts). Join Date: Sep 2006; Posts: 4; Rep Power: 0.

    Double encryption(Blowfish->Rijndael) Stronger? Or dumb?


    Considering the same passphrase is used for both, would encrypting text be more secure if the output of one cipher (Blowfish) was encrypted with another (AES Rijndael)?

    If someone could brute force the final output (AES), is the password revealed? Or would "they" have to brute force the resulting Blowfish output as well?

    Thanks in advance
  #2
    Crypto-Con, Devshed Supreme Being (6500+ posts). Join Date: Apr 2004; Location: Frisco, Texas; Posts: 6,704; Rep Power: 1236.
    Hey, there's an attack that breaks a double encryption scheme with basically just double the time complexity.

    Assuming you have a block of plaintext (which is usually not hard to obtain), you take that block and encrypt it with every possible key (or a dictionary of keys) and store all the encrypted blocks. You then brute force the ciphertext by decrypting it with every possible key (or a dictionary of keys) and comparing the decrypted result with all the encrypted blocks looking for a match. If you find a match, you have your two keys.

    The setup takes a while longer, but if you fork the BF decrypting and the encrypted block look-up to different machines, you can run the actual attack in basically just double the amount of time, since you're just BFing one side, then BFing the other. Basically you're just meeting in the middle.

    The security offered is basically just twice the original security -- not much by the standards we like to think in. If you assume that your adversary doesn't have the resources to launch such an attack then it's very effective, but if they didn't have the resources to launch that attack they wouldn't be able to attack one layer encryption either, so the double layer would be pretty pointless.

    However, if you add a third layer of encryption, then you're talking -- this is the idea behind 3DES. You apply the encryption function the first layer, the decryption function (different key) for the second layer, then the encryption function (original or different key, your choice) for the third and last layer. Although you could use different encryption algorithms (AES, Blowfish, Twofish, etc) for each layer if you wanted.
    Last edited by B-Con; September 27th, 2006 at 12:51 AM.
    - "Cryptographically secure linear feedback shift register based stream ciphers" -- a phrase that'll get any party started.
    - Why know the ordinary when you can understand the extraordinary?
    - Sponsor my caffeine addiction! (36.70 USD received so far -- Latest donor: Mark Foxvog.)
  #3
    Contributing User, Devshed Newbie (0 - 499 posts). Join Date: Sep 2006; Posts: 110; Rep Power: 53.
    Originally Posted by xyzzy1002
    Considering the same passphrase is used for both, would encrypting text be more secure if the output of one cipher (Blowfish) was encrypted with another (AES Rijndael)?
    If you are to apply such a scheme, I would strongly suggest that you do not use the same key. If you only have one key, you can derive sub-keys from your original key. This might not be more secure theoretically, however obfuscation can be quite powerful.

    You should consider B-Con's suggestion to triple-crypt the plaintext, e.g. using

    AES-Encrypt -> Serpent-Decrypt -> Twofish-Encrypt

    with 3 different keys would give you a satisfying result.

    Using "special schemes" like this one is untested ground. Theoretically it may give you a higher level of protection but you won't get any cryptography professional to use them. 256 bit AES should be sufficient and is "politically correct".
  #4
    Registered User, Devshed Newbie (0 - 499 posts). Join Date: Sep 2006; Posts: 4; Rep Power: 0.

    Thanks to you both! I appreciate it!


  #5
    Registered User, Devshed Newbie (0 - 499 posts). Join Date: Sep 2006; Posts: 4; Rep Power: 0.
    Originally Posted by B-Con
    Hey, there's an attack that breaks a double encryption scheme with basically just double the time complexity.

    Assuming you have a block of plaintext (which is usually not hard to obtain), you take that block and encrypt it with every possible key (or a dictionary of keys) and store all the encrypted blocks. You then brute force the ciphertext by decrypting it with every possible key (or a dictionary of keys) and comparing the decrypted result with all the encrypted blocks looking for a match. If you find a match, you have your two keys.

    The setup takes a while longer, but if you fork the BF decrypting and the encrypted block look-up to different machines, you can run the actual attack in basically just double the amount of time, since you're just BFing one side, then BFing the other. Basically you're just meeting in the middle.

    The security offered is basically just twice the original security -- not much by the standards we like to think in. If you assume that your adversary doesn't have the resources to launch such an attack then it's very effective, but if they didn't have the resources to launch that attack they wouldn't be able to attack one layer encryption either, so the double layer would be pretty pointless.

    However, if you add a third layer of encryption, then you're talking -- this is the idea behind 3DES. You apply the encryption function the first layer, the decryption function (different key) for the second layer, then the encryption function (original or different key, your choice) for the third and last layer. Although you could use different encryption algorithms (AES, Blowfish, Twofish, etc) for each layer if you wanted.

    Hey B-Con, I tried your suggestion and as a result, have new respect for the Rijndael cipher. I used the password, "a" and encrypted the text, "a", ten times and got a different output each time. Now that's cool. So I gather from this, that the only way to hack this message is by routinely guessing at the password? What's the latest figures on commercially available computers and the time it takes to brute force a password? (and is it in English? I don't get the 2 to the 58 figures.) Looking for how many hours or days, etc. NIST was saying something about 19 million years or some such...

    Thanks in advance!


    ZZZZZ DTLUD GVBXD BABSH UCIGQ WLJRB ADDPW WAIGL EHTTW FXATT UAQTL
    FQLDM WUMSK LLEWC NDNIU FWUJG UJVVN FXCRV GNDHK WXFXU VZZZZ YYYYY

    ZZZZZ UQKVI HKQHF VFNRP PUCTB NVUUU FFVIC TWHDJ IDPPX EGHMW HSOGJ
    QATGW AHONK LKQWX JAHAP DNTNB TWTCR ORWWA QPGLQ GADIW VZZZZ YYYYY

    ZZZZZ VVPMG IWVBB VFHUN OFMMC QDKWW VHCSG SJFWI CPUXT SBIIV CMNDL
    TXVWJ GKMUA MJDTR GBXVU CAPGU IBJCQ NVDUT GBJNM RSTEK LZZZZ YYYYY

    ZZZZZ BXJKC LSMCX AANCG KSOLV VFSAX FFSEG SBHCV AJLTD RWALN WAHXI
    QGWAF HPOFJ TFBVX OHCAO WCVID MAMDN GTXKA IQEMM TEEDB TZZZZ YYYYY

    ZZZZZ EKROE CNSLG ACIAT OQLTU ALOOA FBHHA OIPIH WHJEX LDIRM VPJXL
    UFUJI HPDLX XSDFW CAXBV BBOLU VFXDT SSMNA LLDXL RPUBX NZZZZ YYYYY

    ZZZZZ AWRBI NLBLC XBCVM MBLUF RLLWS VBXRB ADOIU HFUFF QVHWN EMKAE
    WRKDK XLEGH XQSGN HLMKJ XWKJV XVMBX UVWXV GBIXL GEAIK UZZZZ YYYYY

    ZZZZZ ERSWC JKRGH UWBSU HSMGG WWSUU VABQB MDIVL CLKFE RWHJR XMORM
    UFMTM LLCRD NTPAW EDMDM JGIOH QUMWK MQMVQ ERDDJ FRVLB VZZZZ YYYYY

    ZZZZZ WJOQE CKSAG TIICU IPIRC KFTED IEEQW SGLTS WLLBW TTIHA TTSUO
    DHUTX EHPHW LJCHC OWOIL JFIKA QXJMU MWFBU LBJGI FXDLK QZZZZ YYYYY

    ZZZZZ FNIXA MWPKJ CWION NDEIG SWLQR BGAFC MDJCI FPKRQ EHOQA BXURP
    UHSVK COBIC TKXGN DLFAS JLQIW LFJWA FQDVS EPAMN DVHVP WZZZZ YYYYY

    ZZZZZ CPSAF FOQAW VSATQ RAAJA QHHOB VBGPD PAKGM TCGPV OFNLD FALTK
    WDATA DJAMU WLQSX EXGHR UGQUW TTKXA HAKQW HQGAJ EQFAB QZZZZ YYYYY
  #6
    Crypto-Con, Devshed Supreme Being (6500+ posts). Join Date: Apr 2004; Location: Frisco, Texas; Posts: 6,704; Rep Power: 1236.
    Originally Posted by xyzzy1002
    What's the latest figures on commercially available computers and the time it takes to brute force a password? (and is it in English? I don't get the 2 to the 58 figures.) Looking for how many hours or days, etc.
    Depends on what you mean by "commercially available". Do you mean commercially available desktops from dell.com, or supercomputers bought by big companies?

    In the case of the former, we're talking centuries and millennia. If you mean the latter, we're still talking years and decades, depending on exactly how many of them you have and of what caliber they are.
  #7
    Contributing User, Devshed Newbie (0 - 499 posts). Join Date: Sep 2006; Posts: 110; Rep Power: 53.
    Originally Posted by xyzzy1002
    *snipp* So I gather from this, that the only way to hack this message is by routinely guessing at the password? What's the latest figures on commercially available computers and the time it takes to brute force a password? *snipp* Looking for how many hours or days, etc. NIST was saying something about 19 million years or some such...
    Just some thoughts..

    You should always consider that the "bad guy" might know something you don't - like a faster way to brute force passwords with the AES cipher. Combining different ciphers in unorthodox ways may eliminate such factors, but then again - it might open new "holes".

    Take a look at Serpent (another AES candidate) if it's security you're after. Serpent is actually considered more secure than Rijndael.

    Safe key storage can be a more important factor than the cipher / scheme selection. If you are to implement such a complex scheme as described earlier, it would probably be easier for the bad guy to obtain your key (or password).

    You can secure your key(s) in a tamper resistant HSM or a smart card to make things more secure. All cryptographic operations would need to be done inside the HSM to prevent exposing the keys in plain text to electronic eavesdropping.

    Choosing a password is also important. For this sort of application you must use a true random device to create a password that unlocks your key(s). The password may not be memorized and must be stored in parts in high security locations. Not a single person shall be able to obtain the complete password. Humans are fragile, and information is so easy to obtain with a small induction of pain.

    In other words.. if you want security, you'd need to consider more than ciphers and schemes.
  #8
    Crypto-Con, Devshed Supreme Being (6500+ posts). Join Date: Apr 2004; Location: Frisco, Texas; Posts: 6,704; Rep Power: 1236.
    Originally Posted by coredev
    Serpent is actually considered more secure than Rijndael.
    That's a subjective opinion, and not everyone totally agrees on that. Serpent isn't a bad choice, though, it definitely ranks right there with Rijndael, at a minimum.
  #9
    Registered User, Devshed Newbie (0 - 499 posts). Join Date: Sep 2006; Posts: 4; Rep Power: 0.

    Thanks...


    Hey Guys,

    Thanks for the good input, I appreciate it. As far as Serpent vs. Rijndael, I read that Serpent wasn't as secure as Rijndael, but another place that it was more secure but slower...

    I recall when PGP hit the streets, the gov't was not happy. But now NIST is freely and openly showing the way to things like AES. Does this mean that they A) can crack it open like cheap lobster and don't care if we all use it? Or B) realize it's probably a losing battle to keep people from using encryption (but why distribute it). I doubt anyone on the "outside" will ever know. And if anyone has any secrets worthy of the "big guns", then you're screwed anyway so not to worry really. :-)

    CoreDev, you have some very valid points, encryption is merely a slice of the pie-chart. Personal security, physical access to the computer, secure connections, etc are all "sections" to a greater whole. If nothing else, it keeps us busy trying to ensure all the holes are plugged. Anyone have a spare thumb?

    B-Con, thanks for the straight answer about how long it would take to break the code. I just don't want the commies to read my mail, and I feel that AES with a good password is probably enough to keep them guessing, at least long enough for the info to become invalid...

    My understanding now is that if I could do whatever encryption scheme (blowfish-sha-256 password-AES-Serpent) in complete secrecy, then transmit the result, I could do so with good confidence.

    BUT, if I have a public webpage for people to send email to me through a form submission, and the source code is visible, then any special scheme is really pointless because the brute force attack is merely an attack on the password. even if I sha-256 it, all they have to do is put in a password, the page will sha it for them, then use that output to try to decrypt the message. The only thing I'm doing is causing the computer to do more work, ha ha!

    The main goal I had was to make it easy for non-technical people to be able to securely email me through my page by only requiring one passphrase.

    I think I'll just ensure the users have really good passwords and leave it at that.

    Regards! :-)
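The passphrase problem raised in the post above (a visible page script that SHA-256s the password only adds one hash to each guess) and the sub-key advice from post #3 (derive per-layer keys from one key rather than reusing it), worked through as an added example. This is not code from the thread: it puts the weak form (a bare SHA-256 of the passphrase) beside a salted, iterated KDF (PBKDF2-HMAC-SHA256 from the Python standard library) and derives one independent sub-key per cipher layer from the resulting master key. The salt, iteration count, layer labels and sample passphrase are constructed for illustration; the label-based sub-key derivation is an HKDF-Expand-style construction chosen here, not something the thread specifies.

```python
"""Passphrase handling for the 'one passphrase, several layers' design.

Added example (not code from the thread). Weak form beside the stronger
form, plus per-layer sub-keys derived from one master key. The salt,
iteration count, labels and sample passphrase are constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000      # per-guess cost; raise as far as your hardware allows
KEY_LEN = 32


def weak_key(passphrase: str) -> bytes:
    # Weak: one unsalted SHA-256 per guess. A visible page script that does
    # this adds only a single hash to the attacker's cost per candidate password.
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def derive_master_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    # Stronger: the salt defeats precomputed tables and the iteration count
    # multiplies the work of every guess. The salt itself need not be secret;
    # it is stored or sent alongside the message.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def derive_subkey(master: bytes, label: bytes, length: int = KEY_LEN) -> bytes:
    # One independent sub-key per layer (HKDF-Expand style, single block;
    # assumption: length <= 32). Distinct labels give unrelated keys, so no
    # two cipher layers share a key even though the user typed one passphrase.
    if not 1 <= length <= hashlib.sha256().digest_size:
        raise ValueError("length must be 1..32 for a single HMAC-SHA256 block")
    return hmac.new(master, label + b"\x01", hashlib.sha256).digest()[:length]


def layer_keys(passphrase: str, salt: bytes, layers, iterations: int = ITERATIONS) -> dict:
    # Master key once (the expensive step), then a cheap sub-key per named layer.
    master = derive_master_key(passphrase, salt, iterations)
    return {name: derive_subkey(master, b"layer:" + name.encode("utf-8")) for name in layers}


def verify_passphrase(candidate: str, salt: bytes, expected_master: bytes,
                      iterations: int = ITERATIONS) -> bool:
    # Re-derive and compare in constant time.
    return hmac.compare_digest(derive_master_key(candidate, salt, iterations), expected_master)


if __name__ == "__main__":
    salt = os.urandom(16)                            # fresh per message
    keys = layer_keys("correct horse battery staple", salt, ["blowfish", "aes"])
    for name, key in keys.items():
        print(name, key.hex())
```

The recipient recomputes the same sub-keys from the passphrase and the transmitted salt, so the only thing that must stay secret is the passphrase; what the iteration count buys is that each guess at it now costs the attacker hundreds of thousands of hash operations instead of one.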
  #10
    Contributing User, Devshed Newbie (0 - 499 posts). Join Date: Sep 2006; Posts: 110; Rep Power: 53.
    Originally Posted by B-Con
    That's a subjective opinion, and not everyone totally agrees on that. Serpent isn't a bad choice, though, it definitely ranks right there with Rijndael, at a minimum.
    Yes, sorry, I agree that it's subjective. I have no proof that Serpent is more secure than Rijndael. My thoughts are based on this, which in turn seems to be based on subjective thoughts.

    Brgs Robert.
  #11
    Contributing User, Devshed Newbie (0 - 499 posts). Join Date: Nov 2006; Posts: 42; Rep Power: 8.
    Yes, but is better to change the pass phrase a bit... Double encryption results in a cypher that is at least as secure as the most secure of the two cyphers used. Double the time? I do not agree - it depends on the complexity of the two cyphers. The further apart they are mathematically, the greater the complexity IFF you use them correctly...

    If you use the same key for both cyphers, then it really isn't worth it, but if you use a different key for each cypher (or use the same cypher with different keys, for that matter) then the complexity goes way up. If key 1 is n bits long, and key 2 is m bits long, then the complexity is 2^(m+n). This is because you don't know when you have broken the first key - both keys must be broken at the same time before you get plaintext.

    Ron.
    Last edited by rascalcode; November 25th, 2006 at 06:55 AM. Reason: (bad logic)
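The meet-in-the-middle attack B-Con describes in post #2, and the 2^(m+n) figure discussed in post #11, worked through on a toy cipher as an added example (not code from the thread). The cipher is a constructed 4-round Feistel network with a 16-bit block and an 8-bit key, chosen so the whole key space can be searched in milliseconds; its round function, key schedule, sample keys and sample plaintexts are all made up for illustration. The attack encrypts one known plaintext under every first-layer key, then decrypts the matching ciphertext under every second-layer key and looks for a collision, so two layers with independent n-bit keys cost about 2 * 2^n cipher calls plus a table of 2^n entries rather than 2^(2n), which is the point B-Con makes about one extra bit of security.

```python
"""Meet-in-the-middle against double encryption with a toy Feistel cipher.

Constructed example: 16-bit block, 8-bit key, 4 Feistel rounds. Nothing here
is a real cipher; the point is to count work, not to be secure.
"""
ROUNDS = 4
KEY_BITS = 8
KEYSPACE = 1 << KEY_BITS          # 256 possible keys per layer


def _subkey(key, i):
    # Toy key schedule (constructed): one 8-bit subkey per round.
    return (key + 37 * i) & 0xFF


def _f(half, subkey):
    # Toy round function on an 8-bit half (constructed, non-linear).
    x = (half + subkey) & 0xFF
    x = ((x << 3) | (x >> 5)) & 0xFF
    return (x * 0x2B + 0x5D) & 0xFF


def toy_encrypt(block, key):
    # Feistel: any round function gives a bijection, so decryption is exact.
    left, right = block >> 8, block & 0xFF
    for i in range(ROUNDS):
        left, right = right, left ^ _f(right, _subkey(key, i))
    return (left << 8) | right


def toy_decrypt(block, key):
    left, right = block >> 8, block & 0xFF
    for i in reversed(range(ROUNDS)):
        left, right = right ^ _f(left, _subkey(key, i)), left
    return (left << 8) | right


def double_encrypt(block, k1, k2):
    # Layer 1 with k1, layer 2 with k2: C = E_k2(E_k1(P)).
    return toy_encrypt(toy_encrypt(block, k1), k2)


def double_decrypt(block, k1, k2):
    return toy_decrypt(toy_decrypt(block, k2), k1)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known plaintext/ciphertext pairs.

    Table of E_k1(P) for every k1, then D_k2(C) for every k2 looked up in
    that table. Work is 2 * KEYSPACE cipher calls plus the table, not
    KEYSPACE ** 2. Extra pairs weed out chance collisions (a 16-bit block
    yields about one false match per 2^16 key pairs tried).
    Returns (surviving key pairs, cipher calls in the two passes).
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}
    calls = 0
    for k1 in range(KEYSPACE):
        table.setdefault(toy_encrypt(p0, k1), []).append(k1)
        calls += 1
    candidates = []
    for k2 in range(KEYSPACE):
        calls += 1
        for k1 in table.get(toy_decrypt(c0, k2), []):
            candidates.append((k1, k2))
    survivors = [(k1, k2) for k1, k2 in candidates
                 if all(double_encrypt(p, k1, k2) == c for p, c in rest)]
    return survivors, calls


def naive_search_work():
    # Cost of trying every (k1, k2) pair directly, for comparison.
    return KEYSPACE ** 2


if __name__ == "__main__":
    k1, k2 = 0x3C, 0xA7                      # constructed secret keys
    pairs = [(p, double_encrypt(p, k1, k2)) for p in (0x6162, 0x6364)]
    found, calls = meet_in_the_middle(pairs)
    print("recovered:", [(hex(a), hex(b)) for a, b in found])
    print("cipher calls:", calls, "vs naive", naive_search_work())
```

The trade is memory for time: the table holds one entry per first-layer key, which is why the same idea scales to 3DES's 2^112 effective strength for three layers but makes two layers of any one cipher worth little more than one.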
  #12
    Registered User, Devshed Newbie (0 - 499 posts). Join Date: Mar 2013; Posts: 13; Rep Power: 0.
    Originally Posted by B-Con
    However, if you add a third layer of encryption, then you're talking -- this is the idea behind 3DES. You apply the encryption function the first layer, the decryption function (different key) for the second layer, then the encryption function (original or different key, your choice) for the third and last layer. Although you could use different encryption algorithms (AES, Blowfish, Twofish, etc) for each layer if you wanted.
    Sorry for resurrecting an old thread, but I just found this and I have questions about it.

    So well...does that mean that when you go do the decryption process, you have to roll backwards? So...you need to use whatever algorithm was used in the 3rd layer to decrypt; then encrypt it again using the same algorithm in the second, and then finally decrypt it again using the algorithm that was used in the first?

    How can you be sure that the randomization of the initialization vectors (for AES for example) is consistent enough that you would be able to fully decrypt it back to the original plaintext?

    Does this mean that technically you can add any number of layers you want to it? And would adding more layers necessarily guarantee more security for the additional complexity or would it just be more complex, but the increase in security is NOT proportional to the increase in complexity?

    Wouldn't that mean that key and/or passphrase management is actually the (no pun intended) key to the whole thing? The content itself isn't always necessarily the most important, but if you lose your keys, the chances of you breaking back into your house are well....super slim.
  #13
    Contributing User, Devshed Newbie (0 - 499 posts). Join Date: Feb 2009; Posts: 191; Rep Power: 50.
    To start, I will disagree with B-Con's original reply from years ago. The argument that triple encryption is necessary makes sense if and only if the motivation is to protect against exhaustive search (that is, testing every possible key).

    When 3-DES was standardized, exhaustive search was the motivation, because the DES key was too short to be secure against modern computer power. (The expected average search to crack DES is 2^55).

    However, this does not apply to today's block ciphers. Unless the cipher is broken, the average search complexity is at least 2^127. This is not only impractical to compute today, but is very likely to remain so for many years to come. Therefore, double encryption to increase the exhaustive search cost doesn't make sense.

    The only sensible reason I know for double encrypting with distinct modern block ciphers, is as a form of "insurance" against a cryptographic break against one of the ciphers. Suppose a break is found in cipher A that reduces the search complexity from 2^127 to 2^70 -- 2^70 is near the range of affordability, and will become less expensive year by year. But if data is double-encrypted with ciphers A and B, it will remain secure even after A is broken.

    In fact, even if BOTH ciphers are eventually broken, the remaining search complexity for double encryption could very well keep the message confidential against all practical attacks.

    Although the added protection of using multiple distinct ciphers doesn't necessarily require that each cipher be used with its own key, if someone is taking the time and trouble for double encryption, I think it prudent to use two different keys as well.
    _____________________________________________

    Initialization vectors, needed for some block cipher modes, don't need to be kept secret. It is OK to send the IV "in the clear" along with message, because as you noted, the IVs MUST match. For example, the first "block" can simply be the IV.

    But it is a good idea to apply message authentication (such as a MAC or digital signature) to ensure that neither the IV nor ciphertext have been tampered with, or are forgeries. In fact, authentication is a recommended practice whether you send an IV with the message or not.
    _____________________________________________

    Yes, key management is the key. It's the biggest practical problem in cryptography, and failures in key management mean loss of confidentiality and/or data -- no matter how good the ciphers may be.

    But the risks of key management failure are no better or worse, whether single or multiple encryption is used. Even with single encryption, if the key is truly lost, recovery of the data is a practical impossibility.
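The IV and authentication advice in the post above, as an added example (not code from the thread): the IV travels in the clear as the first "block" of the message, and a MAC computed over the IV and the ciphertext together is checked, in constant time, before anything is decrypted, so a modified IV or ciphertext is rejected rather than silently producing garbage. The cipher here is a stand-in so the example runs on the Python standard library alone: a CTR-style stream cipher whose keystream is HMAC-SHA256(enc_key, iv || counter). With a real block cipher, AES in CTR or CBC mode would take its place and the encrypt-then-MAC framing would stay the same. The key values, IV size and sample message are constructed.

```python
"""IV in the clear plus encrypt-then-MAC.

Added example, not code from the thread. The 'cipher' is a stand-in CTR-style
keystream built from HMAC-SHA256 so everything runs on the standard library;
substitute a real block cipher mode in production. Keys and sample data are
constructed.
"""
import hashlib
import hmac
import os

IV_LEN = 16
TAG_LEN = 32     # HMAC-SHA256 output


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    # Stand-in for a block cipher in counter mode: block i = PRF(key, iv || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes, iv: bytes = None) -> bytes:
    """Return iv || ciphertext || tag.

    The IV is sent in the clear as the first 'block'. The tag covers the IV
    as well as the ciphertext, so neither can be altered unnoticed. Separate
    keys are used for encryption and authentication.
    """
    iv = os.urandom(IV_LEN) if iv is None else iv
    if len(iv) != IV_LEN:
        raise ValueError("IV must be %d bytes" % IV_LEN)
    ciphertext = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return iv + ciphertext + tag


def _split(message: bytes):
    if len(message) < IV_LEN + TAG_LEN:
        raise ValueError("message too short to hold IV and tag")
    return message[:IV_LEN], message[IV_LEN:-TAG_LEN], message[-TAG_LEN:]


def is_authentic(mac_key: bytes, message: bytes) -> bool:
    # Verify before decrypting; constant-time compare avoids a timing leak.
    try:
        iv, ciphertext, tag = _split(message)
    except ValueError:
        return False
    expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def verify_and_decrypt(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    if not is_authentic(mac_key, message):
        raise ValueError("authentication failed: IV or ciphertext was modified")
    iv, ciphertext, _ = _split(message)
    return _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    msg = encrypt_then_mac(enc_key, mac_key, b"meet at noon")
    print("authentic:", is_authentic(mac_key, msg))
    print("plaintext:", verify_and_decrypt(enc_key, mac_key, msg))
```

Because the IV is inside the MAC, a recipient that receives a forged or bit-flipped IV rejects the whole message; without the MAC, the same modification would decrypt without error to wrong plaintext, which is the tampering risk the post warns about.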
  #14
    Registered User, Devshed Newbie (0 - 499 posts). Join Date: Mar 2013; Posts: 13; Rep Power: 0.
    So if you HAVE to transmit keys (say via email) - what would be the best practices for doing so? How can you keep it secure, yet reasonable and practical?
  #15
    Contributing User, Devshed Newbie (0 - 499 posts). Join Date: Feb 2009; Posts: 191; Rep Power: 50.
    Oy, that's a Very Big Topic. Of course, emailing key information for a block cipher is desperately insecure! Never, ever do such a thing, unless you are OK with the whole world being able to read the encrypted messages.

    Read up on "public key cryptography," which I'll call PKC for short. Although PKC offers some powerful tools for key distribution, it does NOT truly solve the key management problem -- still the great unsolved problem of cryptography.

    To give the short version of the story, you can use PKC to send a secret (for example, an AES key) by email, with confidence that a snoop who intercepts the message cannot extract the secret. BUT, there are numerous ways to do PKC wrong, that WILL compromise security. And even if you do everything right, whoever is receiving the key (or negotiating the key, if it is a key-exchange protocol) could be deceived by an impostor pretending to be the other trusted party -- and end up sending secrets to an enemy, or accepting encrypted messages from an enemy, thinking they came from a trusted party.

    Trying to solve the impostor problem gets into authentication, chains of trust, hierarchies of signed certificates, and a whole host of other issues. And despite a whole lot of really smart people doing a whole lot of work to try and make all this stuff secure, there are still plenty of ways it can go wrong -- and sometimes does go wrong in the real world.

    If you are working in a situation where security is of real, practical importance, then the wise thing to do is to use systems and tools that are already available, AFTER taking the time to learn how to use them properly, and to understand what are the traps you must avoid.

    If for whatever reason, you simply CANNOT USE EXISTING TOOLS, then you had better be prepared to spend at least a few months studying how all these things work, and how they fail. And then, you must be prepared for a high degree of risk that your home-made system will have some simple mistake that makes it terribly insecure compared to off-the-shelf systems like OpenSSL and gpg.

    In the field of security -- ESPECIALLY cryptography -- if you get one thing wrong, it usually won't matter that you got 9,999 other things right. The tiniest mistake can sink the whole great ship.