[cryptography] Repeated Encryptions Considered.... ?

Tom Ritter tom at ritter.vg
Sat Jun 18 23:44:36 EDT 2011


I'm wondering what the general opinion of folks is for repeated
encryptions - either accidentally or on purpose.  Applied Cryptography
devotes a chapter to it, and I'm more interested in cascades -
multiple algorithms: RC4 k1(AES k2(plaintext)) .  The general opinion
I've heard is "It's a bad idea, you shouldn't do it" - but I want to
revisit that.

There are legitimate reasons for *not* doing it, but they're more
about the engineering. Twice as much code, twice as many possibilities
for bugs.  Twice the key material, twice the key storage.  More work,
no practical security gained.  None of these address the idea that the
double encryption aids any sort of
chosen-plaintext/known-plaintext/chosen-ciphertext/or other attack.
(Although the exposure of a oracle enabling an attack in such a system
*would* be system-specific, and there's no standardized system for
this to my knowledge - so it may be a case of 'Create one, and give an
incentive to break it.')

I got in a discussion recently about this, in the specific case of
encrypting something in javascript, and then again in SSL.  Trying to
avoid the argument over javascript crypto I thought it was absurd that
NOT using SSL was a reasonable decision.  The response was the 'don't
double encrypt' argument, without any real facts to back it up.
Applied Crypto shows how it doesn't always provide the security you
expect it - but it doesn't go so far as to say it *decreases*
security.  Even the notion of a block cipher being a group (I don't
know of any semi-popular ones that are) wouldn't decrease security,
just keep it at the strength of a single encrypt.  And double-encrypt
in this context *is* used all the time - any S/Mime/OpenPGP mail
traveling over SSL or any encrypted file over SSH.

-tom



More information about the cryptography mailing list