[cryptography] Repeated Encryptions Considered.... ?

David Johnston dj at deadhat.com
Sun Jun 19 22:00:05 EDT 2011

On 6/19/2011 3:28 PM, Jack Lloyd wrote:
>> the last, if you don't know enough to just pick the strongest cipher and
>> be done with it without compounding?
> In this case, the assumption is that XSalsa20 is stronger than
> AES. AES is just the window dressing for those who insist that it be
> used (eg NIST and co).
> -Jack
We don't use AES because NIST says to. We use it because it externalizes 
the security claims. I might claim that XSalsa20 is strong, but lots of 
other people claim that AES is strong and lots of people who don't know 
how to tell the difference know that lots of people who do know how to 
tell the difference think AES is strong.

If I put XSalsa20 in a product or standard, where people might expect to 
see AES, and said to the world "Trust me, I know it's ok", I would be 
crucified. I need to make stuff that is both secure and meets people's 
expectations, however ill founded. Put more simply, no one got fired for 
choosing AES.

Multilayering crypto makes sense in the context that the probability of 
at least one of the algorithms being unbroken is lower than the 
probability of any individual one. However I expect that in any real 
system using ostensibly 'good' crypto, the algorithm is not the weakest 
part of the system. Rather than adding a second layer of crypto, I would 
apply my efforts elsewhere.
