[cryptography] Repeated Encryptions Considered.... ?
dj at deadhat.com
Sun Jun 19 22:00:05 EDT 2011
On 6/19/2011 3:28 PM, Jack Lloyd wrote:
>> the last, if you don't know enough to just pick the strongest cipher and
>> be done with it without compounding?
> In this case, the assumption is that XSalsa20 is stronger than
> AES. AES is just the window dressing for those who insist that it be
> used (eg NIST and co).
We don't use AES because NIST says to. We use it because it externalizes
the security claims. I might claim that XSalsa20 is strong, but lots of
other people claim that AES is strong and lots of people who don't know
how to tell the difference know that lots of people who do know how to
tell the difference think AES is strong.

If I put XSalsa20 in a product or standard, where people might expect to
see AES, and said to the world "Trust me, I know it's ok", I would be
crucified. I need to make stuff that is both secure and meets people's
expectations, however ill founded. Put more simply, no one got fired for

Multilayering crypto makes sense in the context that the probability of
at least one of the algorithms being unbroken is lower than the
probability of any individual one. However I expect that in any real
system using ostensibly 'good' crypto, the algorithm is not the weakest
part of the system. Rather than adding a second layer of crypto, I would
apply my efforts elsewhere.