[cryptography] Compositing Ciphers?

Nico Williams nico at cryptonector.com
Fri Sep 6 20:58:03 EDT 2013

On Fri, Sep 6, 2013 at 7:27 PM, Jeffrey Walton <noloader at gmail.com> wrote:
> I've been thinking about running a fast inner stream cipher (Salsa20
> without a MAC) and wrapping it in AES with an authenticated encryption
> mode (or CBC mode with {HMAC|CMAC}).

My own very subjective opinion is that assuming all of: constant time
implementations, an appropriate cipher mode, proper {key management,
RNG, local end-point security}, then AES is perfectly safe.

Of course, that's a lot of assumptions!  You'll almost certainly fail
at the local end-point security part.  Long before your choice of
ciphers is attacked your systems/protocols will have succumbed to
other, cheaper attacks -- assuming they are targeted at all.

> I'm aware of, for example, NSA's Fishbowl running IPSec at the network
> layer (the "outer" encryption) and then SRTP and the application
> level (the "inner" encryption). But I'd like to focus on hardening one
> cipherstream at one level, and not cross OSI boundaries.

If you have the hardware for it, that's fine.  I wouldn't bother
composing ciphers in any given layer.

> Has anyone studied the configuration and security properties of an
> inner stream cipher with an outer block cipher?

Well, yes, it's been studied.  Look for papers on 3DES, for example.
Make sure not to make mistakes that leave you susceptible to
meet-in-the-middle type attacks.  But, really, first make sure that
you've covered the other bases, the ones that are going to be your
Achilles' heel if you don't, such that your adversaries have no choice
but to attack the crypto.  THEN concern yourself with improving the

IMO.  Also, IANAC.
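
Added example (not part of the original message or of either poster's code): the meet-in-the-middle concern raised above, worked through on a constructed toy cipher. With two layers under independent 12-bit keys and two known plaintext/ciphertext pairs, the key search costs about 2 * 2^12 cipher operations instead of 2^24, which is why stacking two ciphers does not double the effective key length. The toy cipher, key sizes and sample values are assumptions made for illustration.

```python
from collections import defaultdict

KEY_BITS = 12                      # toy key size per layer (assumption)
MASK = 0xFFFFFFFF                  # 32-bit toy block
MUL = 0x85EBCA6B                   # odd, so invertible mod 2**32
MUL_INV = pow(MUL, -1, 1 << 32)

def toy_encrypt(key, block):
    """Constructed 4-round toy cipher for the demo; NOT a real cipher."""
    x = block
    for r in range(4):
        x = (x + key * 0x9E3779B1 + r) & MASK
        x = (x * MUL) & MASK
        x = ((x << 13) | (x >> 19)) & MASK      # rotate left by 13
    return x

def toy_decrypt(key, block):
    x = block
    for r in reversed(range(4)):
        x = ((x >> 13) | (x << 19)) & MASK      # rotate right by 13
        x = (x * MUL_INV) & MASK
        x = (x - key * 0x9E3779B1 - r) & MASK
    return x

def double_encrypt(k1, k2, block):
    return toy_encrypt(k2, toy_encrypt(k1, block))   # inner k1, outer k2

def meet_in_the_middle(pairs):
    """Return (candidate key pairs, upper bound on cipher operations used)."""
    (p1, c1), rest = pairs[0], pairs[1:]
    ops = 2 << KEY_BITS                      # one pass per layer, not a product
    forward = defaultdict(list)
    for k1 in range(1 << KEY_BITS):          # encrypt forward from the plaintext
        forward[toy_encrypt(k1, p1)].append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):          # decrypt backward from the ciphertext
        for k1 in forward.get(toy_decrypt(k2, c1), ()):
            ops += 2 * len(rest)             # confirm the match on the other pairs
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found, ops

def demo():
    k1, k2 = 0x3A7, 0xC15                    # constructed sample keys
    pts = [0x01234567, 0x89ABCDEF]           # constructed known plaintexts
    pairs = [(p, double_encrypt(k1, k2, p)) for p in pts]
    found, ops = meet_in_the_middle(pairs)
    return (k1, k2), found, ops
```

The search stores one table of 2^12 middle values, so the saving in time is paid for in memory; the same trade-off is why two-key double encryption is treated as roughly single-key strength.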

