[cryptography] Compositing Ciphers?

Jeffrey Walton noloader at gmail.com
Fri Sep 6 22:01:29 EDT 2013

On Fri, Sep 6, 2013 at 8:58 PM, Nico Williams <nico at cryptonector.com> wrote:
> On Fri, Sep 6, 2013 at 7:27 PM, Jeffrey Walton <noloader at gmail.com> wrote:
>> I've been thinking about running a fast inner stream cipher (Salsa20
>> without a MAC) and wrapping it in AES with an authenticated encryption
>> mode (or CBC mode with {HMAC|CMAC}).
> My own very subjective opinion is that assuming all of: constant time
> implementations, an appropriate cipher mode, proper {key management,
> RNG, local end-point security}, then AES is perfectly safe.
> Of course, that's a lot of assumptions!  You'll almost certainly fail
> at the local end-point security part.
Yeah, I agree.

I only have so much control over the OS (more with Linux, less with
Apple or Microsoft). Dr. Gutmann paints an ominous picture in his
book, estimating between 1 and 2 million bugs for an OS with 50 - 100
million lines of code (cf., page 370).

But I control 100% of the channel and bulk data transfer.

I guess it boils down to: accept defeat or keep fighting.

>> I'm aware of, for example, NSA's Fishbowl running IPSec at the network
>> layer (the "outer" encryption) and then SRTP at the application
>> level (the "inner" encryption). But I'd like to focus on hardening one
>> cipherstream at one level, and not cross OSI boundaries.
> If you have the hardware for it, that's fine.  I wouldn't bother
> composing ciphers in any given layer.
So would that be a recommendation for encryption at two different
levels (network and application) like the NSA's Fishbowl architecture?

I could set up the VPN with only mild discomfort. But Apple and
Microsoft VPN software are a "trust us" black box, so I'm not sure it
adds any real value when viewed with suspicion. (And I can't roll my
own in-app VPN software because of restrictions on raw sockets and

>> ... But, really, first make sure that
> you've covered the other bases, the ones that are going to be your
> Achilles' heel if you don't, such that your adversaries have no choice
> but to attack the crypto.  THEN concern yourself with improving the
> crypto.
Yes, agreed. But you can't turn off tunnel vision or OCD.
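The composition sketched at the top of the thread (fast unauthenticated inner stream cipher, outer AES in an authenticated mode) as an added example; this is not code from the thread or from either poster. Assumptions: ChaCha20, from the same family as Salsa20, stands in for Salsa20 because that is what the `cryptography` package ships; AES-256-GCM is the outer mode; the two layer keys are derived independently from one master secret with HKDF so the cascade never reuses a key across layers.

```python
# Added example (not from the thread). Assumed stand-ins: ChaCha20 for the
# inner Salsa20 stream, AES-256-GCM for the outer authenticated layer.
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives import hashes
from cryptography.exceptions import InvalidTag

def derive_layer_keys(master: bytes) -> tuple:
    """Independent keys per layer: wrapping one cipher in another gains nothing
    if both layers share a key, so split the master with distinct HKDF labels."""
    def sub(label: bytes) -> bytes:
        return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                    info=label).derive(master)
    return sub(b"inner-chacha20"), sub(b"outer-aes-gcm")

def inner_stream(key: bytes, nonce16: bytes, data: bytes) -> bytes:
    # Raw keystream XOR, no MAC: encryption and decryption are the same call.
    c = Cipher(algorithms.ChaCha20(key, nonce16), mode=None).encryptor()
    return c.update(data) + c.finalize()

def seal(master: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    k_in, k_out = derive_layer_keys(master)
    n_in, n_out = os.urandom(16), os.urandom(12)
    inner_ct = inner_stream(k_in, n_in, plaintext)
    # The outer AEAD tag covers the inner nonce and the inner ciphertext,
    # so the malleable inner layer is never exposed unauthenticated.
    outer_ct = AESGCM(k_out).encrypt(n_out, n_in + inner_ct, aad)
    return n_out + outer_ct

def open_(master: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    k_in, k_out = derive_layer_keys(master)
    n_out, outer_ct = blob[:12], blob[12:]
    # Verify-then-decrypt: a modified blob raises InvalidTag here, before
    # any inner-layer processing happens.
    inner = AESGCM(k_out).decrypt(n_out, outer_ct, aad)
    n_in, inner_ct = inner[:16], inner[16:]
    return inner_stream(k_in, n_in, inner_ct)

def tamper_is_detected(master: bytes, blob: bytes) -> bool:
    """Flip one bit of the outer tag and confirm the cascade rejects it."""
    flipped = bytearray(blob)
    flipped[-1] ^= 0x01
    try:
        open_(master, bytes(flipped))
        return False
    except InvalidTag:
        return True
```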
