In message <[EMAIL PROTECTED]>, Eivind Eklund writes:
>On Sat, May 20, 2000 at 10:40:01AM -0700, David Honig wrote:
>> At 11:07 AM 5/20/00 -0400, Steven M. Bellovin wrote:
>> >concern buggy crypto modules, and ask yourself how using triple AES
>> >would have helped.))
>>
>> Was this a slip of the finger or are you proposing a 3x256-bit key
>> mode for the reeealy paranoid?
>
>3x256 bit isn't enough for the reeeeally paranoid.
>
>For protection against the intelligence agencies, I do not trust any single
>cipher. I want at least three different ciphers (ones that are generally
>considered pretty secure), each running in EDE (3x) mode, and preferably
>with different design principles.
... Etc.
You miss my point entirely. At even the level I suggest (and no,
"triple AES" was not a typo), the cipher is not the weakest link. Have
you guarded against TEMPEST? Tailored viruses? Physical bugs in your
keyboard? Cameras in your ceiling? Differential power analysis?
Bribing or suborning your co-conspirators? A subpoena attack? In some
countries, rubber hose cryptanalysis? Bugs in your software or your
procedures? Plaintext left lying around? What about the cryptographic
protocols you wrap around the cipher? For that matter, how are you
going to guard or remember your private and/or symmetric key?
Good ciphers are certainly very important, but they're far from the
only cause of security problems. In most cases, they're not even the major
issue. In fact, adding too much complexity -- in, say, the software
you need to implement your three rounds of cipher, your key mix, your
public key ciphers, your Merkle puzzles -- can itself be a problem.
--Steve Bellovin