Re: [cryptography] Compositing Ciphers?
On 09/06/2013 08:27 PM, Jeffrey Walton wrote:
> Hi All,
>
> With all the talk of the NSA poisoning NIST, would it be wise to composite ciphers? (NY Times, Guardian, Dr. Green's blog, et seq).
>
> I've been thinking about running a fast inner stream cipher (Salsa20 without a MAC) and wrapping it in AES with an authenticated encryption mode (or CBC mode with {HMAC|CMAC}).
>
> I'm aware of, for example, NSA's Fishbowl running IPSec at the network layer (the outer encryption) and then SRTP at the application level (the inner encryption). But I'd like to focus on hardening one cipherstream at one level, and not cross OSI boundaries.
>
> I'm also aware of the NSA's lightweight block ciphers (http://eprint.iacr.org/2013/404). I may have been born at night, but it was not last night.

Just FYI: I spoke to Adi Shamir recently (he is doing a lecture series at Courant), and he said he had looked at SIMON and SPECK and did not see anything wrong with them. Shamir is, of course, a world-renowned cryptanalyst, responsible for breaking FEAL and DES, for example.

> Has anyone studied the configuration and security properties of an inner stream cipher with an outer block cipher?
>
> Jeff

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Compositing Ciphers?
On Fri, Sep 6, 2013 at 5:53 PM, Natanael natanae...@gmail.com wrote:
> Apparently it's called cascade encryption or cascade encipherment

More generally it's known as a product cipher, which underlies things like Feistel Networks which were used to compose algorithms like DES:

https://en.wikipedia.org/wiki/Product_cipher

If A1 and A2 are secure PRGs, and we encrypt message m under the keystream of A1(k1) ⊕ A2(k2) [where k1 and k2 are unrelated randomly generated keys], the resulting cipher is at least as strong as the strongest of the two ciphers. This can provide a failsafe if a cryptanalysis is found for either of the two ciphers.

-- 
Tony Arcieri
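The keystream-XOR combiner Tony describes above, written out as an added example (this code is not from the thread or from any of its participants). Two PRGs with independent keys k1 and k2 are expanded to keystreams, the keystreams are XORed, and the message is XORed with the result. The PRGs are stand-ins chosen so the script runs with only the Python standard library, which is an assumption of the demo rather than the Salsa20/AES pairing Jeff asked about: A1 is HMAC-SHA256 driven in counter mode, A2 is SHAKE256 squeezed from a domain-separated key and nonce. The last function models the failure mode the combiner is meant to survive: an attacker who has completely broken A1 (here, learned k1) strips A1's keystream and is left with the plaintext still masked by A2(k2).

```python
"""Keystream-XOR combiner of two independent PRGs (added example, not from the thread).

Construction: c = m XOR A1(k1) XOR A2(k2), with k1 and k2 generated independently.
The PRGs below are standard-library stand-ins (an assumption of this demo, not
the Salsa20/AES pair under discussion):
  A1 = HMAC-SHA256 in counter mode
  A2 = SHAKE256 extendable output, domain-separated from A1
Confidentiality only: a MAC over the ciphertext is still required, and a
(k1, k2, nonce) triple must never be reused, exactly as with any stream cipher.
"""
import hashlib
import hmac
import os


def keystream_a1(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRG A1: concatenate HMAC-SHA256(key, nonce || counter) blocks, truncate."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def keystream_a2(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRG A2: SHAKE256 squeezed from a labelled key || nonce."""
    return hashlib.shake_256(b"combiner-A2" + key + nonce).digest(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def combined_keystream(k1: bytes, k2: bytes, nonce: bytes, length: int) -> bytes:
    """A1(k1) XOR A2(k2): pseudorandom as long as either PRG is, given independent keys."""
    return xor_bytes(keystream_a1(k1, nonce, length), keystream_a2(k2, nonce, length))


def encrypt(k1: bytes, k2: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # The failsafe argument needs two *independent* keys; reject the obvious misuse.
    if len(k1) < 32 or len(k2) < 32:
        raise ValueError("use two independent 256-bit keys")
    if k1 == k2:
        raise ValueError("k1 and k2 must be generated independently, not shared")
    return xor_bytes(plaintext, combined_keystream(k1, k2, nonce, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream is its own inverse


def view_with_a1_broken(k1: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Model a total break of A1: the attacker knows k1 and strips A1's keystream.
    What remains is plaintext XOR A2(k2), i.e. still encrypted under the surviving PRG."""
    return xor_bytes(ciphertext, keystream_a1(k1, nonce, len(ciphertext)))


if __name__ == "__main__":
    k1, k2, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    msg = b"attack at dawn"  # constructed sample message
    ct = encrypt(k1, k2, nonce, msg)
    assert decrypt(k1, k2, nonce, ct) == msg
    assert view_with_a1_broken(k1, nonce, ct) != msg
    print("round trip ok; with A1 broken the attacker still sees only:",
          view_with_a1_broken(k1, nonce, ct).hex())
```

Two things worth noting about the design. The argument is symmetric in A1 and A2 only because the keystreams are XORed; for a sequential cascade E2(E1(m)) of the kind Jeff proposed (one cipher's output fed into the other), the classic result of Maurer and Massey (1993) guarantees only that the cascade is at least as strong as its first cipher. And the combiner buys nothing if k2 is derived from k1, or if the same nonce is reused under the same keys, which is why the script refuses equal keys and the docstring insists on fresh nonces.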
Re: [cryptography] Compositing Ciphers?
We have a purely (now mostly) all-symmetric key protocol: Needham-Schroeder -- Kerberos. Guess what: it doesn't scale, not without a strong dose of PK (and other things). Worse, its trusted third parties can do more than MITM/impersonate you like PKI's: they get to see your session keys (unless you add PFS, of course). For PFS you need asymmetric crypto. To scale you need asymmetric crypto *and* trusted third parties. To communicate at all you need peers to communicate with, peers who can turn on you, or just plain screw up, or get conned.

Square #1, how well we know thee.

Symmetric-only crypto isn't the answer, and evidently neither is PK crypto. With or without crypto, our problems are human problems. A combination of PK and symmetric crypto is the best we can do in a classical world, and transitive trust is the only way to scale to billions (or even just a few tens of thousands) of people. All of which means that there will always be some degree of insecurity, as it always was before the modern era, and as it has to be. Because we have free will.

I don't know what a post-quantum number factoring world will look like... a bit bleak I guess, at least for a while, but hardly much bleaker than much of the past one hundred years.

BTW, if it's the PRISMs that animate you: that is the land of politics; and crypto is not the answer you seek, it's just a tool. A tool that might play a bi[tg] part in debates and their outcomes, but still, just a tool, not a panacea.

[In theory Kerberos with hierarchical and web of trust could scale. No one has attempted to scale it past a few .EDUs and a few .MILs. With PKINIT and PKCROSS -- bridges to PK[I] -- and trust routing it could scale, and it'd then have roughly the properties PKI could have / should have had with OCSP done right (i.e., stapled, and from the get-go). Kerberos still has a long life ahead of it in corporate and university networks, I'm fairly certain of that. But without PK it can't scale to Internet scale. I don't think any other all-symmetric key cryptographic protocols can do better than Needham-Schroeder.]

Nico
-- 
Re: [cryptography] Compositing Ciphers?
Jeffrey Walton noloa...@gmail.com wrote:
> With all the talk of the NSA poisoning NIST, would it be wise to composite ciphers? (NY Times, Guardian, Dr. Green's blog, et seq).
>
> I've been thinking about running a fast inner stream cipher (Salsa20 without a MAC) and wrapping it in AES with an authenticated encryption mode (or CBC mode with {HMAC|CMAC}).

I did a paper on that sort of thing a while back:

http://eprint.iacr.org/2008/473

A much improved version is in the works, but not done.
Re: [cryptography] Compositing Ciphers?
On Fri, Sep 6, 2013 at 7:27 PM, Jeffrey Walton noloa...@gmail.com wrote:
> I've been thinking about running a fast inner stream cipher (Salsa20 without a MAC) and wrapping it in AES with an authenticated encryption mode (or CBC mode with {HMAC|CMAC}).

My own very subjective opinion is that assuming all of: constant time implementations, an appropriate cipher mode, proper {key management, RNG, local end-point security}, then AES is perfectly safe. Of course, that's a lot of assumptions! You'll almost certainly fail at the local end-point security part. Long before your choice of ciphers is attacked your systems/protocols will have succumbed to other, cheaper attacks -- assuming they are targeted at all.

> I'm aware of, for example, NSA's Fishbowl running IPSec at the network layer (the outer encryption) and then SRTP at the application level (the inner encryption). But I'd like to focus on hardening one cipherstream at one level, and not cross OSI boundaries.

If you have the hardware for it, that's fine. I wouldn't bother composing ciphers in any given layer.

> Has anyone studied the configuration and security properties of an inner stream cipher with an outer block cipher?

Well, yes, it's been studied. Look for papers on 3DES, for example. Make sure not to make mistakes that leave you susceptible to meet-in-the-middle type attacks.

But, really, first make sure that you've covered the other bases, the ones that are going to be your Achilles' heel if you don't, such that your adversaries have no choice but to attack the crypto. THEN concern yourself with improving the crypto. IMO. Also, IANAC.

Nico
-- 
Re: [cryptography] Compositing Ciphers?
On Fri, Sep 6, 2013 at 8:53 PM, Natanael natanae...@gmail.com wrote:
> http://blog.cryptographyengineering.com/2012/02/multiple-encryption.html
>
> Apparently it's called cascade encryption or cascade encipherment, and the implementations are apparently called robust combiners.
>
> And by the way, Truecrypt already lets you pick your chosen combo of AES and two other ciphers.

Ah, right. I knew that was called cascading. I'm not sure why I called it compositing (it sucks getting old). I did not know Truecrypt provided it.

> I think you should worry about your PRNG and its seed before you focus on AES. Your key should both have enough entropy and be secret. Is your PRNG backdoored already? And I'm guessing the cipher mode probably matters a bit more than the exact choice of algorithm.

I believe the PRNG is good. The PRNG fetches from the OS, fetches from device sensors (accelerometers, gyroscopes, magnetometers), and practices hedging. I'm more worried about key exchange or agreement.

Jeff
Re: [cryptography] Compositing Ciphers?
On Fri, Sep 6, 2013 at 8:05 PM, Jeffrey Walton noloa...@gmail.com wrote:
> I'm more worried about key exchange or agreement.

The list of things to get right is long. The hardest is getting the implementation right -- don't do all that work just to succumb to a remotely exploitable buffer overflow. Next up is physical security. Then key management. Then all the crypto stuff (ciphers, modes, MACs, hash functions, ...). Then the RNG. That's assuming off-the-shelf crypto algorithms.

And then there's your trusted insiders/counterparties. They are your biggest risk of all, or possibly second biggest, after plain old buffer overflows and similar.

Nico
-- 