Re: [cryptography] Compositing Ciphers?

2013-09-13 Thread Collin RM Stocks



On 09/06/2013 08:27 PM, Jeffrey Walton wrote:

> Hi All,
>
> With all the talk of the NSA poisoning NIST, would it be wise to
> composite ciphers? (NY Times, Guardian, Dr. Green's blog, et seq).
>
> I've been thinking about running a fast inner stream cipher (Salsa20
> without a MAC) and wrapping it in AES with an authenticated encryption
> mode (or CBC mode with {HMAC|CMAC}).
>
> I'm aware of, for example, NSA's Fishbowl running IPSec at the network
> layer (the outer encryption) and then SRTP and the application
> level (the inner encryption). But I'd like to focus on hardening one
> cipherstream at one level, and not cross OSI boundaries.
>
> I'm also aware of the NSA's lightweight block ciphers
> (http://eprint.iacr.org/2013/404). I may have been born at night, but
> it was not last night.



Just FYI: I spoke to Adi Shamir recently (he is doing a lecture series 
at Courant), and he said he had looked at SIMON and SPECK and did not 
see anything wrong with them. Shamir is, of course, a world-renowned 
cryptanalyst, responsible for breaking FEAL and DES, for example.



> Has anyone studied the configuration and security properties of an
> inner stream cipher with an outer block cipher?
>
> Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography




Re: [cryptography] Compositing Ciphers?

2013-09-13 Thread Tony Arcieri
On Fri, Sep 6, 2013 at 5:53 PM, Natanael natanae...@gmail.com wrote:

> Apparently it's called cascade encryption or cascade encipherment


More generally it's known as a product cipher, which underlies things like
Feistel Networks which were used to compose algorithms like DES:

https://en.wikipedia.org/wiki/Product_cipher

If A1 and A2 are secure PRGs, and we encrypt message m under the keystream
of A1(k1) ⊕ A2(k2) [where k1 and k2 are unrelated randomly generated keys],
the resulting cipher is at least as strong as the strongest of the two
ciphers. This can provide a failsafe if a cryptanalysis is found for either
of the two ciphers.

-- 
Tony Arcieri
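The A1(k1) ⊕ A2(k2) combiner described in the message above, as an added Python example that is not part of the thread. The two generators are hash-based stand-ins (an assumption of the example, not Salsa20 or AES-CTR), and the last function shows why the "unrelated keys" condition matters: the same generator under the same key cancels to an all-zero keystream.

```python
import hashlib
import hmac

# Hash-based stand-ins for the two generators (assumptions for this example, not
# real Salsa20 or AES-CTR). Real use also needs a per-message nonce, omitted here.
SAMPLE_K1 = bytes(range(32))            # constructed sample key for A1
SAMPLE_K2 = bytes(range(32, 64))        # constructed, independent sample key for A2
SAMPLE_MSG = b"constructed sample plaintext for the cascade demo"

def keystream_a1(key: bytes, n: int) -> bytes:
    """Generator A1: SHAKE256 used as an extendable-output keystream."""
    return hashlib.shake_256(b"A1|" + key).digest(n)

def keystream_a2(key: bytes, n: int) -> bytes:
    """Generator A2: HMAC-SHA256 in counter mode."""
    out, block = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:n])

def xor_bytes(x: bytes, y: bytes) -> bytes:
    if len(x) != len(y):
        raise ValueError("length mismatch")
    return bytes(a ^ b for a, b in zip(x, y))

def combined_keystream(k1: bytes, k2: bytes, n: int) -> bytes:
    """A1(k1) xor A2(k2): the combiner from the message above."""
    return xor_bytes(keystream_a1(k1, n), keystream_a2(k2, n))

def encrypt(k1: bytes, k2: bytes, m: bytes) -> bytes:
    return xor_bytes(m, combined_keystream(k1, k2, len(m)))

decrypt = encrypt  # a keystream XOR cipher is its own inverse

def view_if_a1_broken(k1: bytes, c: bytes) -> bytes:
    """What remains for an adversary who has fully recovered A1's keystream:
    c xor A1(k1) = m xor A2(k2), i.e. the message still encrypted under A2."""
    return xor_bytes(c, keystream_a1(k1, len(c)))

def degenerate_keystream(k: bytes, n: int) -> bytes:
    """Why k1 and k2 must be unrelated: the same generator under the same key
    cancels to all zeros, and the 'cascade' would emit the plaintext unchanged."""
    return xor_bytes(keystream_a1(k, n), keystream_a1(k, n))

if __name__ == "__main__":
    c = encrypt(SAMPLE_K1, SAMPLE_K2, SAMPLE_MSG)
    assert decrypt(SAMPLE_K1, SAMPLE_K2, c) == SAMPLE_MSG
    assert degenerate_keystream(SAMPLE_K1, 16) == bytes(16)
    print("round trip ok; degenerate same-key case yields a zero keystream")
```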


Re: [cryptography] Compositing Ciphers?

2013-09-07 Thread Nico Williams
We have a purely (now mostly) all-symmetric key protocol: Needham-Schroeder
-- Kerberos.  Guess what: it doesn't scale, not without a strong dose of PK
(and other things).  Worse, its trusted third parties can do more than
MITM/impersonate you like PKI's: they get to see your session keys (unless
you add PFS, of course).  For PFS you need asymmetric crypto.  To scale you
need asymmetric crypto *and* trusted third parties.  To communicate at all
you need peers to communicate with, peers who can turn on you, or just
plain screw up, or get conned.  Square #1, how well we know thee.
Symmetric-only crypto isn't the answer, and evidently neither is PK
crypto.  With or without crypto, our problems are human problems.

A combination of PK and symmetric crypto is the best we can do in a
classical world, and transitive trust is the only way to scale to billions
(or even just a few tens of thousands) of people.  All of which means that
there will always be some degree of insecurity, as it always was before the
modern era, and as it has to be.  Because we have free will.  I don't know
what a post-quantum number factoring world will look like... a bit bleak I
guess, at least for a while, but hardly much bleaker than much of the past
one hundred years.

BTW, if it's the PRISMs that animate you: that is the land of politics;
and crypto is not the answer you seek, it's just a tool.   A tool that
might play a bi[tg] part in debates and their outcomes, but still, just a
tool, not a panacea.

[In theory Kerberos with hierarchical and web of trust could scale.   No
one has attempted to scale it past a few .EDUs and a few .MILs.  With
PKINIT and PKCROSS -- bridges to PK[I] -- and trust routing it could
scale, and it'd then have roughly the properties PKI could have / should
have had with OCSP done right (i.e., stapled, and from the get-go).
Kerberos still has a long life ahead of it in corporate and university
networks, I'm fairly certain of that.  But without PK it can't scale to
Internet scale.  I don't think any other all-symmetric key cryptographic
protocols can do better than Needham-Schroeder.]

Nico
--


Re: [cryptography] Compositing Ciphers?

2013-09-07 Thread Sandy Harris
Jeffrey Walton noloa...@gmail.com wrote:

> With all the talk of the NSA poisoning NIST, would it be wise to
> composite ciphers? (NY Times, Guardian, Dr. Green's blog, et seq).
>
> I've been thinking about running a fast inner stream cipher (Salsa20
> without a MAC) and wrapping it in AES with an authenticated encryption
> mode (or CBC mode with {HMAC|CMAC}).

I did a paper on that sort of thing a while back:
http://eprint.iacr.org/2008/473

A much improved version is in the works, but not done.


Re: [cryptography] Compositing Ciphers?

2013-09-06 Thread Nico Williams
On Fri, Sep 6, 2013 at 7:27 PM, Jeffrey Walton noloa...@gmail.com wrote:
> I've been thinking about running a fast inner stream cipher (Salsa20
> without a MAC) and wrapping it in AES with an authenticated encryption
> mode (or CBC mode with {HMAC|CMAC}).

My own very subjective opinion is that assuming all of: constant time
implementations, an appropriate cipher mode, proper {key management,
RNG, local end-point security}, then AES is perfectly safe.

Of course, that's a lot of assumptions!  You'll almost certainly fail
at the local end-point security part.  Long before your choice of
ciphers is attacked your systems/protocols will have succumbed to
other, cheaper attacks -- assuming they are targeted at all.

> I'm aware of, for example, NSA's Fishbowl running IPSec at the network
> layer (the outer encryption) and then SRTP and the application
> level (the inner encryption). But I'd like to focus on hardening one
> cipherstream at one level, and not cross OSI boundaries.

If you have the hardware for it, that's fine.  I wouldn't bother
composing ciphers in any given layer.

> Has anyone studied the configuration and security properties of an
> inner stream cipher with an outer block cipher?

Well, yes, it's been studied.  Look for papers on 3DES, for example.
Make sure not to make mistakes that leave you susceptible to
meet-in-the-middle type attacks.  But, really, first make sure that
you've covered the other bases, the ones that are going to be your
Achilles' heel if you don't, such that your adversaries have no choice
but to attack the crypto.  THEN concern yourself with improving the
crypto.

IMO.  Also, IANAC.

Nico
--


Re: [cryptography] Compositing Ciphers?

2013-09-06 Thread Jeffrey Walton
On Fri, Sep 6, 2013 at 8:53 PM, Natanael natanae...@gmail.com wrote:
> http://blog.cryptographyengineering.com/2012/02/multiple-encryption.html
> Apparently it's called cascade encryption or cascade encipherment,
> and the implementations are apparently called robust combiners. And
> by the way, Truecrypt already lets you pick your chosen combo of AES
> and two other ciphers.
Ah, right. I knew that was called cascading. I'm not sure why I called
it compositing (it sucks getting old).

I did not know Truecrypt provided it.

> I think you should worry about your PRNG and its seed before you
> focus on AES. Your key should both have enough entropy and be secret.
> Is your PRNG backdoored already? And I'm guessing the cipher mode
> probably matters a bit more than the exact choice of algorithm.
I believe the PRNG is good. The PRNG fetches from the OS, fetches from
device sensors (accelerometers, gyroscopes, magnetometers), and
practices hedging.

I'm more worried about key exchange or agreement.

Jeff

> On Sat, Sep 7, 2013 at 2:27 AM, Jeffrey Walton noloa...@gmail.com wrote:
>> Hi All,
>>
>> With all the talk of the NSA poisoning NIST, would it be wise to
>> composite ciphers? (NY Times, Guardian, Dr. Green's blog, et seq).
>>
>> I've been thinking about running a fast inner stream cipher (Salsa20
>> without a MAC) and wrapping it in AES with an authenticated encryption
>> mode (or CBC mode with {HMAC|CMAC}).
>>
>> I'm aware of, for example, NSA's Fishbowl running IPSec at the network
>> layer (the outer encryption) and then SRTP and the application
>> level (the inner encryption). But I'd like to focus on hardening one
>> cipherstream at one level, and not cross OSI boundaries.
>>
>> I'm also aware of the NSA's lightweight block ciphers
>> (http://eprint.iacr.org/2013/404). I may have been born at night, but
>> it was not last night.
>>
>> Has anyone studied the configuration and security properties of an
>> inner stream cipher with an outer block cipher?


Re: [cryptography] Compositing Ciphers?

2013-09-06 Thread Nico Williams
On Fri, Sep 6, 2013 at 8:05 PM, Jeffrey Walton noloa...@gmail.com wrote:
> I'm more worried about key exchange or agreement.

The list of things to get right is long.  The hardest is getting the
implementation right -- don't do all that work just to succumb to a
remotely exploitable buffer overflow.  Next up is physical security.
Then key management.  Then all the crypto stuff (ciphers, modes, MACs,
hash functions, ...).  Then the RNG.  That's assuming off-the-shelf
crypto algorithms.

And then there's your trusted insiders/counterparties.  They are your
biggest risk of all, or possibly second biggest, after plain old
buffer overflows and similar.

Nico
--