I'm wondering what the general opinion of folks is for repeated encryptions - either accidentally or on purpose. Applied Cryptography devotes a chapter to it, and I'm more interested in cascades - multiple algorithms: RC4 k1(AES k2(plaintext)) . The general opinion I've heard is "It's a bad idea, you shouldn't do it" - but I want to revisit that.
There are legitimate reasons for *not* doing it, but they're more about the engineering. Twice as much code, twice as many possibilities for bugs. Twice the key material, twice the key storage. More work, no practical security gained. None of these address the idea that the double encryption aids any sort of chosen-plaintext/known-plaintext/chosen-ciphertext/or other attack. (Although the exposure of an oracle enabling an attack in such a system *would* be system-specific, and there's no standardized system for this to my knowledge - so it may be a case of 'Create one, and give an incentive to break it.')

I got in a discussion recently about this, in the specific case of encrypting something in javascript, and then again in SSL. Trying to avoid the argument over javascript crypto, I thought it was absurd that NOT using SSL was a reasonable decision. The response was the 'don't double encrypt' argument, without any real facts to back it up.

Applied Crypto shows how it doesn't always provide the security you expect it to - but it doesn't go so far as to say it *decreases* security. Even the notion of a block cipher being a group (I don't know of any semi-popular ones that are) wouldn't decrease security, just keep it at the strength of a single encrypt. And double-encrypt in this context *is* used all the time - any S/Mime/OpenPGP mail traveling over SSL or any encrypted file over SSH.

-tom

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
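The "block cipher being a group" point above, as an added toy illustration that is not part of the original message: two made-up cipher families on 4-bit values (XOR with a key, and addition mod 16) each form a group, so double encryption within one family always collapses to a single key of that family, while the cascade of one algorithm after the other mostly does not collapse into either family. The 4-bit domain and the family names are assumptions chosen so the search is exhaustive.

```python
from itertools import product

BITS = 4
MASK = (1 << BITS) - 1
DOMAIN = bytes(range(MASK + 1))      # every possible 4-bit plaintext value

def xor_enc(key: int, data: bytes) -> bytes:
    """Toy cipher family A: XOR each value with a 4-bit key."""
    return bytes(b ^ key for b in data)

def add_enc(key: int, data: bytes) -> bytes:
    """Toy cipher family B: add a 4-bit key modulo 16."""
    return bytes((b + key) & MASK for b in data)

def single_key_equivalent(cipher, composed: bytes):
    """Return the key k3 with cipher(k3, DOMAIN) == composed, or None.
    The search is exhaustive over all 16 keys and compares the full
    codebook, so None proves no equivalent key exists in that family."""
    for k3 in range(MASK + 1):
        if cipher(k3, DOMAIN) == composed:
            return k3
    return None

def family_is_group(cipher) -> bool:
    """True if every E_k2(E_k1(.)) equals some E_k3(.): double encryption
    within the family never costs an attacker more than a single key."""
    return all(
        single_key_equivalent(cipher, cipher(k2, cipher(k1, DOMAIN))) is not None
        for k1, k2 in product(range(MASK + 1), repeat=2)
    )

def cascade_collapses(k1: int, k2: int):
    """For the cascade add_k2(xor_k1(.)), look for a single-key equivalent
    in each family. Returns (xor_key_or_None, add_key_or_None)."""
    composed = add_enc(k2, xor_enc(k1, DOMAIN))
    return (single_key_equivalent(xor_enc, composed),
            single_key_equivalent(add_enc, composed))

def count_collapsing_cascades() -> int:
    """How many of the 256 (k1, k2) cascades reduce to one key of either family.
    Only k1 in {0, 8} or k2 in {0, 8} do, because in 4 bits xor_8 == add_8."""
    return sum(
        any(k is not None for k in cascade_collapses(k1, k2))
        for k1, k2 in product(range(MASK + 1), repeat=2)
    )

if __name__ == "__main__":
    print("XOR / ADD families are groups:", family_is_group(xor_enc), family_is_group(add_enc))
    print("add_5(xor_3(.)) single-key equivalents:", cascade_collapses(3, 5))
    print("cascades that collapse to one key:", count_collapsing_cascades(), "of 256")
```

Not collapsing is only the absence of this particular shortcut; it says nothing about the cascade being stronger than its components, which is the post's point that double encryption does not decrease security but may not add any.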
