On 2011-06-20 8:12 AM, Sampo Syreeni wrote:
Now that you gave me the opportunity, I do have to add one point about cascaded cipher strength which I forgot to mention. Namely, one of the simplest, most common, oldest, and also most fatal mistakes here is that symmetric ciphers *can* leak information about the key. Thus, if you happen to place a leaky cipher last, it might enable somebody to figure out the key, in *particular* if the earlier cipher is strong, so that pseudorandomness assumptions apply, statistically speaking. Often you'd be using the same key, or the same source data for the key derivation function, all over your cascade, which could jeopardize even the strongest one in the chain if the last one leaked.
Typically one derives a shared secret by public key operations, and then encryption and authentication keys by hashing the shared secret. If the hash is truly one way, then leaking one encryption key will not endanger the others.
_______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
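The derivation the reply sketches (one shared secret, separate keys hashed out of it for each purpose) is what a key derivation function with domain separation does. The block below is an added example, not code from either poster; it assumes HKDF (RFC 5869, HMAC-SHA-256) as the concrete "hashing" step, which the thread does not specify, and it uses a random 32-byte string as a constructed stand-in for the output of a Diffie-Hellman style public-key exchange. It also applies the same idea to the cascade case from the quoted message: each cascade layer gets its own derived key, so a leaky last cipher exposes at most its own key rather than the key shared with the strong layer.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM).

    An all-zero salt of hash length is used when none is supplied, as the RFC specifies.
    """
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: requested output too long")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(shared_secret: bytes, salt: bytes, labels, key_len: int = 32) -> dict:
    """Derive one independent key per label from a single shared secret.

    The label goes into the HKDF 'info' field, so the encryption key and the
    authentication key (or the per-layer keys of a cascade) are outputs of a
    one-way PRF under different inputs. Recovering one of them yields neither
    the PRK nor any sibling key; an attacker would need to invert HMAC.
    """
    prk = hkdf_extract(salt, shared_secret)
    return {label: hkdf_expand(prk, label.encode("ascii"), key_len) for label in labels}


def cascade_keys(shared_secret: bytes, salt: bytes, n_layers: int) -> list:
    """Per-layer keys for an n-cipher cascade: the situation from the quoted message.

    Reusing one raw key across every layer means a key-leaking last cipher gives
    away the key of every layer. Labelling each layer avoids that coupling.
    """
    labels = [f"cascade layer {i}" for i in range(1, n_layers + 1)]
    keys = derive_keys(shared_secret, salt, labels)
    return [keys[label] for label in labels]


def all_distinct(values) -> bool:
    """True if no two derived keys are equal (the minimum sanity check on separation)."""
    return len(set(values)) == len(values)


def demo() -> dict:
    # Constructed stand-in for a DH/ECDH shared secret; a real exchange would
    # produce this from the peers' public-key operations.
    shared_secret = secrets.token_bytes(32)
    # A public, per-session salt (e.g. a transcript hash) strengthens Extract;
    # it need not be secret. Constructed here.
    salt = secrets.token_bytes(16)

    keys = derive_keys(shared_secret, salt, ["encryption", "authentication"])
    layers = cascade_keys(shared_secret, salt, 3)

    # "Leaking" the encryption key: the attacker now holds keys["encryption"],
    # but the only path to keys["authentication"] runs through the PRK, which
    # is hidden behind HMAC. Re-running the KDF with the leaked key as input
    # produces unrelated bytes, not the sibling key.
    attacker_guess = hkdf_expand(keys["encryption"], b"authentication", 32)

    return {
        "enc_ne_auth": keys["encryption"] != keys["authentication"],
        "guess_fails": attacker_guess != keys["authentication"],
        "layers_distinct": all_distinct(layers),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Whether the derived keys are genuinely independent rests on the one-wayness and pseudorandomness of the underlying HMAC, which the code cannot demonstrate; what it does show is the structure a practitioner should insist on: one secret in, a separately labelled key out for every purpose and every cascade layer, and no raw key reused anywhere.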
