On Mar 2, 2012, at 2:59 AM, Marsh Ray wrote:
> On 03/01/2012 09:31 PM, Jeffrey Walton wrote:
>> Interesting. I seem to recall that cascading ciphers is frowned upon
>> on sci.crypt. I wonder if this is mis-information....
>
> Not mis-information. You could easily end up enabling a meet-in-the-middle
> attack just like double DES.
>
> https://en.wikipedia.org/wiki/Meet-in-the-middle_attack
Meet-in-the-middle attacks don't weaken things; they merely don't give you as
much advantage as one might suppose. Note, though, that you need 2^n storage.
This is Suite B/Top Secret, which means 256-bit AES, which means that you would
need 2^260 bytes of storage. That's too much, even for NSA, so those attacks
aren't even relevant.
Where NSA has a strong edge over most civilian crypto folks is that they
understand that they're dealing with a *system* -- not just a cipher, but key
exchange, key storage, timing attacks and other side channels, buggy
implementations, very fallible (or corrupt[ed]) people, etc. Maybe SRTP is
weak in a way they haven't found. Maybe IPsec is. They've looked at both and
don't think so, but they can't rule it out. But if you combine both *and* you
do it in a way you think actually buys you something, you've protected yourself
against a lot of those failures. Both would have to fail, and in a compatible
way, for there to be a weakness.
--Steve Bellovin, https://www.cs.columbia.edu/~smb
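The meet-in-the-middle trade-off discussed above, worked through on a constructed toy cipher. This is an added example, not code from the thread or from any of its authors; the 16-bit cipher, its round constants, the keys and the plaintexts are all made up for the demonstration and have no relation to DES, AES, SRTP or IPsec. It shows the point Bellovin makes: cascading two n-bit-key ciphers with independent keys costs an attacker roughly 2 * 2^n cipher evaluations plus a 2^n-entry table, not the 2^(2n) that naive brute force would need, so the cascade is never weaker than one cipher, it just does not buy the full 2n bits.

```python
"""Meet-in-the-middle against a cascade of two toy 16-bit ciphers.

Added example (not code from the thread). The cipher, constants, keys and
plaintexts below are constructed for the demo only.
"""
import math
from collections import defaultdict

KEY_BITS = 16
MASK = 0xFFFF
ROUND_CONST = (0x1F1F, 0x3A3A, 0x5B5B, 0x7C7C)  # constructed round constants


def _rotl(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK


def _rotr(x, n):
    return ((x >> n) | (x << (16 - n))) & MASK


def toy_encrypt(key, block):
    """Encrypt one 16-bit block under a 16-bit key (xor, rotate, add rounds)."""
    for rc in ROUND_CONST:
        block ^= key
        block = _rotl(block, 3)
        block = (block + key + rc) & MASK
    return block


def toy_decrypt(key, block):
    """Exact inverse of toy_encrypt (rounds undone in reverse order)."""
    for rc in reversed(ROUND_CONST):
        block = (block - key - rc) & MASK
        block = _rotr(block, 3)
        block ^= key
    return block


def cascade_encrypt(k1, k2, block):
    """Double encryption: outer cipher under k2 over inner cipher under k1."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def make_pairs(k1, k2, plaintexts=(0x0123, 0x4567, 0x89AB, 0xCDEF)):
    """Known plaintext/ciphertext pairs under the cascade (constructed sample)."""
    return [(p, cascade_encrypt(k1, k2, p)) for p in plaintexts]


def meet_in_the_middle(pairs):
    """Recover (k1, k2) candidates from known pairs.

    Returns (candidates, work), where work counts single-cipher evaluations.
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    work = 0
    # Forward half: every k1 maps p0 to one "middle" value; 2^n table entries.
    table = defaultdict(list)
    for k1 in range(1 << KEY_BITS):
        table[toy_encrypt(k1, p0)].append(k1)
        work += 1
    candidates = []
    # Backward half: every k2 decrypts c0 to a middle value; a table hit links
    # a k1 to this k2.  With 16-bit blocks about 2^16 (k1, k2) pairs survive the
    # first plaintext, so the remaining pairs are used to weed out false hits.
    for k2 in range(1 << KEY_BITS):
        work += 1
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            ok = True
            for p, c in rest:
                work += 2
                if cascade_encrypt(k1, k2, p) != c:
                    ok = False
                    break
            if ok:
                candidates.append((k1, k2))
    return candidates, work


def brute_force_work():
    """Cipher evaluations a naive search over both keys would need (not run)."""
    return 2 * (1 << (2 * KEY_BITS))


if __name__ == "__main__":
    K1, K2 = 0xBEEF, 0x1234  # constructed secret keys
    found, work = meet_in_the_middle(make_pairs(K1, K2))
    print("candidates:", [(hex(a), hex(b)) for a, b in found])
    print(f"MITM evaluations: 2^{math.log2(work):.1f} plus a 2^{KEY_BITS}-entry table, "
          f"vs brute force 2^{math.log2(brute_force_work()):.0f}")
```

The table is the cost that matters for the message's point: here it has 2^16 entries and fits in memory, whereas for a 256-bit key it would need 2^256 entries, which is why the attack is irrelevant at Suite B sizes even though it exists on paper.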
_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography