Arggh! Of course, this superencryption wouldn't help against the CBC padding
attacks, because the attacker would learn plaintext without bothering with the
other layers of encryption. The only way to solve that is to preprocess the
plaintext in some way that takes the attacker's power to induc
For hash functions, MACs, and signature schemes, simply concatenating
hashes/MACs/signatures gives you at least the security of the stronger one.
Joux multicollisions simply tell us that concatenating two or more hashes of
the same size doesn't improve their resistance to brute force collsion s
On 9/17/13 at 4:18 PM, leich...@lrw.com (Jerry Leichter) wrote:
MAC'ing the actual data always seemed more "logical" to me, but
once you look at the actual situation, it no longer seems like
the right thing to do.
When I chose MAC then encrypt I was using the MAC to check the
crypto code. CR
On Sep 17, 2013, at 7:18 PM, Jerry Leichter wrote:
> On Sep 17, 2013, at 6:21 PM, John Kelsey wrote:
>>> I confess I'm not sure what the current state of research is on MAC
>>> then Encrypt vs. Encrypt then MAC -- you may want to check on that.
>>
>> Encrypt then MAC has a couple of big advanta
On Sep 17, 2013, at 6:21 PM, John Kelsey wrote:
>> I confess I'm not sure what the current state of research is on MAC
>> then Encrypt vs. Encrypt then MAC -- you may want to check on that.
>
> Encrypt then MAC has a couple of big advantages centering around the idea
> that you don't have to wor
On Sep 17, 2013, at 11:41 AM, "Perry E. Metzger" wrote:
>
> I confess I'm not sure what the current state of research is on MAC
> then Encrypt vs. Encrypt then MAC -- you may want to check on that.
Encrypt then MAC has a couple of big advantages centering around the idea that
you don't have to
On 9/17/13 at 2:48 AM, i...@iang.org (ianG) wrote:
The problem with adding multiple algorithms is that you are also adding
complexity. ...
Both Perry and Ian point out:
And, as we know, the algorithms rarely fail. [but systems do] ...
Absolutely! The techniques I suggested used the simples
On 2013-09-17 07:37, Peter Gutmann wrote:
> Tony Arcieri writes:
>> On Mon, Sep 16, 2013 at 9:44 AM, Bill Frantz wrote:
>>> After Rijndael was selected as AES, someone suggested the really paranoid
>>> should super encrypt with all 5 finalests [...].
>>
>> I wish there was a term for this sort of
On Mon, 16 Sep 2013 17:47:11 -0700 Bill Frantz
wrote:
> Authentication is achieved by signing the entire exchange with
> DSA. -- Change the protocol to sign the exchange with both RSA
> and DSA and send and check both signatures.
Remember to generate the nonce for DSA using a deterministic me
On Sep 17, 2013, at 5:49 AM, ianG wrote:
>>
>> I wish there was a term for this sort of design in encryption systems
>> beyond just "defense in depth". AFAICT there is not such a term.
>>
>> How about the Failsafe Principle? ;)
>
> A good question. In my work, I've generally modelled it such t
On 17/09/13 01:40 AM, Tony Arcieri wrote:
On Mon, Sep 16, 2013 at 9:44 AM, Bill Frantz mailto:fra...@pwpconsult.com>> wrote:
After Rijndael was selected as AES, someone suggested the really
paranoid should super encrypt with all 5 finalests in the
competition. Five level super encryp
Hi Bill,
On 17/09/13 01:20 AM, Bill Frantz wrote:
The idea is that when serious problems are discovered with one
algorithm, you don't have to scramble to replace the entire crypto
suite. The other algorithm will cover your tail while you make an
orderly upgrade to your system.
Obviously you
On Mon, Sep 16, 2013 at 12:44 PM, Bill Frantz wrote:
> Symmetric encryption:
>
> Two algorithms give security equal to the best of them. Three
> protect against meet-in-the-middle attacks. Performing the
> multiple encryption at the block level allows block cyphers to
> be combined with s
Tony Arcieri writes:
>On Mon, Sep 16, 2013 at 9:44 AM, Bill Frantz wrote:
>> After Rijndael was selected as AES, someone suggested the really paranoid
>> should super encrypt with all 5 finalests in the competition. Five level
>> super encryption is probably overkill, but two or three levels can
On 9/16/13 at 4:02 PM, leich...@lrw.com (Jerry Leichter) wrote:
The feeling these days among those who do such work is that
unless you're going to use a specialized combined encryption
and authentication mode, you might as well use counter mode
(with, of course, required authentication). For
On Mon, Sep 16, 2013 at 4:02 PM, Jerry Leichter wrote:
> On Sep 16, 2013, at 6:20 PM, Bill Frantz wrote:
>>> Joux's paper "Multicollisions in iterated hash functions"
http://www.iacr.org/archive/crypto2004/31520306/multicollisions.ps
>>> shows that "finding ... r-tuples of messages that all hash t
On Sep 16, 2013, at 6:20 PM, Bill Frantz wrote:
>> Joux's paper "Multicollisions in iterated hash functions"
>> http://www.iacr.org/archive/crypto2004/31520306/multicollisions.ps
>> shows that "finding ... r-tuples of messages that all hash to the same value
>> is not much harder than finding ...
On Mon, Sep 16, 2013 at 9:44 AM, Bill Frantz wrote:
> After Rijndael was selected as AES, someone suggested the really paranoid
> should super encrypt with all 5 finalests in the competition. Five level
> super encryption is probably overkill, but two or three levels can offer
> some real advanta
On Sep 16, 2013, at 12:44 PM, Bill Frantz wrote:
> After Rijndael was selected as AES, someone suggested the really paranoid
> should super encrypt with all 5 finalests in the competition. Five level
> super encryption is probably overkill, but two or three levels can offer some
> real advantag
On 9/16/13 at 12:36 PM, leich...@lrw.com (Jerry Leichter) wrote:
On Sep 16, 2013, at 12:44 PM, Bill Frantz wrote:
After Rijndael was selected as AES, someone suggested the really paranoid
should super encrypt with
all 5 finalests in the competition. Five level super encryption
is probably ov
20 matches
Mail list logo