Re2: Cascading two plain dm-crypt volumes

[...]
> That is not how it works, unfortunately. While your idea is
> somewhat intuitive, there is no way to brute-force even 
> a 128 bit AES key. Hence such an attacker must know some
> weakness in the cipher. But the thing is that possibly
> there is a key k3 so that
> 
>    aes(k1, aes(k2, data)) = aes(k3, data)
> 
> and hence layering the same cipher may be completely worthless.
> AFAIK this type of approach was abandoned quite a while ago
> in the research community.
> 
> Just use a single AES layer and pump up the passphrase entropy
> by doing 
> 
>    aes(k1+k2, data)
> 
> which is massively more secure unless k1, k2 have entropy in 
> the size of the key-length.

Just found a reference:
http://en.wikipedia.org/wiki/Meet-in-the-middle_attack

The gist is that breaking aes(k1, aes(k2, data)) 
takes only twice as long as breaking aes(k3, data),
i.e. adds one bit of entropy and is meaningless security-wise.

If you have less than the maximum entropy in your keys,
then doing aes(k1+k2, data) doubles the entropy, i.e.
_squares_ the effort needed, up to 2^(number of key bits).

So, really, do not do this.

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
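
The meet-in-the-middle attack from the linked reference, as an added example that is not part of the original message. It assumes a toy 32-bit Feistel cipher with 16-bit keys (hypothetical enc/dec standing in for aes()) so both key spaces can be enumerated, and constructed sample keys and plaintexts.

```python
import hashlib

KEY_BITS = 16  # toy key size (assumption) so both key spaces can be enumerated

def _f(half, key, rnd):
    # Keyed round function: SHA-256 truncated to 16 bits
    msg = bytes([rnd]) + key.to_bytes(2, "big") + half.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(msg).digest()[:2], "big")

def enc(key, block):
    # 4-round Feistel network on a 32-bit block (toy stand-in for aes())
    l, r = block >> 16, block & 0xFFFF
    for rnd in range(4):
        l, r = r, l ^ _f(r, key, rnd)
    return (l << 16) | r

def dec(key, block):
    # Inverse of enc(): undo the rounds in reverse order
    l, r = block >> 16, block & 0xFFFF
    for rnd in reversed(range(4)):
        l, r = r ^ _f(l, key, rnd), l
    return (l << 16) | r

def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs of enc(k1, enc(k2, p))."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}  # middle value -> inner keys k2 that produce it from p0
    for k2 in range(1 << KEY_BITS):
        table.setdefault(enc(k2, p0), []).append(k2)
    work = 1 << KEY_BITS  # trial cipher operations on the first pair
    hits = []
    for k1 in range(1 << KEY_BITS):  # peel the outer layer off c0
        work += 1
        for k2 in table.get(dec(k1, c0), ()):
            # Remaining pairs weed out chance collisions in the middle
            if all(enc(k1, enc(k2, p)) == c for p, c in rest):
                hits.append((k1, k2))
    return hits, work

# Constructed sample data: two secret keys and three known plaintext blocks
K1, K2 = 0xBEEF, 0x1234
PAIRS = [(p, enc(K1, enc(K2, p))) for p in (0x00000000, 0xDEADBEEF, 0x0BADF00D)]

if __name__ == "__main__":
    hits, work = meet_in_the_middle(PAIRS)
    print(f"recovered {hits} in {work} trials (2^{KEY_BITS + 1}), "
          f"not the 2^{2 * KEY_BITS} a doubled key would need")
```

The lookup table holds one entry per inner key, so the saving in time is paid for in memory.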
