On Fri, Nov 29, 2013 at 09:56:43 CET, anderson jackson wrote: > On Fri, 29 Nov 2013 06:17:31 +0100 Arno Wagner <arno@xxxxxxxxxxx> wrote > > > > The gist is that breaking aes(k1, aes(k2, data)) > > takes only twice as long as breaking aes(k3, data), > > i.e. adds one bit of entropy and is meanigless security-wise. > > > > If you have less than the maximum entropy in your keys, > > then doing aes(k1+k2, data) doubles the entropy, i.e. > > _squares_ the effort needed, up to 2^(number of key bits). > > > > So, really, do not do this. > > Thank you for the clarification and the supplied reference. I see now that my > suggested method is flawed. I will use LUKS instead; I can then combine the > two passphrases and make use of the key strengthening features instead of > choosing less security with no header. > However I am curious, would my suggestion work with two different ciphers? So > twofish(k1, AES(k2, data)) or twofish(k1, Serpent(k2, data) both still plain? > Or does the MITM attack still apply in these scenarios. Yes, it does. But also note: - This attack requires an extreme amount of memory - This is a known-plaintext attack, i.e. the attacker needs to guess one cipher plaintext block correctly. (Easier done than it sounds, filesystems typically have blocks that qualify.) - The attacker needs to be able to brute-force one layer of each cipher and store the full result of one of the two in a table. So practicallity of this attack is low (read: infeasible in practice for the forseeable future). It just shows that an attacker that can crack one layer of a cipher can crack two with about the same computing effort and a lot of additional memory, i.e. that two cipher layers give you a lot less _additional_ security than expected. Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult. --Tony Hoare _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
