I was reading this question where the author wanted to know whether layered encryption would be better than a long password. The answers to this question all said the same thing: It would be easier for an attacker because he could guess the passphrases one by one.
However, this led me to think: Why exactly should a confirmation be given when the password is correct? And what ciphers are actually good for this kind of layered encyption?
Why exactly should a confirmation be given when the password is correct?
The attacker only gets such confirmation if the message is protected against modification using some kind of MAC or if the attacker can conclude from the decrypted data if he got the right key. The latter is unlikely if the decrypted data are not the final layer but only the result of another encryption. But it could be likely for the last step of the layered decryption.
And what ciphers are actually good for this kind of layered encyption?
Encryption methods which don't have any detection of message modification by themselves are suitable for this. These are methods like AES-CBC or 3DES and others which don't have message authentication integrated.
But that does not mean that such layered encryption with multiple smaller keys would actually be better than a single encryption with a longer key (equivalent to the length of all the smaller key together). It only would not be that worse in terms of key security. But it would still be more complex to implement - which also means also more likely to implement it wrong.
Or in other words: don't do it.
