17

I've occasionally read the suggestion to enhance security by either doubling up on encryption algorithms (encrypt a message once with one algorithm, then encrypt the ciphertext again with a different encryption algorithm) or by periodically cycling through a list of encryption algorithms.

I suspect that this is not appreciably more secure than a single, well-chosen and well-implemented encryption algorithm, but I'm not sure that I could argue my case.

Does doubling up or cycling encryption algorithms improve security? Why or why not?

Josh Kelley

4 Answers

21

Cascading or cycling encryption algorithms increases implementation complexity, and that's really bad for security. Algorithm intrinsic security (provided that you use published, well-analyzed algorithms, not homemade designs) is invariably far greater than implementation security: most implementations may leak various elements, including secret key bits, through execution timing, cache memory access or insufficiently strict behavior when encountering incorrect data.

If you have covered all the implementation hazards, then it becomes time to worry about the algorithms themselves; at that point, you are a trained cryptographer and you know better than relying on irrational tricks such as cascading or doubling. Basically, the one thing that algorithm doubling or cycling guarantees is that whoever makes the suggestion is not overly competent in the area of cryptographic implementation, and therefore you do not want to use his code.

Historically, cascading or cycling are ways to cope with weak encryption algorithms; this is about assuming that any algorithm will be broken, and you try to do damage control. This somehow negates all research on cryptography since the '70s. In practice, security issues are in how an algorithm is used (e.g. chaining mode with block ciphers), how an algorithm is implemented, and, most importantly, how keys are managed (creation, storage, destruction...). In order to have the algorithm itself be a weak point, you have to make huge efforts (e.g. designing your own algorithm, as the DVD consortium did). As an example, when modern game consoles are hacked, the algorithms themselves (AES, ECDSA...) are not broken, but circumvented (for ECDSA and Sony/PS3, this was a downright implementation bug).

What you do want is to have algorithm agility: you define the protocol such that the used algorithm is a configurable parameter. Therefore, if a given algorithm turns out to be flaky (which does not happen often at all), then you can switch to another.

Thomas Pornin
  • 1
    Good answer. If you do it wrong, repeating an algorithm can actually weaken the encryption. If you do it right, it's called Key Stretching: http://en.wikipedia.org/wiki/Key_stretching – user502 Apr 06 '11 at 13:44
  • But when cryptographers embed iterative algorithms into cryptography (as many do from my limited understanding) they DO increase security because they are audited and reviewed. – Andrew Russell May 13 '11 at 01:52
  • @AndrewRussell Using iterative algorithms and cascading different ciphers are completely unrelated concepts. For example, repeating a single AES round 14 times gives you a strong cipher, but interlacing AES and Threefish rounds may actually give you a broken cipher. – forest Sep 22 '18 at 05:41
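The algorithm agility recommended in the answer above, sketched as an added example (not code from the answer or from any library): the envelope carries an algorithm ID, the ID is authenticated, and retiring an algorithm is a configuration change. The ID values, the envelope layout and the names `Suites`, `Seal`, `Open` and `gcm` are assumptions of this sketch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Suites is the configurable part: wire algorithm ID -> keyed AEAD still in use.
// The IDs (1 = AES-128-GCM, 2 = AES-256-GCM) are constructed for this example.
type Suites map[byte]cipher.AEAD

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// gcm builds AES-GCM; the key length selects AES-128 or AES-256.
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// Seal emits id || nonce || ciphertext+tag and authenticates id as AAD.
func Seal(s Suites, id byte, msg []byte) ([]byte, error) {
	a, ok := s[id]
	if !ok {
		return nil, errors.New("send algorithm not configured")
	}
	env := append([]byte{id}, make([]byte, a.NonceSize())...)
	must(rand.Read(env[1:]))
	return a.Seal(env, env[1:], msg, env[:1]), nil
}

// Open only tries suites that are configured; a retired ID is rejected outright.
func Open(s Suites, env []byte) ([]byte, error) {
	for id, a := range s {
		if n := 1 + a.NonceSize(); len(env) >= n && env[0] == id {
			return a.Open(nil, env[1:n], env[n:], env[:1])
		}
	}
	return nil, errors.New("algorithm not accepted or envelope too short")
}

func main() {
	s := Suites{2: gcm(make([]byte, 32))} // all-zero demo key, never use in practice
	fmt.Println(Seal(s, 2, []byte("hello")))
}
```

A migration runs with both IDs configured while senders switch to the new one, then drops the old entry; because the ID byte is bound into the tag, rewriting it in transit makes `Open` fail instead of selecting a different algorithm.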
1

I would argue that chaining encryption rounds is a legitimate way to increase effective key length when using a cipher with a fixed size key. Break a longer key into parts and use the parts in different rounds.

It's the reason for the existence of triple-DES. 56 bits seemed sufficient in 1977 but is now subject to brute-force attack on modern hardware.

Hugh Allen
  • But for triple des, the proposal was actually engineered and verified by cryptographers, so should be sound and improve security over des alone. – Andrew Russell May 13 '11 at 01:49
  • 2
    @Andrew: indeed, this is _triple_ DES because cryptographers studied the question and pointed out that _double_ DES was not as strong as what could be initially believed. Cascading algorithms is not an easy thing to do properly. – Thomas Pornin Oct 06 '11 at 15:19
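Why double encryption adds far less strength than its combined key length suggests is the textbook meet-in-the-middle result, shown here as an added example that is not part of the original answer or comments. It uses a toy 32-bit Feistel cipher with 16-bit keys constructed for this illustration (it is not DES); all names and constants are assumptions.

```go
package main

import (
	"fmt"
	"math/bits"
)

// f is the round function of a toy Feistel cipher constructed for this example.
func f(r, k uint16, i int) uint16 { return bits.RotateLeft16((r^k)*0x9E37+uint16(i)*0x3D, 7) }

// feistel runs 6 rounds on a 32-bit block under a 16-bit key, reversed to decrypt.
func feistel(k uint16, x uint32, decrypt bool) uint32 {
	l, r := uint16(x>>16), uint16(x)
	for i := 0; i < 6; i++ {
		if decrypt {
			l, r = r^f(l, k, 5-i), l
		} else {
			l, r = r, l^f(r, k, i)
		}
	}
	return uint32(l)<<16 | uint32(r)
}

// double is the cascade: two independent 16-bit keys, nominally 32 key bits.
func double(k1, k2 uint16, x uint32) uint32 { return feistel(k2, feistel(k1, x, false), false) }

// meet finds (k1, k2) from two known plaintext/ciphertext pairs by matching
// E(k1, p0) against D(k2, c0); ops counts single-cipher trials, at most 2^17.
func meet(p, c [2]uint32) (k1, k2 uint16, ops int) {
	mid := make(map[uint32][]uint16, 1<<16)
	for k := 0; k < 1<<16; k++ { // forward half: every k1
		m := feistel(uint16(k), p[0], false)
		mid[m] = append(mid[m], uint16(k))
	}
	for k := 0; k < 1<<16; k++ { // backward half: every k2
		for _, cand := range mid[feistel(uint16(k), c[0], true)] {
			if double(cand, uint16(k), p[1]) == c[1] { // second pair drops false matches
				return cand, uint16(k), 1<<16 + k + 1
			}
		}
	}
	return 0, 0, 1 << 17
}

func main() {
	p := [2]uint32{0x01234567, 0x89abcdef} // constructed known plaintexts
	c := [2]uint32{double(0xBEEF, 0x1337, p[0]), double(0xBEEF, 0x1337, p[1])}
	fmt.Println(meet(p, c))
}
```

The cascade costs roughly twice the work of a single key search plus a table, not the square of it, which is the reason three DES passes were standardized instead of two.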
-1

Cascading encryption algorithms do make the ciphertext more secure, provided that both encryption algorithms are radically different and both had extensive peer reviews. My arguments for that are the following:

  1. Provided that encryption algorithm #1 is a really secure one, encrypting the plaintext with it will produce a pseudo-random ciphertext. At this point in time, the ciphertext cannot be cracked in any reasonable amount of time.

  2. Assuming that encryption algorithm #2 is also securely encrypting the ciphertext of the previous operation with encryption algorithm #2, it will produce a pseudo-random ciphertext that cannot be cracked in any reasonable amount of time.

  3. Should encryption algorithm #1 or encryption algorithm #2 have weaknesses discovered in them, at any moment in the future your plaintext will still be secure by the encryption of the other.

  4. One can argue that even if both encryption algorithm #1 and encryption algorithm #2 had weaknesses discovered in them at any moment in the future, your plaintext may still be secure because [sic, of points 1-3?].

The truth is, there are people who do not want you or anybody to cascade encryption algorithms, because that could make them impossible to crack. Imagine someone cascading encryption algorithms like crazy, e.g.:

AES -> Blowfish -> DES -> Serpent -> Twofish -> Triple DES

How can anybody break this encryption?

Of course, other issues like side channel attacks and implementation weaknesses are to be taken into consideration; as you might know, security is a huge topic.

TildalWave
EKanadily
  • "How can anybody break this encryption?" -- I think that's what people say just before they get owned. There are no known crypto algorithms that are immune to hubris. – u2702 Aug 19 '13 at 22:15
  • Agree, no encryption is immune to cracking except perhaps one-time pad. But it all comes down to how difficult it is. – EKanadily Aug 20 '13 at 06:48
  • Except @EKanadily I just tele-photoed your one-time-pad ROTFLMHO. – Andrew Russell Sep 24 '18 at 21:35
-1

Daily rotate a simple cipher that permutes 2048 bit blocks before and after your regular encryption and warehouse them in a separate location from your encrypted data.

That alone is going to be annoying as all get out to someone attempting to crack your hardened cipher.