-1

If I had to store a text file with some confidential information on the cloud, would encrypting the file multiple times (say, 3) with different passwords using WinRAR (AES with a 256 bit key) provide more security than encrypting it just once?

Assumptions:
I'm assuming that someone will eventually break into this service or my account on the cloud service and gain access to the encrypted data.

I'm also assuming that the current version of the software used (WinRAR 5.11) is secure and doesn't have any vulnerabilities that can be exploited to make password bruteforcing easier (e.g. under 1 hour for WinZip 8 and earlier versions).

EDIT: I checked the linked question, but I'm not referring to the key derivation function (KDF) used. If I understand correctly, in the linked question, the password is only used once and KeePass does a few things to slow down a bruteforce attack using rainbow tables with the KDF.

What if all three passwords that I use for each of the 3 rounds of encryption are fairly strong and different from each other? And even if a KDF is used here (seems like it is), it's used separately on each of the three different passwords.

(e.g. AES256(password3, AES256(password2, AES256(password1, data))))

Does that make it more or less secure if hardware 'accelerator' beasts like this one try to attack it?

Vinayak
  • perhaps if you encrypted it with several different strong methods rather than the same one each time, it would probably not matter if your AES key were strong enough though – Jeff Clayton Sep 03 '14 at 03:50

1 Answer

1

So you are asking about a straight brute force attack here.

The simple answer is yes.

Assuming the attacker knew the details of how you encrypted the data (which is not a bad assumption to make) the answer is that it is only as secure as encrypting it with a password of length the same as the number of times around the loop (in other words combining the three passwords used).

If the attacker does not know how you encrypted the data, and you used different algorithms at each stage, the problem becomes slightly larger due to the range of possible cryptographic algorithms that could be used. But it does not significantly improve the chances of a successful brute force attack.

Either way, the weakness is probably in the security you implement around the passwords you have used.

Unless you are thinking of storing nuclear launch codes in there, you have nothing to worry about. In the event that you ARE a missile silo commander, you might want to reconsider the cloud anyway, since it might not be available when you need the data.

DodgyG33za
  • I'd assume nuclear launch codes are stored **much** more safely, hah. I'm actually only looking to store confidential information like bank passwords, 2-Factor Authentication backup keys and such. – Vinayak Sep 03 '14 at 14:58
  • Encrypting 3 times with password of length n is less secure than encrypting once with password of length 3n. x^(3n) is much greater than 3 * x^n. – Brice M. Dempsey Dec 24 '14 at 08:31
  • @BriceM.Dempsey, the number of permutations to be tested with 3 keys of length n is 3 * x^n, provided that there is no way to know whether the first and second decryptions were successful (no hash/CRC etc. for each stage) without doing the three decryptions. – John B. Lambe Jul 16 '16 at 13:51
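
The comments above turn on whether an attacker can tell that a single layer was decrypted correctly. The following added example (not part of the original posts) counts guesses in both cases against a toy XOR cipher standing in for AES; the 16-password space, `xor_layer`, `seal`, `MARKER` and the salts are all constructed for illustration and say nothing about WinRAR's actual format.

```python
import hashlib
from itertools import product

# Constructed toy parameters: alphabet size x = 4, password length n = 2.
CANDIDATES = ["".join(p) for p in product("abcd", repeat=2)]  # x^n = 16
MARKER = b"SECRET:"  # constructed known header that marks real plaintext

def xor_layer(password, salt, data):
    """Toy stand-in for one AES layer (NOT real crypto): XOR with a hash keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(f"{salt}:{password}:{counter}".encode()).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(password, salt, data):
    """Layer that stores a check value, so a wrong password is detectable here."""
    return xor_layer(password, salt, hashlib.sha256(data).digest()[:8] + data)

def unseal(password, salt, blob):
    plain = xor_layer(password, salt, blob)
    tag, data = plain[:8], plain[8:]
    return data if hashlib.sha256(data).digest()[:8] == tag else None

def encrypt(passwords, data, checked):
    for salt, pw in enumerate(passwords, start=1):  # password1 is the innermost layer
        data = seal(pw, salt, data) if checked else xor_layer(pw, salt, data)
    return data

def attack_checked(blob, layers=3):
    """Every layer verifiable: peel them one by one, at most layers * x^n guesses."""
    guesses = 0
    for salt in range(layers, 0, -1):
        for pw in CANDIDATES:
            guesses += 1
            inner = unseal(pw, salt, blob)
            if inner is not None:
                blob = inner
                break
    return blob, guesses

def attack_unchecked(blob):
    """Only the final plaintext is recognisable: up to (x^n)^3 = x^(3n) guesses."""
    for guesses, (p3, p2, p1) in enumerate(product(CANDIDATES, repeat=3), start=1):
        data = xor_layer(p1, 1, xor_layer(p2, 2, xor_layer(p3, 3, blob)))
        if data.startswith(MARKER):
            return data, guesses
    return None, len(CANDIDATES) ** 3
```

With per-layer check values the work is additive across layers; without them it is multiplicative, which is the case where layering behaves like one password of length 3n.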