Hacker News new | ask | show | jobs
by schoen 3319 days ago
I thought I heard some presentation about superencipherment with AES + some cipher (maybe derived from AES) with per-session randomized S-boxes. You would include the S-boxes in the message as a sort of salt.

The goal of this is that if there is a cryptanalytic attack that gives brute force a 2⁴⁰ speedup and hence attackers build custom hardware to implement it, their hardware is still not effective against the other cipher and they have to do something different (maybe hard to characterize how difficult the different thing would be anticipated to be).
1 comments
tptacek 3319 days ago
Don't ever do this. The interaction of different crypto algorithms can be counterintuitive (in the sense that you won't gain what you think you're gaining), it's extraordinarily expensive in ways unbalanced against defenders, and it introduces new implementation errors that can weaken the whole system.

If you're paranoid about AES, use Chapoly (or just use Chapoly because it's in many ways more convenient to use than AES). Don't build elaborate cascades (all cascades qualify), and don't randomize S-boxes.

It is hard enough getting these systems right when you're playing exactly by the book. If you're designing a cryptosystem and you're not a professional cryptographer, the list of things you should be worried about getting wrong is very long and very scary.

link
schoen 3318 days ago
By "don't build elaborate cascades (all cascades qualify)", do you mean "no cascade construction is preferable to any other", or "every cascade is too elaborate to be worthwhile"? (The second implies the first, but the first doesn't imply the second.)
link
tptacek 3318 days ago
Every symmetric cipher cascade is bad.
link
_qbxp 3318 days ago
So the cascading cypher options (AES-Serpent-Blowfish) for VeraCrypt volumes are less safe than a simple AES encrypted volume?

Serious question. I know nothing about crypto, just assumed "more is better, but slower".

link
tptacek 3318 days ago
Anything that uses Blowfish since 2010 is incompetently designed (Blowfish has an 8-byte block size).

AES-Serpent is probably not less safe than AES; it's just not necessarily as much more safe as you'd expect.

A much bigger concern than which precise ciphers you're using is which block cipher mode you're operating under; Truecrypt/Veracrypt uses XTS --- like most disk encryption --- which (among other things) isn't authenticated.

The funniest thing about TC/VC's cascades is that the keys are derived from passwords anyways: a giant clunking complicated block cipher cascade resting on top of a low-entry password secret. It's just a silly design.

link
wakkaflokka 3318 days ago
What would be your ultimate recommendation on storing sensitive data, if not TC/VC?
link