[Cryptography] The paranoid approach to crypto-plumbing

Mon Sep 16 12:44:01 EDT 2013

After Rijndael was selected as AES, someone suggested the really 
paranoid should super encrypt with all 5 finalests in the 
competition. Five level super encryption is probably overkill, 
but two or three levels can offer some real advantages. So 
consider simple combinations of techniques which are at least as 
secure as the better of them.

Unguessable (aka random) numbers:

   Several generators, each reseeded on its own schedule, combined
   with XOR will be as good as the best of them.

Symmetric encryption:

   Two algorithms give security equal to the best of them. Three
   protect against meet-in-the-middle attacks. Performing the
   multiple encryption at the block level allows block cyphers to
   be combined with stream cyphers. RC4 may have problems, but
   adding it to the mix isn't very expensive.

Key agreement:

   For forward security, using both discrete log and elliptic
   curve Diffie-Hellman modes combined with XOR to calculate
   keying material is as good as the better of them. Encrypting a
   session key with one public key algorithm and then encrypting
   the result with another algorithm has the same advantage for
   "the normal mode" of TLS key agreement if you don't want
   forward security (which I very much want).

MACs:

   Two MACs are better than one. :-)

All this has costs, some of them significant, but those costs 
should be weighted against the security risks. Introducing a new 
algorithm with interesting theoretical security properties is a 
lot safer if the data is also protected with a well-examined 
algorithm which does not have those properties.

Cheers - Bill (who has finally caught up with the list)

---------------------------------------------------------------------------
Bill Frantz        | Re: Computer reliability, performance, and security:
408-356-8506       | The guy who *is* wearing a parachute is 
*not* the
www.pwpconsult.com | first to reach the ground.  - Terence Kelly