[Cryptography] Dumb question -> 3AES?

Natanael natanael.l at gmail.com
Mon Aug 11 16:45:37 EDT 2014


Den 11 aug 2014 19:59 skrev "Dan McDonald" <danmcd at kebe.com>:
>
> Diffie's EDE algorithm for a block cipher would apply to AES, correct?
>
> Apart from "further pounding the rubble", is there any reason one couldn't
> (or shouldn't) consider 3AES for, say, long-term offline storage
> encryption?

It is possible, but maybe won't have the effect you're looking for. The
reason for going with 3DES was that DES was strong for its keylength, but
the keylength and thus keyspace was too small = crackable with brute force.
Since it wasn't considered likely to fall to cryptanalysis in a relatively
short period of time, and people demanded something compatible with
existing hardware implementations, 3DES was created rather than ditching
DES for another cipher. 3DES provided acceptable strength without massive
re-engineering.

And what about AES? It has a far greater strength, even with AES128 which
actually even has a smaller keyspace (3DES has 3*56 = 168 bit keys but 112
bit strength due to attacks like meet-in-the-middle, but AES128 has close
to 128 bits in strength). And AES256 just isn't close to being cracked EVER
unless there's a massive cryptographic flaw found. So what is the worry?
Remember that it is because DES with 56 bit keys provides close to 56 bits
of security even still today that 3DES was considered strong enough.
However, a potential break in AES would not necessarily "just" reduce the
effective strength to above 50 bits per layer of AES (providing a similar
strength for 3AES which 3DES does today), it could trash it completely.
Which means your long term encryption failed.

So 3AES isn't good enough for hedging against flaws found in AES in the
future, unless your ONLY worry is for a PARTIAL reduction in strength. If
there's a total break, 3AES won't help you.

A much better option, if your plan is to hedge against individual
algorithms being cracked, is to use several different types of ciphers.
AES, Blowfish, some stream cipher like ChaCha, or whatever else. Even if
you still don't get much more strength in total than the single strongest
cipher provides, all you need is for just one of them to not get broken (or
for the layers of encryption to make known-plaintext attacks impossible in
the worst case scenario where they all break).
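Added example (not part of the list post, and not code from any library the thread mentions): a constructed 16-bit Feistel toy cipher with an 8-bit key, small enough that the two constructions discussed above can be exercised exhaustively. It shows Diffie's encrypt-decrypt-encrypt layering (which collapses to single encryption when all three keys are equal, the backward-compatibility property that motivated 3DES), and the meet-in-the-middle argument for why stacking two keys of n bits buys roughly n+1 bits rather than 2n: double encryption with a 16-bit combined key is recovered with 512 cipher calls instead of 65536. The key sizes, S-box seed and plaintexts are all constructed for the demonstration.

```python
import random

# Toy 16-bit Feistel block cipher with an 8-bit key. Constructed purely to
# illustrate EDE and meet-in-the-middle; it is far too small to be secure.
ROUNDS = 4
_rng = random.Random(2014)          # fixed seed so the S-box is reproducible
SBOX = list(range(256))
_rng.shuffle(SBOX)


def _round_keys(key):
    # Rotate the 8-bit key by i bits and mix in a round constant.
    return [(((key << i) | (key >> (8 - i))) & 0xff) ^ ((0x5b * i) & 0xff)
            for i in range(ROUNDS)]


def encrypt_block(key, block):
    left, right = block >> 8, block & 0xff
    for rk in _round_keys(key):
        left, right = right, left ^ SBOX[right ^ rk]
    return (left << 8) | right


def decrypt_block(key, block):
    # Same rounds in reverse order, undoing the Feistel swap each step.
    left, right = block >> 8, block & 0xff
    for rk in reversed(_round_keys(key)):
        left, right = right ^ SBOX[left ^ rk], left
    return (left << 8) | right


def ede_encrypt(k1, k2, k3, block):
    # Diffie's encrypt-decrypt-encrypt layout, as used by 3DES.
    # With k1 == k2 == k3 the middle decrypt cancels the first encrypt,
    # so the triple construction degrades to plain single encryption.
    return encrypt_block(k3, decrypt_block(k2, encrypt_block(k1, block)))


def ede_decrypt(k1, k2, k3, block):
    return decrypt_block(k1, encrypt_block(k2, decrypt_block(k3, block)))


def double_encrypt(k1, k2, block):
    # Naive two-key stacking: the construction meet-in-the-middle defeats.
    return encrypt_block(k2, encrypt_block(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) of double_encrypt from known plaintext/ciphertext
    pairs. Builds a table of E_k1(p0) for every k1, then looks up D_k2(c0)
    for every k2: about 2 * 2**8 cipher calls instead of 2**16.
    Returns (candidate key pairs, number of table-building cipher calls)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    calls = 0
    forward = {}
    for k1 in range(256):
        forward.setdefault(encrypt_block(k1, p0), []).append(k1)
        calls += 1
    candidates = []
    for k2 in range(256):
        mid = decrypt_block(k2, c0)
        calls += 1
        for k1 in forward.get(mid, []):
            # Filter survivors of the first pair against the remaining pairs.
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates, calls


if __name__ == "__main__":
    k1, k2, k3 = 0x3a, 0xc7, 0x91                       # constructed keys
    sample = [0x0000, 0x1234, 0xbeef]                   # constructed plaintexts
    pairs = [(p, double_encrypt(k1, k2, p)) for p in sample]
    found, calls = meet_in_the_middle(pairs)
    print("recovered", [(hex(a), hex(b)) for a, b in found], "with", calls, "calls")
    print("EDE with one key equals single encryption:",
          ede_encrypt(k1, k1, k1, 0x1234) == encrypt_block(k1, 0x1234))
```

The 512-call figure is the whole point of the "112 bits of strength" remark in the post: the table trades memory for time, and a third layer (EDE) pushes the attacker back to searching two key spaces, which is why 3DES rather than 2DES was standardised. The same arithmetic applies to any block cipher, including AES, so layering AES buys a partial-reduction hedge only.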