Multiple encryption: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 14:07, 17 June 2019 edit Narky Blert (talk \| contribs) Autopatrolled, Extended confirmed users, Page movers 419,286 edits Link to DAB page removed (a surname) ← Previous edit		Latest revision as of 08:56, 9 August 2025 edit undo CortexFiend (talk \| contribs) 91 edits Link suggestions feature: 2 links added. Tags: Visual edit Newcomer task Suggested: add links
(42 intermediate revisions by 29 users not shown)
Line 1: {{Short description\|Process of encrypting message one or more times}} ~~{{Portal\|Cryptography}}~~ '''Multiple encryption''' is the process of [[encryption\|encrypting]] an already encrypted message one or more times, either using the same or a different algorithm. It is also known as '''cascade encryption''', '''cascade ciphering''', '''multiple encryption''', and '''superencipherment'''. '''Superencryption''' refers to the outer-level encryption of a multiple encryption. Some cryptographers, like Matthew Green of [[Johns Hopkins University]], say multiple encryption addresses a problem that mostly doesn't exist: ==Independent keys==▼ Picking any two [[cipher]]s, if the [[key (cryptography)\|key]] used is the same for both, the second cipher could possibly undo the first cipher, partly or entirely. This is true of ciphers where the decryption process is exactly the same as the encryption process—the second cipher would completely undo the first. If an attacker were to recover the key through [[cryptanalysis]] of the first encryption layer, the attacker could possibly decrypt all the remaining layers, assuming the same key is used for all layers.▼ {{Blockquote To prevent that risk, one can use keys that are [[statistical independence\|statistically independent]] for each layer (e.g. independent [[Random number generator\|RNGs]]).▼ \|text = Modern ciphers rarely get broken... You’re far more likely to get hit by malware or an implementation bug than you are to suffer a catastrophic attack on AES. \|title=~~= Example of~~ Multiple Encryption==▼ \|source=https://blog.cryptographyengineering.com/2012/02/02/multiple-encryption/ (February 2, 2012)}} However, from the previous quote an argument for multiple encryption can be made, namely poor implementation. Using two different cryptomodules and keying processes from two different vendors requires both vendors' wares to be compromised for security to fail completely. ▲==Independent keys== ~~==Importance of the first layer==~~ ▲Picking any two [[cipher]]s, if the [[key (cryptography)\|key]] used is the same for both, the second cipher could possibly undo the first cipher, partly or entirely. This is true of ciphers where the [[decryption]] process is exactly the same as the encryption process (a [[reciprocal cipher]]) &~~mdash~~ndash; the second cipher would completely undo the first. If an attacker were to recover the key through [[cryptanalysis]] of the first encryption layer, the attacker could possibly decrypt all the remaining layers, assuming the same key is used for all layers. ~~With the exception of the [[one-time pad]], no cipher has been theoretically proven to be unbreakable.~~ Furthermore, some recurring properties may be found in the [[Ciphertext\|ciphertexts]] generated by the first cipher. Since those ciphertexts are the plaintexts used by the second cipher, the second cipher may be rendered vulnerable to attacks based on known plaintext properties (see references below).▼ ▲To prevent that risk, one can use keys that are [[statistical independence\|statistically independent]] for each layer (e.g. independent [[~~Random~~random number generator\|RNGs]]). This is the case when the first layer is a program P that always adds the same string S of characters at the beginning (or end) of all ciphertexts (commonly known as a [[Magic number (programming)\|magic number]]). When found in a file, the string S allows an [[Kernel (operating system)\|operating system]] to know that the program P has to be launched in order to decrypt the file. This string should be removed before adding a second layer.▼ Ideally each key should have separate and different generation, sharing, and management processes. To prevent this kind of attack, one can use the method provided by [[Bruce Schneier]] in the references below: generate a random pad of the same size of the plaintext, then [[XOR]] the plaintext with the pad, resulting in a first ciphertext. Encrypt the pad and the first ciphertext with a different cipher and a different key, resulting in 2 more ciphertexts. [[Concatenate]] the last 2 ciphertexts in order to build the final ciphertext. A cryptanalyst must break both ciphers to get any information. This will, however, have the drawback of making the ciphertext twice as long as the original plaintext. ==Independent Initialization Vectors== Note, however, that a weak first cipher may merely make a second cipher that is vulnerable to a [[Chosen-plaintext attack\|chosen plaintext attack]] also vulnerable to a [[Known-plaintext attack\|known plaintext attack]]. However, a [[block cipher]] must not be vulnerable to a chosen plaintext attack to be considered secure. Therefore, the second cipher described above is not secure under that definition, either. Consequently, both ciphers still need to be broken. The attack illustrates why strong assumptions are made about secure block ciphers and ciphers that are even partially broken should never be used.▼ For en/decryption processes that require sharing an [[Initialization Vector]] (IV) / [[Cryptographic nonce\|nonce]] these are typically, openly shared or made known to the recipient (and everyone else). Its good security policy never to provide the same data in both plaintext and ciphertext when using the same key and IV. Therefore, its recommended ''(although at this moment without specific evidence)'' to use separate IVs for each layer of encryption. ==~~The Rule~~Importance of ~~Two~~the first layer== ▲With the exception of the [[one-time pad]], no cipher has been theoretically proven to be unbreakable. Furthermore, some recurring properties may be found in the [[~~Ciphertext\|ciphertexts~~ciphertext]]s generated by the first cipher. Since those ciphertexts are the plaintexts used by the second cipher, the second cipher may be rendered vulnerable to attacks based on known plaintext properties (see references below). ▲This is the case when the first layer is a program P that always adds the same string S of characters at the beginning (or end) of all ciphertexts (commonly known as a [[Magic number (programming)\|magic number]]). When found in a file, the string S allows an [[Kernel (operating system)\|operating system]] to know that the program P has to be launched in order to decrypt the file. This string should be removed before adding a second layer. The '''Rule of Two''' is a data security principle from the [[National Security Agency\|NSA's]] Commercial Solutions for Classified Program (CSfC).<ref>{{cite web \|url=http://www.nsa.gov/ia/programs/csfc_program/ \|title=Commercial Solutions for Classified Program \|publisher=US National Security Agency \|access-date=24 December 2015 \|quote=}}</ref> It specifies two completely independent layers of cryptography to protect data. For example, data could be protected by both hardware encryption at its lowest level and software encryption at the application layer.▼ To prevent this kind of attack, one can use the method provided by [[Bruce Schneier]]:<ref>{{cite book \|last1=Schneier \|first1=Bruce \|title=Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C \|date=30 March 2015 \|publisher=Wiley Computer Publishing \|pages=368 \|isbn=9781119096726 \|url=https://books.google.com/books?id=VjC9BgAAQBAJ&q=15.8+Combining+Multiple+Block+Algorithms&pg=PA368}}</ref> The principle is practiced in the NSA's secure mobile phone called Fishbowl<ref name=":0" />. The phones use two layers of encryption protocols, [[IPsec]] and [[Secure Real-time Transport Protocol]] (SRTP), to protect voice communications. * Generate a random pad R of the same size as the plaintext. ▲== Example of Multiple Encryption== * Encrypt R using the first cipher and key. * [[XOR]] the plaintext with the pad, then encrypt the result using the second cipher and a different (!) key. * [[Concatenate]] both ciphertexts in order to build the final ciphertext. A cryptanalyst must break both ciphers to get any information. This will, however, have the drawback of making the ciphertext twice as long as the original plaintext. The figure shows from inside to outside the process of how the encrypted capsule is formed in the context of Echo Protocol, used by the Software Application GoldBug Messenger.<ref>http://goldbug.sf.net</ref> GoldBug has implemented a hybrid system for authenticity and confidentiality.<ref name=":0">Adams, David / Maier, Ann-Kathrin (2016): BIG SEVEN Study, open source crypto-messengers to be compared - or: Comprehensive Confidentiality Review & Audit of GoldBug, Encrypting E-Mail-Client & Secure Instant Messenger, Descriptions, tests and analysis reviews of 20 functions of the application GoldBug based on the essential fields and methods of evaluation of the 8 major international audit manuals for IT security investigations including 38 figures and 87 tables., URL: <nowiki>https://sf.net/projects/goldbug/files/bigseven-crypto-audit.pdf</nowiki> - English / German Language, Version 1.1, 305 pages, June 2016 (ISBN: DNB 110368003X - 2016B14779)</ref> ▲Note, however, that a weak first cipher may merely make a second cipher that is vulnerable to a [[Chosen-plaintext attack\|chosen plaintext attack]] also vulnerable to a [[Known-plaintext attack\|known plaintext attack]]. However, a [[block cipher]] must not be vulnerable to a chosen plaintext attack to be considered secure. Therefore, the second cipher described above is not secure under that definition, either. Consequently, both ciphers still need to be broken. The attack illustrates why strong assumptions are made about secure block ciphers and ciphers that are even partially broken should never be used. ~~[[File:Figure 02 GoldBug – Encrypted Message Format within the Echo- Protocol.png\|thumb\|500px]]~~ ==The Rule of Two== ~~'''<u>First layer of the encryption:</u>'''~~ ▲The '''Rule of Two''' is a [[data security]] principle from the [[National Security Agency\|NSA's]] Commercial Solutions for Classified Program (CSfC).<ref>{{cite web \|url=http://www.nsa.gov/ia/programs/csfc_program/ \|title=Commercial Solutions for Classified Program \|publisher=US National Security Agency \|access-date=24 December 2015 \|quote= \|archive-url=https://web.archive.org/web/20151225183650/https://www.nsa.gov/ia/programs/csfc_program/ \|archive-date=25 December 2015 \|url-status=dead }}</ref> It specifies two completely independent layers of cryptography to protect data. For example, data could be protected by both hardware encryption at its lowest level and software encryption at the application layer. It could mean using two [[Federal Information Processing Standards\|FIPS]]-validated software cryptomodules from different vendors to en/decrypt data. ~~The ciphertext of the original readable message is hashed, and subsequently the symmetric keys are encrypted via the asymmetric key - e.g. deploying the algorithm RSA.~~ ~~In an intermediate step the ciphertext, and the hash digest of the ciphertext are combined into a capsule, and packed together.~~ It follows the approach: [[w:Authenticated encryption#Encrypt-then-MAC\|Encrypt-then-MAC]]. In order for the receiver to verify that the ciphertext has not been tampered with, the digest is computed before the ciphertext is decrypted. The importance of vendor and/or model diversity between the layers of components centers around removing the possibility that the manufacturers or models will share a vulnerability. This way if one components is compromised there is still an entire layer of encryption protecting the information at rest or in transit. The CSfC Program offers solutions to achieve diversity in two ways. "The first is to implement each layer using components produced by different manufacturers. The second is to use components from the same manufacturer, where that ~~'''<u>Second layer of encryption:</u>'''~~ manufacturer has provided NSA with sufficient evidence that the implementations of the two components are independent of one another."<ref>{{cite web \|url=https://www.nsa.gov/Portals/70/documents/resources/everyone/csfc/capability-packages/MACPv2_1.pdf/ \|title=Mobile Access Capability Package \|publisher=US National Security Agency \|access-date=28 February 2020 \|quote=}}</ref> Optionally it is still possible, therefore to encrypt the capsule of the first layer in addition with an [[w:Advanced Encryption Standard\|AES-256]], - comparable to a commonly shared, 32-character long symmetric password. Hybrid Encryption is then added to multiple encryption. The principle is practiced in the NSA's secure mobile phone called Fishbowl.<ref name=":0">{{cite book \| last=Adams \| first=David \| last2=Maier \| first2=Ann-Kathrin \| title=Big Seven Study (2016): 7 open source Crypto-Messengers to be compared (English/Deutsch) \| publisher=BoD – Books on Demand \| publication-place=Norderstedt \| date=2019-10-23 \| isbn=978-3-7504-0897-5 \| url=https://phoenixnap.dl.sourceforge.net/project/goldbug/bigseven-crypto-audit.pdf}}</ref> The phones use two layers of encryption protocols, [[IPsec]] and [[Secure Real-time Transport Protocol]] (SRTP), to protect voice communications. The Samsung [[Galaxy S9]] Tactical Edition is also an approved CSfC Component. ~~'''<u>Third layer of the encryption:</u>'''~~ ~~Then, this capsule is transmitted via a secure [[w:Transport Layer Security\|SSL/TLS]] connection to the communication partner~~ ==References== Line 45 ⟶ 48: ==Further reading == {{refbegin}} ~~<small>~~ * "Multiple encryption" in [~~http~~https://www.ciphersbyritter.com/GLOSSARY.HTM#MultipleEncryption "Ritter's Crypto Glossary and Dictionary of Technical Cryptography"] * Confidentiality through Multi-Encryption, in: Adams, David / Maier, Ann-Kathrin (2016): BIG SEVEN Study, open source crypto-messengers to be compared -– or: Comprehensive Confidentiality Review & Audit of GoldBug, Encrypting E-Mail-Client & Secure Instant Messenger, Descriptions, tests and analysis reviews of 20 functions of the application GoldBug based on the essential fields and methods of evaluation of the 8 major international audit manuals for IT security investigations including 38 figures and 87 tables., URL: https://sf.net/projects/goldbug/files/bigseven-crypto-audit.pdf -– English / German Language, Version 1.1, 305 pages, June 2016 (ISBN: ~~DNB~~ 110368003X -– DNB: 2016B14779). * A "way to combine multiple block algorithms" so that "a cryptanalyst must break both algorithms" in §15.8 of ''Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C'' by Bruce Schneier. Wiley Computer Publishing, John Wiley & Sons, Inc. * S. Even and O. Goldreich, On the power of cascade ciphers, ACM Transactions on Computer Systems, vol. 3, pp. 108–116, 1985. * M. Maurer and J. L. Massey, Cascade ciphers: The importance of being first, Journal of Cryptology, vol. 6, no. 1, pp. 55–61, 1993. {{refend}} ~~</small>~~ {{DEFAULTSORT:Multiple Encryption}}