I stumbled upon this yesterday. It seems to be some kind of show/podcast where Steve Gibson talks out of his ass. One of them particularly pissed me off.
And it comes from really that bungling attempt I made a couple weeks ago when, well, it was the issue of double encryption, the question we answered several Q&As ago where some guy said hey, you know, what if I encrypt something with one key, then I encrypt it again with another key? Isn’t that, like, much better than encrypting it just once? And I absolutely know that it is, and I know why it is.
Oh really?
I mean, I’ve implemented Rijndael, which is the AES standard, in Assembly language. I know exactly how it works.
Oh, man. In assembly. You really are an expert.
Now, Leo, I found some math genius somewhere on the Internet who she spent her whole life coming up with cool ways to do factorials. I have the size of that number, thanks to her.
This must be really hard, seems to take some kind of math genius. Let’s fire up MAGMA:
> R := RealField();
> N := 2^128;
> size := (N*Log(N) - N + Log(N*(1+4*N*(1+2*N)))/6 + Log(Pi(R))/2)/Log(10);
> size;
1.29639227739158973521399965250E40
Damn, that was hard. Thanks to that math genius called Ramanujan now i know the size of the thing…
Precisely, the size of the total number of possible mappings that 128-bit cipher can have, I mean, it’s just so ridiculously small.
Then he goes around talking about how 2^128 and 2^256 are not huge numbers. I’d love to know in what parallel universe that is.
So the idea is, essentially, you have a bunch of carefully chosen random data, and the key is used, mixed with and to select from a pool of random data. And this is, it’s random, but it’s always the same.
OK, that made sense.
So, for example, public keys, where we were talking about 128 bits being all the strength you would ever need, public keys need to be 1024 bits in order to have the equivalent strength.
So NSA’s suite B doesn’t exist, right? Where ECC-256, ECC-384 and ECC-521 match 128, 192 and 256-bit symmetric key sizes, respectively. The sizes are double the size because with public key number theoretic algorithms one can always use Pollard’s Rho which runs in average for 2^(n/2) iterations.
So again, the guys who did Rijndael said okay, we’re aware of side-channel attacks. We’re going to make what Rijndael does not key dependent.
Right.
Now, for the main point. Is double encryption a good idea? Steve here thinks it is:
So the fact is, the original question that was asked back on Episode 120 was, if I encrypt it twice, with different keys, isn’t that better than once? And it’s absolutely the case that it is because, remember, somebody would be looking at the output from the second encryption, and the only attack is a brute force attack trying keys, you know, like a dictionary attack. And they would be looking for it to get plaintext out of the decryption. But the plaintext out of the second encryption is the encryption from the first, which means there is never going to be any plaintext. And as we’ve seen, the key spaces are such that there’s just no chance another one of those keys, I mean, virtually no chance another one of those keys is going to magically perform the double encryption for you. That’s just not - you have no access to the total number of mappings that are possible through a 128-bit block cipher.
Once again, our friendly security expert is short of the facts. One can use a meet-in-the-middle attack to break double encryption in only 2^(n+1) iterations. Yes, double the keysize and only double, not squared security? Yeah that’s a great idea.
He also mentions 3DES as an example of multiple encryption. But he fails to mention 3DES people actually knew what they were doing. The actual 3DES key is 112, not 168 bit. Triple encryption is only used to thwart meet-in-the-middle attacks, which apparently our expert knows nothing about. So if your tinfoil hat makes you think your key is too short, don’t be an idiot and just use a cipher that allows larger keys.
Steve Gibson is a moron. QED.
