The way I read it is something much simpler than attacking the encryption - it seams to be about operational procedures security.
Think if somebody mis-configures something on the first layer you still have the second layer. Now if you add two separate teams managing each layer then you have a good chance they will not do the same mistake. Or if I have to be a bit more cold war - if keying material managed in one of the layers leaks out then the other layer provides protection. So two teams, to operation procedure sets and two sets of keys (oversimplifying here) and an attacker has to be able to infiltrate both... Krassimir On Fri, Mar 2, 2012 at 6:48 AM, Steven Bellovin <s...@cs.columbia.edu> wrote: > > On Mar 2, 2012, at 2:59 AM, Marsh Ray wrote: > >> On 03/01/2012 09:31 PM, Jeffrey Walton wrote: >>> Interesting. I seem to recall that cascading ciphers is frowned upon >>> on sci.crypt. I wonder if this is mis-information.... >> >> Not mis-information. You could easily end up enabling a meet-in-the-middle >> attack just like double DES. >> >> https://en.wikipedia.org/wiki/Meet-in-the-middle_attack > > Meet-in-the-middle attacks don't weaken things; they merely don't give you as > much advantage as one might suppose. Note, though, that you need 2^n > storage. This is Suite B/Top Secret, which means 256-bit AES, which means > that you would need 2^260 bytes of storage. That's too much, even for NSA, > so those attacks aren't even relevant. > > Where NSA has a strong edge over most civilian crypto folks is that they > understand that they're dealing with a *system* -- not just a cipher, but key > exchange, key storage, timing attacks and other side channels, buggy > implementations, very fallible (or corrupt[ed]) people, etc. Maybe SRTP is > weak in a way they haven't found. Maybe IPsec is. They've looked at both > and don't think so, but they can't rule it out. But if you combine both > *and* you do it in a way you think actually buys you something, you've > protected yourself against a lot of those failures. Both would have to fail, > and in a compatible way, for there to be a weakness. > > > --Steve Bellovin, https://www.cs.columbia.edu/~smb > > > > > > _______________________________________________ > cryptography mailing list > cryptography@randombit.net > http://lists.randombit.net/mailman/listinfo/cryptography _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
