Advice Request Double (or triple) encryption - Is it advisable?

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.

HarborFront

Level 71
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,022
Hi

Is double (or triple) encryption advisable? Will it double (or triple) the security? Or will it weaken it?

Let's say you compose a message with a text editor and encrypts it. Then you attach the password-protected file to your secure email (like ProtonMail or Tutanota) which further encrypts it.

Another example would be if you encrypt your file and then store it on your external HDD/SSD which is further disk encrypted.

Would using the same encryption or different encryption methods be better?

Thanks
 
Last edited:

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
I assume that doubling or tripling encryption may improve the security of the protected file because one must decrypt the first encryption (the outer layer) before decrypting the second, and then the third.

VeraCrypt (and TrueCrypt) has this option. For instance, it has an option for Serpent+AES, which would mean that the file is first encrypted in the AES format, then this encrypted file is encrypted again using Serpent.

But in normal circumstances, I believe one encryption is enough. Doubling or tripling encryption is only for criminals, big businesses, and top gov, especially security, agencies. :D
 

iangcarroll

Level 1
Jan 24, 2016
9
No, layering encryption algorithms does not weaken anything. It technically protects you against any one layer being weak if you use multiple algorithms, but realistically you are fine using one trustworthy one and switching as needed.

Google (more or less) does this to test out post-quantum cryptography; the PQ algorithm CECPQ1 is used over an already secure connection established with ECDH, a "safe" key exchange algorithm.
 

iangcarroll

Level 1
Jan 24, 2016
9
However, someone over at Wilders Security Forums got screwed up with double encryption. A possibility here

Does dual-encryption weakens the encryption?
Don't buy the flash drive he was using! ;)

I do not know what happened there. But the cryptographic construct itself ( such as doing ChaCha(AES(data)) ) is safe, provided at least one is securely implemented. You literally just get random data from (properly designed) ciphers, so there is nothing special about encrypting encrypted bytes.
 

iangcarroll

Level 1
Jan 24, 2016
9
Having read a bit more, there are a couple of asterisks for my previous statement. I won't regurgitate the entirety of Matthew Green's article, but essentially:
  • If you use the same key, you may seriously screw yourself over. He gives AES-CTR as an example, where CTR(K, CTR(K, M)) (where M is the message and K is the key) will not actually encrypt anything, because encryption and decryption are the same operation.
  • The construct might become somewhat malleable if one algorithm is weak. Malleability is not too relevant for the encryption of documents and such.
  • The construct may not be stronger than its first layer, assuming you can coerce patterns into it. It is _extremely_ unlikely you are going to be able to do that with a modern cipher like AES-CBC, but the point is there.

But yeah, if you upload an encrypted document to ProtonMail and it's re-encrypted by them, the worst case is that ProtonMail did nothing to encrypt it.
 

HarborFront

Level 71
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,022
Having read a bit more, there are a couple of asterisks for my previous statement. I won't regurgitate the entirety of Matthew Green's article, but essentially:
  • If you use the same key, you may seriously screw yourself over. He gives AES-CTR as an example, where CTR(K, CTR(K, M)) (where M is the message and K is the key) will not actually encrypt anything, because encryption and decryption are the same operation.
  • The construct might become somewhat malleable if one algorithm is weak. Malleability is not too relevant for the encryption of documents and such.
  • The construct may not be stronger than its first layer, assuming you can coerce patterns into it. It is _extremely_ unlikely you are going to be able to do that with a modern cipher like AES-CBC, but the point is there.

But yeah, if you upload an encrypted document to ProtonMail and it's re-encrypted by them, the worst case is that ProtonMail did nothing to encrypt it.
But if the encryption method for the attached file is different from ProtonMail would that strengthen the overall?
 
  • Like
Reactions: Deleted member 2913

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
841
Most cryptographers don't recommend using 2 ciphers 1 on top of each other to encrypt files.

Using 2 ciphers to encrypt the same file does not offer more security.

AES 256 is fine by itself. Even with Quantum computers AES 256 would still be fine because the key length would only get cut in half to 128.
 
  • Like
Reactions: Deleted member 2913

HarborFront

Level 71
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,022
H
Most cryptographers don't recommend using 2 ciphers 1 on top of each other to encrypt files.

Using 2 ciphers to encrypt the same file does not offer more security.

AES 256 is fine by itself. Even with Quantum computers AES 256 would still be fine because the key length would only get cut in half to 128.
However, encryption software like VeraCrypt allows the use of up to 3 encryption algorithms. Of course speed will be affected in the process. See below

VeraCrypt & how-to basics - BestVPN.com

I think if you encrypt a file with AES and then stored in a HDD/SSD which is disk encrypted again with AES then the benefit will not be there. But if you store the AES-encrypted file in a HDD/SSD with Serpent-Twofish encryption then I believe this will strengthen the file overall.

What do you think?

Thanks
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top