[dm-crypt] Re2: Cascading two plain dm-crypt volumes

Arno Wagner arno at wagner.name
Fri Nov 29 06:17:31 CET 2013


[...]
> That is not how it works, unfortunately. While your idea is
> somewhat intuitive, there is no way to brute-force even 
> a 128 bit AES key. Hence such an attacker must know some
> weakness in the cipher. But the thing is that possibly
> there is a key k3 so that
> 
>    aes(k1, aes(k2, data)) = aes(k3, data)
> 
> and hence layering the same cipher may completely worthless.
> AFAIK this type of approach was abandoned quite a while ago
> in the research community.
> 
> Just use a single AES layer and pump up the passphrase entropy
> by doing 
> 
>    aes(k1+k2, data)
> 
> which is massively more secure unless k1, k2 have entropy in 
> the size of the key-length.

Just found a reference:
http://en.wikipedia.org/wiki/Meet-in-the-middle_attack

The gist is that breaking aes(k1, aes(k2, data)) 
takes only twice as long as breaking aes(k3, data),
i.e. adds one bit of entropy and is meanigless security-wise.

If you have less than the maximum entropy in your keys,
then doing aes(k1+k2, data) doubles the entropy, i.e.
_squares_ the effort needed, up to 2^(number of key bits).

So, really, do not do this.

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare


More information about the dm-crypt mailing list