using multiple encryption algorithms

rpk2006

Technical User
Apr 24, 2002
225
IN
My question is regarding using "Multiple Encryption Programs or Algorithms".

To secure a very important document or message, we use any encryption software like "PGP".

But, if we Encrypt the same file with multiple Encryption programs selecting different algorithms and different keys for e.g.,

Firstly, suppose, we encrypt a file with "PGP".

Then we again encrypt this PGP file with any other encryption program, selecting an encryption algorithm like "Rijndael" to encrypt this file.

Again we Encrypt this file with any other program using "TwoFish" algorithm.

And, finally we send this file to the recipient.

Suppose the recipient knows which program he needs to decrypt with first, and he decrypts the file using those programs.

I have seen some programs which let the user select the encryption algorithm from a list of algorithms to encrypt a file.

So, if we use this type of program and encrypt a file with various algorithms and different keys, does it make the encryption stronger?

Thanks.

There is always a new solution for the same problem.

Anonymous
 
Be aware of the following:
Most really strong algorithms are not cracked by cryptologic methods, but by stealing the passphrases and/or the decryption keys. Algorithms like CAST, Triple-DES or IDEA are strong enough and they can resist very strong attacks.
The use of multiple encryption does not make too much sense, because it increases the average decryption time from, let's say, 1000000000 years to 2000000000 years.

And I have posted here earlier: the security elements of an encryption must not be placed in the method but in the key, because the method can be analyzed by reverse engineering methods.

And the next question: Why do you need encryption? For storing on your local computer or for data transport on insecure lines?
In the second case you need an asymmetric method, and here the weak point is the asymmetric encryption. That means if anybody finds a way to crack RSA or Diffie-Hellman, the AES or Triple DES encryption is void.

hnd
hasso55@yahoo.com

 
Hnd,

What exactly happened is that, in my Yahoo account, there were certain very important emails with attachments including compressed and encrypted projects.

Recently, I got some mails from unknown users, who referenced my attachment names in their email.

I am worried that probably my Yahoo email got hacked.
Also, recently I heard of a PGP flaw.
Though my emails are encrypted, the email hack baffled me.

There is always a new solution for the same problem.

Anonymous
 
Up to now I have never heard of a real hack of PGP. What happened are Trojan attacks on computers where PGP secret keyrings are stored. Usually these are attacks with keyloggers. Another way is that some persons protect their keyrings and passphrases much less carefully. In those cases each encryption may be worthless.
It does not make too much sense to try to invent a "new cryptographic system". The current algorithms are very good. But if you make compromises on security policies then you will get trouble.
The security flaws of PGP are a question of installation, not of PGP.

hnd
hasso55@yahoo.com

 
I forgot one thing: There are some PGP implementations, like in KMail under Linux, which do not encrypt attachments automatically. Perhaps you should have a look at this topic.

hnd
hasso55@yahoo.com

 
hnd,
Actually, you are wrong with security based on the key. The encryption method used has a HUGE part in the security of the file regardless of the key. Crackers tend to break encryption methods like IDEA, Triple-DES, etc. within an hour even if the key is considered "secure." I am not saying that the key used is pointless, but rather choosing a better encryption method with a decent key is best. Using encryption layering does increase the file security a million-fold, so what rpk is doing is fine.

--Sapient2003 - sapient@sapient2003.com
"The worst insecurity is believing you are too secure."
 
Sapient,

I posted this question at "SearchSecurity.com" forum also. Experts there are saying that using multiple encryption algorithms may even weaken the original encryption.

Please go to the following link:
"Re...Cryptography" Post #170 by Mencik

What's the truth?

There is always a new solution for the same problem.

Anonymous
 
Sapient,
What I say: If the security of a cryptographic system were based in the method (software), it could be broken "easily" by disassembling and analyzing the method. Therefore the security must be put into the key, because a key can be kept secret if you maintain a secret key policy.

Hackers have no real methods today to crack 128-bit encryption reliably.

I personally do not trust any new encryption method, because there is no method to prove the security except real life, and a good system must have proven that it can withstand even serious attacks. That means attacks by experts, not by script kiddies. And therefore I would be very careful about using my own cryptography, especially if I were inexperienced in breaking codes.

I would not say that multiple encryption would lower security, but in some cases it will not increase the security, because two linear transformations could be replaced by one. On the other side, if you use multiple encryption you have to deal with a lot of keys, which you cannot keep in mind, and therefore you have to write them down - a new security hole.

I repeat: Most successful attacks on really strong cryptography have been done by conspirative techniques like trojan horses, inserting hardware into a keyboard and/or stealing keys and passphrases. The human factor has to be treated as the weakest point in the security chain, and therefore the security has to be handled in a very commod way so that it is accepted by the users.


hnd
hasso55@yahoo.com
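
hnd's remark above that two linear transformations can be replaced by one, shown as an added example (not code from this thread): a deliberately linear toy cipher, layered under two independent keys, collapses to one equivalent key, so the second layer adds no keyspace. The affine cipher and every name below are assumptions chosen for illustration; ciphers such as Rijndael or Twofish are built to be non-linear, so this collapse is specific to linear ciphers.

```python
from math import gcd

def affine_encrypt(data: bytes, key, m: int = 256) -> bytes:
    """Toy affine cipher: c = (a*p + b) mod m. Linear on purpose, NOT secure."""
    a, b = key
    if gcd(a, m) != 1:
        raise ValueError("a must be invertible mod m")
    return bytes((a * p + b) % m for p in data)

def affine_decrypt(data: bytes, key, m: int = 256) -> bytes:
    a, b = key
    a_inv = pow(a, -1, m)  # modular inverse (Python 3.8+)
    return bytes((a_inv * (c - b)) % m for c in data)

def compose(k1, k2, m: int = 256):
    """Single key equal to 'encrypt with k1, then with k2':
    a2*(a1*p + b1) + b2 = (a2*a1)*p + (a2*b1 + b2)."""
    (a1, b1), (a2, b2) = k1, k2
    return ((a2 * a1) % m, (a2 * b1 + b2) % m)

def keyspace_after_layering(m: int = 16):
    """Return (number of single keys, number of distinct two-layer ciphers).
    A small modulus keeps the exhaustive pairing fast."""
    keys = [(a, b) for a in range(m) if gcd(a, m) == 1 for b in range(m)]
    layered = {compose(k1, k2, m) for k1 in keys for k2 in keys}
    return len(keys), len(layered)

if __name__ == "__main__":
    msg = b"constructed sample message"   # constructed input
    k1, k2 = (5, 17), (11, 200)           # two independent toy keys
    twice = affine_encrypt(affine_encrypt(msg, k1), k2)
    k3 = compose(k1, k2)
    print("equivalent single key:", k3)
    print("same ciphertext:", twice == affine_encrypt(msg, k3))
    print("one-step decrypt:", affine_decrypt(twice, k3))
    print("keys vs layered ciphers (m=16):", keyspace_after_layering())
```

An attacker searching the single-key space therefore also covers every two-layer combination of this cipher.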

 
Recommended are the pages and links on Roger Clarke's site


My sentiment is that if a strong encryption package is soundly implemented then additional encryption adds no appreciable privacy protection.

Repetitively encrypting with badly implemented or designed packages is next to no protection.

If you look on the web, there are considerable problems trusting some encryption by some corporations whose histories show repetitive errors that are consistent with someone knowing what was up being able to read most peoples' encrypted material.

These subtle errors in very complex code on many platforms were rapidly repaired, patches released in 72 hours, once in 24 hours.

Think about it. It is possible. Is it likely? When was the testing done?

The question comes down more to "Who do you trust?" as the mathematics and coding for extremely good encryption is generally available.

Open Source is a pretty trustable way of getting encryption and the code has often been reviewed and tested (attacked) by some pretty competent people.
 
Jnicks 100 % Agreement

hnd
hasso55@yahoo.com

 
A way to make trouble for attackers could be to combine different security techniques, like encryption with Steganos. That could increase security immensely. But I am really in doubt whether that would be necessary in real life.

hnd
hasso55@yahoo.com

 