
TripleSec - Symmetric Encryption combining AES, Salsa20, and Twofish - jonbaer
https://keybase.io/triplesec/
======
zeckalpha
I may be wrong as I'm no security researcher, but I was under the impression
that combining things like this (and rolling your own crypto in general) could
potentially make things weaker. Is this the case here?

Edit: Reading it more, I'm more convinced. It looks like there was a
discussion a few days ago:
[https://news.ycombinator.com/item?id=6401057](https://news.ycombinator.com/item?id=6401057)

~~~
rainsford
Combining algorithms, if done properly, isn't necessarily going to make things
weaker. But doing it properly isn't trivial (which goes for crypto in general)
and the more complex the construction, the more opportunities for screwing it
up.

But at the end of the day it's still trying to solve the wrong problem. The
chance of a well studied algorithm like AES having a significant weakness is
much, MUCH lower than the chance that a particular program using it has a
security flaw. Any effort spent layering Twofish and Salsa20 on top of AES
would almost certainly be better spent making sure the usage of AES is totally
secure.

~~~
maxtaco
It wasn't trivial to write TripleSec, which is why we did it and open-sourced
it.

Any encrypted data you put onto a remote server will live there forever, so
your encryption has to be future-proof. I think it pays to hedge your bets
here.

All of our implementations are tested against known test vectors. Side-channel
attacks could be a problem though.

------
blake8086
I like this idea to reduce dependence on trusting any given algorithm.

If I'm a global passive adversary, I would try to attack your blobs in these
ways:

1) weaken your random number generators

2) guess your password by running massive dumps of passwords and passwords
mutated with rules against pbkdf2 (why didn't you use scrypt?)

3) try to convince you or your system to decrypt a blob and reveal the
plaintext to me surreptitiously (not so passive)

4) try to get your password from security flaws in wherever you store it

5) conduct traffic analysis on who is storing blobs where and when, and how
long their blobs are

My bet is that the password is the weak point. Can you do anything to address
that?

~~~
maxtaco
Passwords are bound to be weak, you are right. Running PBKDF2 only gives some
protection against password-cracking, but a well-funded adversary can overcome
that protection if the original password doesn't have enough entropy.

For passwords, I recommend using a sequence of 4-5 random words chosen from a
~20k word dictionary. This gives you about 58 to 72 bits of entropy.

I also recommend [https://oneshallpass.com](https://oneshallpass.com) for
giving random PWs to different Web sites, but that's a slightly different
problem.
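The entropy figures in the reply above (4-5 words from a ~20k-word dictionary giving roughly 58 to 72 bits) follow from `word_count * log2(dictionary_size)`. The script below is an added example, not code from the thread or from TripleSec: it works that arithmetic through, picks words with a CSPRNG-backed source rather than a weakened or non-cryptographic generator, and runs the result through PBKDF2-HMAC-SHA512 (a stand-in for the KDF the thread discusses) so the two separate levers are visible: the KDF raises the cost of every guess, but only the passphrase supplies entropy. The eight-word list and the guess rate are constructed sample values, not measurements.

```python
import hashlib
import math
import secrets

# Figures quoted in the thread: a ~20k-word dictionary, 4-5 words per passphrase.
DICTIONARY_SIZE = 20_000

# Constructed sample word list; a real dictionary would hold ~20k entries.
SAMPLE_WORDS = ["anchor", "basalt", "cobalt", "dahlia", "ember", "fjord", "garnet", "harbor"]


def passphrase_entropy_bits(dictionary_size: int, word_count: int) -> float:
    """Entropy of word_count words drawn uniformly (with replacement) from a
    dictionary of dictionary_size words: each word contributes log2(size) bits."""
    return word_count * math.log2(dictionary_size)


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def generate_passphrase(words: list, word_count: int) -> str:
    """Choose words with the secrets module (OS CSPRNG), never random.random;
    a weakened generator is the first attack listed upthread."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive guessing: on average half the space is searched."""
    return (2 ** entropy_bits) / 2 / guesses_per_second


def derive_key(passphrase: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA512 as a stand-in for the KDF under discussion. Iterations
    multiply the attacker's per-guess cost; they add no entropy of their own."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"), salt, iterations, dklen=length)


if __name__ == "__main__":
    for n in (4, 5):
        print(f"{n} words from {DICTIONARY_SIZE}: {passphrase_entropy_bits(DICTIONARY_SIZE, n):.1f} bits")
    print("words needed for 128 bits:", words_needed(DICTIONARY_SIZE, 128))

    passphrase = generate_passphrase(SAMPLE_WORDS, 5)
    salt = secrets.token_bytes(16)  # per-blob random salt, stored alongside the ciphertext
    key = derive_key(passphrase, salt, iterations=100_000)
    print("sample passphrase:", passphrase)
    print("derived key:", key.hex())

    # Constructed rate: 1e9 raw guesses/s, then the same attacker paying 100k
    # PBKDF2 iterations per guess (so roughly 1e4 guesses/s).
    bits = passphrase_entropy_bits(DICTIONARY_SIZE, 4)
    year = 365 * 86400
    print(f"4 words, no KDF cost: {expected_crack_seconds(bits, 1e9) / year:.2f} years")
    print(f"4 words, 100k iterations: {expected_crack_seconds(bits, 1e4) / year:.0f} years")
```

The `words_needed` helper is the practical check: with a 20k-word list, 58 bits needs five words, and a 128-bit target (matching the symmetric keys the cascade uses) needs nine.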

------
oakwhiz
Didn't Bruce Schneier publish a provably secure scheme in which multiple
encryption algorithms could be combined such that a weakness in any single one
of them was not sufficient to reduce the security of the message?

~~~
maxtaco
Yes, it's in Section 15.8 of the 2nd edition of Applied Cryptography. This is
basically that scheme, but we're not inflating ciphertexts as he suggests
(which is a good thing).
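To make the two constructions being compared concrete, here is an added example (not TripleSec's code, and not Schneier's text) of a plain cascade, where each cipher is applied to the previous one's output, beside the split scheme from Applied Cryptography 15.8, where a random R is encrypted under one cipher and R xor M under another, doubling the ciphertext. The "ciphers" are an HMAC-SHA256 counter-mode keystream labelled as a stand-in; it is not AES, Twofish or Salsa20, and the keys, nonce and message are constructed test values. The two `*_with_one_key` helpers show what an adversary holding only one of the keys recovers in each construction.

```python
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, label: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 run in counter mode, with a per-layer
    label so layers never share a keystream. It plays the role of a real cipher here."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, label + nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def stream_apply(key: bytes, nonce: bytes, label: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation for a stream cipher)."""
    return xor_bytes(data, keystream(key, nonce, label, len(data)))


# --- Plain cascade, as the thread describes TripleSec: C = E3(E2(E1(M))) ---
def cascade_encrypt(keys: list, nonce: bytes, msg: bytes) -> bytes:
    c = msg
    for i, k in enumerate(keys):  # keys must be independent, e.g. separate KDF outputs
        c = stream_apply(k, nonce, b"layer%d" % i, c)
    return c


def cascade_decrypt(keys: list, nonce: bytes, ct: bytes) -> bytes:
    m = ct
    for i, k in reversed(list(enumerate(keys))):
        m = stream_apply(k, nonce, b"layer%d" % i, m)
    return m


def cascade_with_one_key(keys: list, nonce: bytes, ct: bytes, known: int) -> bytes:
    """Peeling one layer leaves ciphertext under the other layers, not the message."""
    return stream_apply(keys[known], nonce, b"layer%d" % known, ct)


# --- Schneier's split scheme (Applied Cryptography, 2nd ed., section 15.8) ---
# Random R of message length; ciphertext is E1(R) || E2(R xor M), twice as long.
def split_encrypt(k1: bytes, k2: bytes, nonce: bytes, msg: bytes) -> bytes:
    r = secrets.token_bytes(len(msg))
    return stream_apply(k1, nonce, b"R", r) + stream_apply(k2, nonce, b"M", xor_bytes(msg, r))


def split_decrypt(k1: bytes, k2: bytes, nonce: bytes, ct: bytes) -> bytes:
    half = len(ct) // 2
    r = stream_apply(k1, nonce, b"R", ct[:half])
    return xor_bytes(stream_apply(k2, nonce, b"M", ct[half:]), r)


def split_with_one_key(k1: bytes, nonce: bytes, ct: bytes) -> bytes:
    """Knowing k1 alone yields R, which is independent of M and reveals nothing."""
    return stream_apply(k1, nonce, b"R", ct[: len(ct) // 2])


if __name__ == "__main__":
    keys = [secrets.token_bytes(32) for _ in range(3)]
    nonce = secrets.token_bytes(16)  # never reused with the same keys
    msg = b"constructed sample plaintext, 32 B"
    ct = cascade_encrypt(keys, nonce, msg)
    print("cascade:", len(msg), "->", len(ct), "bytes, round trip ok:", cascade_decrypt(keys, nonce, ct) == msg)
    ct2 = split_encrypt(keys[0], keys[1], nonce, msg)
    print("split  :", len(msg), "->", len(ct2), "bytes, round trip ok:", split_decrypt(keys[0], keys[1], nonce, ct2) == msg)
```

Two caveats the thread only touches on: the "weakness in one cipher doesn't hurt" argument for either construction assumes the per-cipher keys are independent (derive each from its own slice of the KDF output) and that nonces are never reused, and neither construction authenticates anything on its own, so a MAC over the final ciphertext is still needed, which is where the separate MAC-composition discussion in this thread applies.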

------
tptacek
Don't use this thing.

~~~
maxtaco
Is there any justification to your comments? Your criticisms on the crypto
have all been debunked by those who know the crypto. See here for an example:
[http://d3j5vwomefv46c.cloudfront.net/photos/large/810438785....](http://d3j5vwomefv46c.cloudfront.net/photos/large/810438785.png?1379813991)

Again, I am open to valid criticisms. Those of the form "this is stupid
because XSS isn't solved" aren't valid in my book because they are orthogonal
problems, and progress along either axis is good.

~~~
tptacek
What a weird comment. All Adam Langley seems to have to say about your system
is that you didn't use a weak cipher composition but did use a weak MAC
composition, and all I have to say in that thread is that I didn't think the
Joux multicollision attack he was referring to applied. And yet somehow,
presumably by ignoring the other cryptographers criticizing this design at the
same time, you synthesized a narrative about how "my criticisms" were
"debunked".

Here's the problem I have with your design: it doesn't make any sense to me.
So worried are you about the NSA's ability to break AES or Salsa20 --- a worry
not apparently shared by cryptographers, so far as I can tell --- that you
resurrect Bruce Schneier's 1990s-era block cipher cascade, chaining
Twofish(?!), a modified(?!) Salsa20, and AES. But so confident are you in the
safety of Javascript crypto that... you deliver that code over an AES-
encrypted TLS channel. I don't get it. What was the point of this again? How
is anything you're doing making it harder for the NSA to subvert your comms?
They're a single AES key away from rewriting your entire cryptosystem.

~~~
agwa
> a modified(?!) Salsa20

Other concerns aside, XSalsa20 is undeserving of your indignant reaction: it
was created by DJB himself and was proven by him to be secure if Salsa20 is.

~~~
maxtaco
Agwa, thanks for coming to DJB's and my defense. Unfortunately, anyone who
disagrees with tptacek gets an automatic downvote.

~~~
tptacek
You have never in your life seen me criticize anything Bernstein said. You've
once again deliberately mischaracterized something I said in order to replace
rational discussion with emotional appeals. Here you've done it on two
dimensions, first by suggesting that you're standing shoulder to shoulder with
Daniel Bernstein, which you are not, and then by attempting to personalize the
discussion to make it appear that you have a specific conflict with me, when
in fact I just pointed out upthread 3 cryptographers, all of them smarter than
me, who also had negative things to say about your design.

I don't think this style of argumentation is helping you. I think it makes it
sound like you don't have good responses to technical criticism. But that's
just me.

------
atoponce
This is cool, but it lacks plausible deniability with the header, which is
unfortunate. With that said, I'll be keeping an eye on it, and how it stands
in the crypto community.

------
marshray
Don't upvote advice without explanation.

~~~
maxtaco
Agreed. I am open to valid criticisms on the crypto and/or implementation
shortfalls, but unjustified comments don't help.

