Double Encryption possible but is it more secure ?

Posted on Thu Apr 25, 2013 12:38 am

Hi,

I just tried encrypting a partition twice using two methods & it did so with no problem, but is it really more secure?

I used "Folder Lock" software to create a container & put the entire partition data in it.

Then I encrypted that partition using Windows BitLocker with a different password & it all went smoothly.

Then I tried to decrypt both of them to make sure that I do get all my data back & I did.

Thus this was a case of encrypting an encrypted container, which made me think: is it more secure if I used two different passwords for each encryption?

Need opinions please.

Thanks
dan99t
Gerbil First Class
 
Posts: 105
Joined: Thu Jan 19, 2012 7:19 am

Re: Double Encryption possible but is it more secure ?

Posted on Thu Apr 25, 2013 8:06 am

Whoever is trying to decrypt the data would have to start over on the decryption process. The two methods should use two different salt keys, which should produce two different results, assuming the algorithm is well designed. Ideally two different algorithms should be used between the container and the partition encryption.

Yes, you should use two different passwords. :)

Have you tried moving the disk to a different computer to make sure you can still decrypt the data? Preferably, a fresh one that can be destroyed after the test. DBAN is a good way to wipe a hard drive if you don't want to destroy it.
Flatland_Spider
Gerbil Elite
 
Posts: 721
Joined: Mon Sep 13, 2004 7:33 pm
Location: The 918/539

Re: Double Encryption possible but is it more secure ?

Posted on Thu Apr 25, 2013 8:44 am

As long as you use two completely different (and sufficiently long) passphrases, yes it should be more secure. But I doubt it is really worth the effort; assuming you've used decent encryption software to begin with, you're going from "very secure" to "paranoid level of security".

The only legitimate reason I can think of for doing this would be if you don't trust anyone, and want to require that two specific people be present in order to decrypt the data. Give one of the passphrases to each person, and neither one can decrypt the data themselves. But you could also accomplish nearly the same thing by encrypting the data only once, and giving half of the passphrase to each person.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 36893
Joined: Tue Aug 20, 2002 9:51 pm
Location: Somewhere, having a beer
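
One way to get the two-person requirement described above from a single encryption layer, as an added example that is not from the thread: each person keeps a full passphrase of their own, and both are needed to unwrap the one key that encrypts the data. The function names, the envelope layout and the XOR masking of the key (used only because Python's standard library has no AES key wrap) are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # assumed PBKDF2 work factor for this sketch


def derive_share(passphrase, salt):
    """Stretch one person's passphrase into a 32-byte share."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)


def _wrapping_key(share_a, share_b):
    # Depends on both shares; holding only one of them does not yield it.
    return hmac.new(share_a, b"two-person-wrap" + share_b, hashlib.sha256).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _check(data_key):
    # Key-check value so a wrong passphrase is rejected instead of
    # silently producing a wrong key.
    return hmac.new(data_key, b"key-check", hashlib.sha256).digest()


def create_envelope(pass_a, pass_b):
    """Return (data_key, envelope). Only the envelope is stored with the data."""
    data_key = secrets.token_bytes(32)      # the single key that encrypts the data
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)
    wrap = _wrapping_key(derive_share(pass_a, salt_a),
                         derive_share(pass_b, salt_b))
    envelope = {
        "salt_a": salt_a,
        "salt_b": salt_b,
        "wrapped_key": _xor(data_key, wrap),   # wrap key masks this one value only
        "check": _check(data_key),
    }
    return data_key, envelope


def open_envelope(envelope, pass_a, pass_b):
    """Recover the data key, or None unless both passphrases are correct."""
    wrap = _wrapping_key(derive_share(pass_a, envelope["salt_a"]),
                         derive_share(pass_b, envelope["salt_b"]))
    data_key = _xor(envelope["wrapped_key"], wrap)
    if not hmac.compare_digest(_check(data_key), envelope["check"]):
        return None
    return data_key


if __name__ == "__main__":
    # Constructed sample passphrases.
    key, env = create_envelope("first holder passphrase", "second holder passphrase")
    print(open_envelope(env, "first holder passphrase", "second holder passphrase") == key)
    print(open_envelope(env, "first holder passphrase", "a guess"))
```

Because the passphrases only protect the wrapped key, either person can change theirs by re-wrapping the key, without re-encrypting the data.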

Re: Double Encryption possible but is it more secure ?

Posted on Thu Apr 25, 2013 8:48 am

It's not likely to be less secure, but that doesn't mean it's enough of an improvement to make it worth the trouble of a second password to keep track of. Also the standard recommendation is full disk encryption, which I think BitLocker can do, since then you don't need to worry as much about quirks in the operating system foiling your attempt to encrypt files.

What do you want to use encryption to protect from?
peartart
Gerbil
 
Posts: 41
Joined: Wed Mar 21, 2012 2:01 pm

Re: Double Encryption possible but is it more secure ?

Posted on Thu Apr 25, 2013 10:55 am

peartart wrote:What do you want to use encryption to protect from?

This is the exact reason why thread-spawning is not helpful. :-?

OP: As mentioned in your original thread, there is no "100% absolute secure" encryption. Poor key management and other attack vectors (including the much more effective social engineering one) are always in effect. You can really just increase the time+effort+cost of brute-force decrypting the data against people who are doing it brute force. And for that, unless you are dealing with state-sponsored agencies, tools like TrueCrypt are usually good enough. I use TrueCrypt as well with key and password, and I make sure I keep them separate during transport (seriously all bets are off once the data is decrypted on the other end, unless the other end is not connected and you can erase the memories of the operator who touches the system).
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
Flying Fox
Gerbil God
 
Posts: 24141
Joined: Mon May 24, 2004 1:19 am

Re: Double Encryption possible but is it more secure ?

Posted on Thu Apr 25, 2013 5:51 pm

http://xkcd.com/538/

This answers the question of whether double-encryption would make a difference. :)
NovusBogus
Gerbil XP
 
Posts: 410
Joined: Sat Jan 05, 2013 11:37 pm

Re: Double Encryption possible but is it more secure ?

Posted on Thu Apr 25, 2013 7:13 pm

NovusBogus wrote:http://xkcd.com/538/

This answers the question of whether double-encryption would make a difference. :)


Yup- two levels of encryption is still just one factor of authentication.
Canon 6D||[24-105/4L IS USM|100/2.8L Macro IS USM|70-300/4-5.6 IS USM|40/2.8 STM|50/1.4 USM|85/1.8 USM|Samyang/Bower 14/2.8 Full-Manual Rectilinear Wide-angle|
Canon EOS-M|11-22/4-5.6 IS STM|22/2 STM|EF-M 18-55/3.5-5.6 IS STM|
For sale!|24/2.8 IS USM
|
Airmantharp
Maximum Gerbil
 
Posts: 4694
Joined: Fri Oct 15, 2004 9:41 pm

Re: Double Encryption possible but is it more secure ?

Posted on Thu Apr 25, 2013 10:01 pm

just brew it! wrote:As long as you use two completely different (and sufficiently long) passphrases, yes it should be more secure. But I doubt it is really worth the effort; assuming you've used decent encryption software to begin with, you're going from "very secure" to "paranoid level of security".


He hasn't asked about blind drops and obfuscating communications or the origin of a package, so I don't think he's reached paranoid just yet.
Flatland_Spider
Gerbil Elite
 
Posts: 721
Joined: Mon Sep 13, 2004 7:33 pm
Location: The 918/539

Re: Double Encryption possible but is it more secure ?

Posted on Fri Apr 26, 2013 2:39 am

Does it get harder to decrypt?

Regarding plain old theoretical cryptographical attacks, i.e., a nice playing attacker that has your encrypted data and also knows some bits of the plaintext: Yes, somewhat.

- Does it make sense in real life? Only if you consider attackers at the level of large governmental institutions like the NSA, GCHQ, Mossad and whatever the Russians have. SUPPOSING those institutions have a VERY HIGH interest in your data, we are talking state secrets and nuclear launch codes here. If they do, you obviously have other problems.

- Would it make a difference? Do you have the (military) power to protect you from them physically? If not, see http://xkcd.com/538/.

Stop trying to evaluate the most secure way to encrypt some data. Any product you can use worth its salt will implement secure enough crypto. If you have enemies motivated enough to go for that data, they will NOT attack the crypto. They will attack:
- your PASSWORD (it's not your birthday is it?),
- your systems, i.e., your network or even your PCs directly by installing a trojan or w/e,
- YOU.
Rübenschwein
Gerbil In Training
Gold subscriber
 
 
Posts: 7
Joined: Tue Dec 11, 2012 3:28 am

Re: Double Encryption possible but is it more secure ?

Posted on Fri Apr 26, 2013 4:05 am

Double encryption can work, but if you Do It Wrong then it becomes easier to crack. It's best to use a reliable method of regular, single encryption.
Sheep Rustlers in the sky! <S> Slapt | <S> FUI | Air Warrior II/III
FireGryphon
Darth Gerbil
Gold subscriber
 
 
Posts: 7282
Joined: Sat Apr 24, 2004 6:53 pm
Location: the abyss into which you gaze

Re: Double Encryption possible but is it more secure ?

Posted on Fri Apr 26, 2013 6:24 am

just brew it! wrote:As long as you use two completely different (and sufficiently long) passphrases, yes it should be more secure. But I doubt it is really worth the effort; assuming you've used decent encryption software to begin with, you're going from "very secure" to "paranoid level of security".

The only legitimate reason I can think of for doing this would be if you don't trust anyone, and want to require that two specific people be present in order to decrypt the data. Give one of the passphrases to each person, and neither one can decrypt the data themselves. But you could also accomplish nearly the same thing by encrypting the data only once, and giving half of the passphrase to each person.


You are right about giving half of the passphrase, but that is not what I had in mind.

The more I read on this subject, the less convinced I am that there is one single software that will do the job.

Can you comment on the following?

All of the software we discussed do only File System Encryption OR Folder Encryption & not encrypting the files themselves.

If so, what is the solution?
dan99t
Gerbil First Class
 
Posts: 105
Joined: Thu Jan 19, 2012 7:19 am

Re: Double Encryption possible but is it more secure ?

Posted on Fri Apr 26, 2013 6:29 am

It doesn't really matter when the root kit is just copying your data in the clear over the Internet...
notfred
Grand Gerbil Poohbah
 
Posts: 3647
Joined: Tue Aug 10, 2004 9:10 am
Location: Ottawa, Canada

Re: Double Encryption possible but is it more secure ?

Posted on Fri Apr 26, 2013 6:38 am

Flying Fox wrote:
peartart wrote:What do you want to use encryption to protect from?

This is the exact reason why thread-spawning is not helpful. :-?

OP: As mentioned in your original thread, there is no "100% absolute secure" encryption. Poor key management and other attack vectors (including the much more effective social engineering one) are always in effect. You can really just increase the time+effort+cost of brute-force decrypting the data against people who are doing it brute force. And for that, unless you are dealing with state-sponsored agencies, tools like TrueCrypt are usually good enough. I use TrueCrypt as well with key and password, and I make sure I keep them separate during transport (seriously all bets are off once the data is decrypted on the other end, unless the other end is not connected and you can erase the memories of the operator who touches the system).


Thread spawning wasn't my intent at all & I sincerely apologize if it came out like that.

I am just exploring & experimenting this subject with true intent of learning & eventually using ideas from this great forum.

I am learning a lot from every response & am truly grateful to you all.
dan99t
Gerbil First Class
 
Posts: 105
Joined: Thu Jan 19, 2012 7:19 am

Re: Double Encryption possible but is it more secure ?

Posted on Fri Apr 26, 2013 6:41 am

dan99t wrote:If so, what is the solution?

Don't connect to the internet. Don't send HDDs over mail/courier. Don't tell the other guy your secret. Don't even record the information electronically. Fry+scramble your brain cells so even you don't remember what the data is (if you just kill yourself maybe there are residual patterns that can be extracted from the dead brain cells), or maybe, just vapourize yourself. That will be 100% absolute.

But if you have to go that far, what's the point?
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
Flying Fox
Gerbil God
 
Posts: 24141
Joined: Mon May 24, 2004 1:19 am

Re: Double Encryption possible but is it more secure ?

Posted on Fri Apr 26, 2013 6:54 am

Flying Fox wrote: Fry+scramble your brain cells so even you don't remember what the data is (if you just kill yourself maybe there are residual patterns that can be extracted from the dead brain cells), or maybe, just vapourize yourself. That will be 100% absolute.


Or even better, go back in time and erase yourself from existence.
Venii, vidii, vicii
Wii came, Wii saw , Wii conquered
Sargent Duck
Grand Gerbil Poohbah
Silver subscriber
 
 
Posts: 3059
Joined: Thu Mar 13, 2003 7:05 pm
Location: In my secret cave that has bats

Re: Double Encryption possible but is it more secure ?

Posted on Fri Apr 26, 2013 6:55 am

Sargent Duck wrote:Or even better, go back in time and erase yourself from existence.

Only happens when you get hit by the light from the cracks in the universe.
Usacomp2k3
Gerbil God
 
Posts: 21240
Joined: Thu Apr 01, 2004 3:53 pm
Location: Orlando, FL

Re: Double Encryption possible but is it more secure ?

Posted on Fri Apr 26, 2013 6:58 am

NovusBogus wrote:http://xkcd.com/538/

This answers the question of whether double-encryption would make a difference. :)


Information with entertainment. What more can I ask for.

Please keep it coming.
dan99t
Gerbil First Class
 
Posts: 105
Joined: Thu Jan 19, 2012 7:19 am

Re: Double Encryption possible but is it more secure ?

Posted on Fri Apr 26, 2013 9:19 am

dan99t wrote:All of the software we discussed do only File System Encryption OR Folder Encryption & not encrypting the files themselves.

Not sure what your point is here. With products like Bitlocker, the entire file system (the disk partition, actually) is encrypted; therefore the files it contains are implicitly encrypted as well.

Are you saying that you would rather have something that lets you encrypt individual files, possibly with different passphrases for different files?
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 36893
Joined: Tue Aug 20, 2002 9:51 pm
Location: Somewhere, having a beer

Re: Double Encryption possible but is it more secure ?

Posted on Fri Apr 26, 2013 10:41 am

In his other thread, dan99t wrote:When you open a fully encrypted disk OR a partition that is encrypted, is the data now decrypted and does it act just like regular non-encrypted data?

Also if I copy some data from an encrypted partition to another HDD or removable media, is that data in decrypted form & does it act like regular data?

Also how vulnerable is the disk that was encrypted but you opened it to work on it?
So the OP worries about ease of use, copying, and on the other end when the other party "work on it".
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
Flying Fox
Gerbil God
 
Posts: 24141
Joined: Mon May 24, 2004 1:19 am

Re: Double Encryption possible but is it more secure ?

Posted on Fri Apr 26, 2013 11:01 am

Focus on the weak aspects of encryption: Humans. Focus on how you store your keys. Who has physical access to any device you use?

These are areas that will be penetrated far faster than any modern tested encryption method.

It means a lot of hassle, too. Who really has full ownership 24/7 of those keys except memory? And then who really checks ports/software for keyloggers every use?
indeego
Gerbil First Class
Silver subscriber
 
 
Posts: 110
Joined: Thu Feb 27, 2003 7:42 am

Re: Double Encryption possible but is it more secure ?

Posted on Fri Apr 26, 2013 11:11 am

FWIW, layering encryption to increase the time to compromise is what 3DES does.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3450
Joined: Thu Dec 27, 2001 6:00 pm
Location: Marietta, GA

Re: Double Encryption possible but is it more secure ?

Posted on Fri Apr 26, 2013 11:42 am

Ryu Connor wrote:FWIW, layering encryption to increase the time to compromise is what 3DES does.

Yes. But there's not much point unless you're using an obsolete (and therefore easier to crack) form of encryption like DES in the first place.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 36893
Joined: Tue Aug 20, 2002 9:51 pm
Location: Somewhere, having a beer

Re: Double Encryption possible but is it more secure ?

Posted on Fri Apr 26, 2013 11:58 am

just brew it! wrote:
Ryu Connor wrote:FWIW, layering encryption to increase the time to compromise is what 3DES does.

Yes. But there's not much point unless you're using an obsolete (and therefore easier to crack) form of encryption like DES in the first place.

For the record, 3DES is now officially deprecated in the financial institution world. Doesn't mean it isn't still used, but it's day job time to go hunting for existing implementations and nicely ask them to get rid of it.
There are people that embrace the Oxford comma and people who don't. Never get between these people when drink has been taken. I use the Oxford comma and always will. The rest can sod off.
Captain Ned
Global Moderator
Gold subscriber
 
 
Posts: 19740
Joined: Wed Jan 16, 2002 6:00 pm
Location: Vermont, USA

Re: Double Encryption possible but is it more secure ?

Posted on Fri Apr 26, 2013 11:59 am

Keep in mind the age of DES. 1979 for 56bit DES and 1998 for 3DES.

40 and 56bit was still relevant even in the late 90s. It wasn't until 2000 or so that the limited export of cryptography was lifted allowing for 128bit encryptions or greater to leave the US. It wasn't until October of 2000 that AES finally won the competition to replace DES.

My point is that layering encryption has precedent as a method to improve difficulty. Taking 3DES and applying it to 2013 misses my point.

Since such pedantry is in the air, let me also detail that my statement doesn't mean I condone what dan99t is doing.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3450
Joined: Thu Dec 27, 2001 6:00 pm
Location: Marietta, GA

Re: Double Encryption possible but is it more secure ?

Posted on Fri Apr 26, 2013 12:08 pm

Ryu Connor wrote:My point is that layering encryption has precedent as a method to improve difficulty. Taking 3DES and applying it to 2013 misses my point.

Perhaps you missed my point -- i.e., provided you're using a good (and current) encryption algo to begin with, there's generally no reason to double- or triple-encrypt. So unless he's worried about keeping the contents of this drive secure for several times the likely lifetime of the drive itself, there's little benefit.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 36893
Joined: Tue Aug 20, 2002 9:51 pm
Location: Somewhere, having a beer

Re: Double Encryption possible but is it more secure ?

Posted on Fri Apr 26, 2013 12:09 pm

Did I not just state that I don't condone what he's doing?

I fully understand the relevance of your point. It doesn't negate my point nor does it imply that I condone his actions as sound.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3450
Joined: Thu Dec 27, 2001 6:00 pm
Location: Marietta, GA

Re: Double Encryption possible but is it more secure ?

Posted on Sat Apr 27, 2013 7:12 am

Captain Ned wrote:
just brew it! wrote:
Ryu Connor wrote:FWIW, layering encryption to increase the time to compromise is what 3DES does.

Yes. But there's not much point unless you're using an obsolete (and therefore easier to crack) form of encryption like DES in the first place.

For the record, 3DES is now officially deprecated in the financial institution world. Doesn't mean it isn't still used, but it's day job time to go hunting for existing implementations and nicely ask them to get rid of it.


Hi,
while AES is a more secure and newer encryption standard, 3DES should be more than enough to protect even classified data: it provides 112 bits of security that, combined with the intrinsic resilience of the DES algorithm, should be very difficult to crack.

Do you have any reference pointing to the financial institutions migrating away from 3DES? In my experience, while AES-128 is both stronger and faster than a plain software-based 3DES implementation, many mid-large corporations use VPN concentrators with hardware 3DES acceleration and so are reluctant to switch to other protocols.

Regards.
www.ilsistemista.net - test & bench :)
shodanshok
Gerbil
 
Posts: 23
Joined: Thu May 31, 2012 2:39 am
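
Why a second layer of the same kind of cipher with its own key adds roughly one bit of search effort rather than doubling the key length, and why three-key 3DES is rated at the 112 bits quoted above: a meet-in-the-middle search over a constructed 16-bit-key toy cipher, given two known plaintext/ciphertext blocks. This is an added example, not code from the thread; the cipher, keys and sample blocks are invented for the illustration.

```python
"""Meet-in-the-middle against double encryption, on a constructed toy cipher."""

KEY_BITS = 16      # toy key size, small enough to enumerate every key
MASK = 0xFFFF      # the toy cipher works on two 16-bit halves (32-bit block)
ROUNDS = 4


def _f(half, subkey):
    """Toy Feistel round function. Illustration only, NOT a secure design."""
    y = ((half ^ subkey) * 0x6487 + 0x01B3) & MASK
    return ((y << 7) | (y >> 9)) & MASK


def _subkey(key, rnd):
    return (key * (2 * rnd + 1) + rnd * 0x3C6F) & MASK


def encrypt(key, block):
    left, right = block >> 16, block & MASK
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(right, _subkey(key, rnd))
    return (left << 16) | right


def decrypt(key, block):
    left, right = block >> 16, block & MASK
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _f(left, _subkey(key, rnd)), left
    return (left << 16) | right


def double_encrypt(k1, k2, block):
    """Two layers with independent keys: 32 key bits in total."""
    return encrypt(k2, encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Find (k1, k2) consistent with known (plaintext, ciphertext) pairs.

    Returns (candidates, ops), where ops counts the single-layer cipher
    calls made while searching (re-checking the few matches is excluded).
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    ops = 0
    middle = {}                      # E_k1(p0) -> every k1 producing it
    for k1 in range(1 << KEY_BITS):
        middle.setdefault(encrypt(k1, p0), []).append(k1)
        ops += 1
    candidates = []
    for k2 in range(1 << KEY_BITS):
        ops += 1
        for k1 in middle.get(decrypt(k2, c0), ()):
            # A match on one block can be a coincidence; confirm on the rest.
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates, ops


if __name__ == "__main__":
    k1, k2 = 0xBEEF, 0x1234                      # constructed sample keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x00C0FFEE, 0x0BADF00D)]
    found, ops = meet_in_the_middle(pairs)
    print("recovered:", [(hex(a), hex(b)) for a, b in found])
    print(f"cipher calls: {ops} (2^17); trying every key pair: {1 << 32} (2^32)")
```

The price is memory for one table entry per first-layer key. None of this touches passphrase guessing, which goes around the cipher altogether.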

Re: Double Encryption possible but is it more secure ?

Posted on Sat Apr 27, 2013 7:14 am

Ryu Connor wrote:FWIW, layering encryption to increase the time to compromise is what 3DES does.


Sure. Moreover, the standard GNU C crypt(3) function uses a 25-fold DES encryption scheme, among other protocols as well (MD5, SHA1, etc.).

http://en.wikipedia.org/wiki/Crypt_(C)
www.ilsistemista.net - test & bench :)
shodanshok
Gerbil
 
Posts: 23
Joined: Thu May 31, 2012 2:39 am

Re: Double Encryption possible but is it more secure ?

Posted on Sat Apr 27, 2013 8:38 am

I feel that the primary purpose of data encryption is to keep honest people honest. It will not stop a determined group or individual from obtaining your data or at least destroying the data (denial of service), and if you are paranoid enough you will probably have no back-ups.

Unless you have state and trade secrets on hand, you shouldn't have to go to great lengths to protect and encrypt your data. The vast majority can get by with standard encryption schemes and suites to protect their personal information as long as you deal with parties that you can trust. Don't deal with shady emails and groups (phishing schemes).

Physical security is the final and most important layer of defence. It doesn't matter how good your encryption scheme is. An attacker who has sufficient motivation will circumvent the encryption or destroy the data out of spite.
Ivy Bridge i5-3570K@4.0Ghz, Gigabyte Z77X-UD3H, 2x4GiB of PC-12800, EVGA 660Ti, Corsair CX-600 and Fractal Refined R4 (W). Kentsfield Q6600@3Ghz, HD 4850 2x2GiB PC2-6400, Gigabyte EP45-DS4P, OCZ Modstream 700W, and PC-7B.
Krogoth
Maximum Gerbil
Silver subscriber
 
 
Posts: 4380
Joined: Tue Apr 15, 2003 2:20 pm
Location: somewhere on Core Prime

Re: Double Encryption possible but is it more secure ?

Posted on Sun Apr 28, 2013 12:08 pm

One thing you could do if you just really want more than single-password encryption is look into TrueCrypt's hidden volume feature, where you can have an encrypted file/drive/whatever whose empty-space 'noise' is actually a second drive and which one you get when you mount the drive depends on which of two passwords you feed TrueCrypt. The idea is that you can load the outer volume with things that are embarrassing or socially deviant but not (or less) illegal in your jurisdiction so that if/when you are forced to reveal the password you can convincingly say that this is what you have. The crypto is never the weak point so plausible deniability is infinitely more useful than fretting about fancypants algorithms.

Another thing you could look at depending on how much data you've got is an enterprise-class secure USB stick with a hardware-based security system. I have a 4GB Lexar drive (sadly discontinued it seems) that bricks itself after five incorrect attempts, it's not very big but great for passwords and financial stuff. Obviously you need to be triply careful to remember the PW with one of these since you can't just guess until you get the right one.
NovusBogus
Gerbil XP
 
Posts: 410
Joined: Sat Jan 05, 2013 11:37 pm
