I may be wrong as I'm no security researcher, but I was under the impression that combining things like this (and rolling your own crypto in general) could potentially make things weaker. Is this the case here?
There is no way this construction is weaker than the weakest of the three. To convince yourself of this, assume one of the ciphers is 100% broken and spits out all 0s. Then you're XOR'ing your ciphertext with all 0s (or some other known pad). So it's just a noop. As the FAQ says, because one cipher is not used as the input to another, there's no way a weakness can spread up or down the chain.
There was a discussion on twitter among cryptographers/security practitioners (search for @agl___), and in spite of some unnecessary flaming, we are almost certain now that the cipher cascade and the MAC scheme are both as strong as their strongest components.
Combining algorithms, if done properly, isn't necessarily going to make things weaker. But doing it properly isn't trivial (which goes for crypto in general) and the more complex the construction, the more opportunities for screwing it up.
But at the end of the day it's still trying to solve the wrong problem. The chance of a well studied algorithm like AES having a significant weakness is much, MUCH lower than the chance that a particular program using it has a security flaw. Any effort spent layering Twofish and Salsa20 on top of AES would almost certainly be better spent making sure the usage of AES is totally secure.
It wasn't trivial to write TripleSec, which I why we did it and open-sourced it.
Any encrypted data you put onto a remote-server will live there forever, so your encryption has to be future-proof. I think it pays to hedge your bets here.
All of our implementations are tested against known test vectors. Side-channel attacks could be a problem though.
I've been under the assumption from reading some crypto over the years that in particular what your thinking of is applying the "same" crypto multiple times. Offering the same cryptography scheme multiple times is horribly bad. Like 3DES is horribly bad when implemented because it eats up the keyspace reducing the issue for it.
If the schemes of cryptography that you use do not reduce the amount of permutations/possibilities that you are using I see no reason why it wouldn't at least add a bit of extra difficulty in attaining the calculations behind the results.
This does sound like the right way to deal with cryptography with Javascript as pointed out by Triplesec:
"authenticates with HMAC to protect against (adaptive) chosen-ciphertext attacks; and supplements the native entropy sources (window.crypto.getRandomValues in the browser and crypto.rng in Node.js) for fear they are weak."
But, I would still like to hear someone who knows more about using these three schemes back to back. Sometimes the permutations are effected in weird ways.
Passwords are bound to be weak, you are right. Running PBKDF2 only gives some protection against password-cracking, but a well-funded adversary can overcome that protection if the original password doesn't have enough entropy.
For passwords, I recommend using a sequence of 4-5 random words chosen from a ~20k word dictionary. This gives you about 58 to 72 bits of entropy.
I also recommend https://oneshallpass.com for giving random PWs to different Web sites, but that's a slightly different problem.
Passwords have always been a weak point. This has been widely discussed for the last two decades of security research. Solving the password dilemma is not his or her intention.
1) How do you do that? His random generator is not even controlled by him, it's a bunch of open source browsers.
2) That's basically bruteforcing. Considering he is running pbkdf2 thousands of times, good luck with that. You might get lucky with 5-6 character passwords and a bunch of servers.
3) How?
4) Passwords are usually stored either nowhere (inside user's head) or a program like KeePass. Good luck breaking either.
5) What would that give you? It's still triple-encrypted.
Again, I am open to valid criticisms. Those of the form "this is stupid because XSS isn't solved" aren't valid in my book because they are orthogonal problems, and progress along either axis is good.
What a weird comment. All Adam Langley seems to have to say about your system is that you didn't use a weak cipher composition but did use a weak MAC composition, and all I have to say in that thread is that I didn't think the Joux multicollision attack he was referring to applied. And yet somehow, presumably by ignoring the other cryptographers criticizing this design at the same time, you synthesized a narrative about how "my criticisms" were "debunked".
Here's the problem I have with your design: it doesn't make any sense to me. So worried are you about the NSA's ability to break AES or Salsa20 --- a worry not apparently shared by cryptographers, so far as I can tell --- that you resurrect Bruce Schneier's 1990s-era block cipher cascade, chaining Twofish(?!), a modified(?!) Salsa20, and AES. But so confident are you in the safety of Javascript crypto that... you deliver that code over an AES-encrypted TLS channel. I don't get it. What was the point of this again? How is anything you're doing making it harder for the NSA to subvert your comms? They're a single AES key away from rewriting your entire cryptosystem.
The adversary we are most worried about is a government agency in 2023 demanding a large Website turnover of all live data, backup data, and backup tapes. If a weakness in AES is found sometime before then, the agency can decipher secret data offline and in parallel, regardless of when it was uploaded to the server. In other words, the attack window for encrypted data stored on a server is infinite. If we're encouraging the upload of encrypted data to the server, the encryption has to be future proof, since server-side data is in practice never thrown away.
In the attack you mentioned, the secrecy of TLS via AES isn't at issue since there is nothing secret about our open-source libraries. If the integrity of TLS is broken (due to a real-time exploitable weakness of SHA1-HMAC or of the public key system used in session negotiation), then only those who upload data in the attack window are vulnerable. Those who downloaded and used TripleSec code before the discovery of the attack are not at risk, and of course those who use it after TLS is fixed are also OK.
Finally, I see no problems with older (i.e., 90s era) crypto constructions that haven't been broken. RSA from the 70s is still useful. The cipher cascade here is essentially a one-time pad, so predates Schneier and is better attributed to Shannon 1949: http://netlab.cs.ucla.edu/wiki/files/shannon1949.pdf
Nobody has told you that cipher cascades are insecure. They're just silly.
The problem with your threat model is that it handwaves away the actual NSA threat --- that they will actively intercept your data and decrypt it on the fly by breaking TLS --- and then doubles down on an imaginary threat (that they will break AES and Salsa20 but find themselves foiled by the cascade that added Twofish). Then you take that weird construction and advertise it as a way for developers to NSA-proof their applications. Cryptocat does a better job!
Also, again: Twofish? Huh?
Here's what Nate Lawson had to say about this system:
Item! NSA is attacking implementations, of which there are too many and too diffuse an interest from cryptographers to secure.
Solution! another implementation of JS crypto, with triple redundancy for the only thing the NSA can't break.
Or, how about Matthew Green?
People: while I appreciate that you are earnest, we do not need to encrypt with AES+Salsa20+Twofish. Especially not in Javascript.
Composing three ciphers in Javascript crypto is like building a survival bunker, then locking your keys inside.
But who knows, maybe they don't "know the crypto" either.
And, for what it's worth, when you wrote your dismissive (and incorrect) blurb about my "rant" about Javascript cryptography, you might have considered reading Nate Lawson's as well. For that matter, you might try to find any professional cryptographer with something good to say about doing crypto in browser Javascript.
Well, I am done here. I imagine if we ever met each other in person we'd find each other reasonable people, but over these channels it's not coming across. Until then, good luck.
And I can't resist: you'd be hard pressed to find a better cryptographer than Dan Boneh, one of the authors of SJCL.
Have you read the front page of SJCL? It includes a warning about the relative insecurity of browser Javascript cryptography.
You do this a lot: weird little namedrops (Langley, Boneh) that aren't quite saying what you want them to say, and smug dismissals, such as your characterization of "my rant" about Javascript cryptography as (a) the sum total of all arguments against Javascript crypto and (b) disproven by modern browsers†, or things like "look at what Adam Langley, who knows the crypto, says". What's more annoying is that you use both tactics as a smokescreen, as if to suggest that you were responding to the criticisms I've offered, when you are in fact dodging them.
You want more consideration from me than you're willing to extend to me. No, I don't think the conversation would be much different in person.
That's fine, by the way. I'm not a gatekeeper and you don't need my approval to do anything. I simply stand by my recommendation: I don't right now think people should use the tool you've built, or anything like it.
† You've since edited this page, but we both know what it said.
Other concerns aside, XSalsa20 is undeserving of your indignant reaction: it was created by DJB himself and was proven by him to be secure if Salsa20 is.
You have never in your life seen me criticize anything Bernstein said. You've once again deliberately mischaracterized something I said in order to replace rational discussion with emotional appeals. Here you've done it on two dimensions, first by suggesting that you're standing shoulder to shoulder with Daniel Bernstein, which you are not, and then by attempting to personalize the discussion to make it appear that you have a specific conflict with me, when in fact I just pointed out upthread 3 cryptographers, all of them smarter than me, who also had negative things to say about your design.
I don't think this style of argumentation is helping you. I think it makes it sound like you don't have good responses to technical criticism. But that's just me.
Didn't Bruce Schneier publish a provably secure scheme in which multiple encryption algorithms could be combined such that a weakness in any single one of them was not sufficient to reduce the security of the message?
Yes, it's in Section 15.8 of the 2nd edition of Applied Cryptography. This is basically that scheme, but we're not inflating ciphertexts as he suggests (which is a good thing).
This is cool, but it lacks plausible deniability with the header, which is unfortunate. With that said, I'll be keeping an eye on it, and how it stands in the crypto community.
Edit: Reading it more, I'm more convinced. It looks like there was a discussion a few days ago: https://news.ycombinator.com/item?id=6401057