Superencryption is a way of securing data by combining two or more cryptographic algorithms. In other words, it is the act of encrypting an already encrypted message.
Encryption is the standard method used to scramble data to render it unreadable by unauthorized parties. Traditional cryptography includes the use of one encryption algorithm. The concept of adding multiple layers of encryption was conceived in the 1980s to add multiple layers of security to already encrypted messages.
How superencryption works
Superencryption, also known as cascade encryption or multiple encryption, re-encrypts results from an encryption algorithm to create a stronger, more secure ciphertext. This makes the original plaintext much harder and more time-consuming to decrypt.
Superencryption uses two encryption algorithms in succession to further secure data against breaches and attacks. By running data through an encryption algorithm, the original information becomes encoded and very difficult to decipher. When the encoded message is encrypted through multiple algorithms, the resulting ciphertext is significantly more difficult to revert to the original plaintext.
Cascade encryption uses several different encryption algorithms. Effective combinations include:
- Monoalphabetic & XOR: This is a particularly strong combination with monoalphabetic (classical encryption) used in conjunction with XOR (a more modern encryption algorithm). In essence, monoalphabetic switches each letter in the plaintext (original message) by using a secret key. XOR, on the other hand, transforms the plaintext into decimal numbers and then converts those numbers into binaries. Thus, to super-encrypt the original message, one would first generate a monoalphabetic and then re-encrypt it with XOR.
- WAKE & IDEA: IDEA (International Data Encryption Algorithm) and WAKE (Word Auto Key Encryption) algorithms have solid security processes but when used in combination, they provide much higher security. As with the previous combination, two different keys are used, making the job of deciphering the original message more difficult and time-consuming.
One important feature for enhancing the security of cascade encryption is the use of different keys. Picking any two ciphers, if the key used is the same for both, the second cipher could possibly undo the first cipher, partly or entirely. This is true of ciphers where the decryption process is exactly the same as the encryption process—the second cipher would completely undo the first. If an attacker were to recover the key through cryptanalysis of the first encryption layer, the attacker could possibly decrypt all the remaining layers, assuming the same key is used for all layers. To prevent that risk, one can use keys that are statistically independent for each layer.
In its Cryptographic Message Syntax draft, the National Security Agency mentions superencryption as a standard procedure. In addition, the Agency used two layers of encryption algorithms in its secure mobile phone, Fishbowl. The phones use two layers of encryption protocols, IPsec and Secure Real-time Transport Protocol (SRTP), to protect voice communications.
Actually, Fishbowl is an implementation of the Rule of Two principle. The Rule of Two is a data security principle from the NSA's Commercial Solutions for Classified Program (CSfC). It specifies two completely independent layers of cryptography to protect data. For example, data could be protected by both hardware encryption at its lowest level and software encryption at the application layer.
The importance of vendor and/or model diversity between the layers of components centers around removing the possibility that the manufacturers or models will share a vulnerability. This way if one component is compromised there is still an entire layer of encryption protecting the information at rest or in transit.
Security of superencryption
The security of cascade encryption is an important and well-studied problem in theoretical cryptography with practical implications. Many results investigating the power of the cascade construction have been published. These results prove that double encryption does not significantly improve the security over single encryption due to the meet-in-the-middle attack. Researchers Even and Goldreich have proved that a cascade of ciphers is at least as strong as the strongest of the ciphers against attacks that are restricted to operating on full blocks.
As a result, triple encryption seems like the shortest reasonable cascade. In a recent paper, Bellare and Rogaway showed that in the ideal cipher model, triple encryption is significantly more secure than single and double encryption, leaving the security of longer cascades as an open question.
Triple encryption is the basis of all modern encrypted email services, such as Tutanota and ProtonMail. At first, the plaintext is encrypted using RSA encryption. The second layer of encryption is applied using AES and finally, the transport of the encrypted message is secured with TLS.
Although superencryption appears more secure than standard, single-algorithm encryption, it is still being developed and tested. Organizations need to research new encryption approaches carefully and consider how each may help protect against cyber threats, data theft, and other cryptographic attacks.