this post was submitted on 26 Sep 2024
11 points (100.0% liked)

Technology

58513 readers
4195 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
L4s@lemmy.world
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
11
NIST proposes barring some of the most nonsensical password rules (arstechnica.com)
submitted 1 week ago by Amicitas@lemmy.world to c/technology@lemmy.world
163 comments fedilink hide all child comments
 

Here is the text of the NIST sp800-63b Digital Identity Guidelines.

you are viewing a single comment's thread
view the rest of the comments
[โ€“] Buddahriffic@lemmy.world 0 points 1 week ago (1 children)

I remember hearing to not layer encryptions or hashes on top of themselves. It didn't make any sense to me at the time. It was presented as if that weakened the encryption somehow, though wasn't elaborated on (it was a security focused class, not encryption focused, so didn't go heavy into the math).

Like my thought was, if doing more encryption weakened the encryption that was already there, couldn't an attacker just do more encryption themselves to reduce entropy?

The class was overall good, but this was still a university level CS course and I really wish I had pressed on that bit of "advice" more. Best guess at this point is that I misunderstood what was really being said because it just never made any sense at all to me.

[โ€“] orclev@lemmy.world 0 points 1 week ago

It's because layering doesn't really gain you anything so it only has downsides. It's important to differentiate encryption and hashing from here on since the dangers are different.

With hashing, layering different hashing algorithms can lead to increased collision chance and if done wrong a reduced entropy (for instance hashing a 256 bit hash with a 16 bit hashing algorithm). Done correctly it's probably fine and in fact rehashing a hash with the same algorithm is standard practice, but care should be taken.

With encryption things get much worse. When layering encryption algorithms a flaw in one can severely compromise them all. Presumably you're using the same secret across them all. If the attacker has a known piece of input or can potentially control the input a variety of potential attack vectors open up. If there's a flaw in one of the algorithms used that can make the process of extracting the encryption key much easier. Often times the key is more valuable than any single piece of input because keys are often shared across many encrypted files or data streams.