Page 226 of Applied Cryptography. "Cryptanalysis relies on exploiting redundancies in the plaintext; compressing a file before encryption reduces these redundancies..." furthermore "The important thing to remember is to compress before encryption. If the encryption algorithm is any good, the ciphertext will not be compressible; it will look like random data."

It is more work if a secondary algorithm adds noise. It's like tuning a radio to a station in another language by ear, while a jackhammer is going off. Sure, you may hear enough to get close just to tuning it to a station if you can hear anything at all. The sound of the radio is still there. Unfortunately, it's mixed in with other noise.

If that example doesn't jibe, think of it like trying to read text across a mirror. It comes up backwards, but if you put some concentration behind it, sure, it's easier. Now put on a pair of glasses that aren't yours, maybe something that fish-eyes. It gets even harder. The information is there still, you just can't perceive it properly unless you break one of the "encryptions", namely reversing the effect of the fisheye first.

In both cases, it's twice the work to get to what you once had. Encrypting twice, as long as the tail end of the pipe (weak encrypt then hard encrypt) makes plaintext attacks harder. It compounds the problem.

You don't have to trust me. I don't have over 2 decades of experience quite yet, but coming close. I am not a "crypto freak", though I am familiar with the topic through various studies. It is why I haven't disagreed with you since I do recognize things like MAC, or just not presenting the data at all. If it's not there, hiding even the clue that you are mapping a user (which by using a cookie, you kinda are breaking that rule), you have nothing to worry about. But, I do trust people like Bruce Schneier (author of A.C.) and various professors, who have minimally 13 years more experience and/or specializations in the topic.

Bart: God, Schmod. I want my monkey-man.


In reply to Re^9: Is this a secure way to prevent cookie tampering by exussum0
in thread Is this a secure way to prevent cookie tampering by EvdB
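
The ordering point in the passage quoted from Applied Cryptography can be measured directly. The following is an added example, not part of the original post: it compares compress-then-encrypt with encrypt-then-compress on a constructed cookie-like payload. `keystream_xor`, `compare_orders`, `round_trip`, `SAMPLE` and `KEY` are hypothetical names, and the SHA-256 counter keystream is only a stand-in for a real cipher.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with SHA-256(key || counter) blocks.

    Illustration only: no nonce, no integrity tag, not for real use.
    The same call encrypts and decrypts.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def compare_orders(plaintext: bytes, key: bytes) -> dict:
    """Return output sizes for both orderings of compression and encryption."""
    compress_then_encrypt = keystream_xor(key, zlib.compress(plaintext, 9))
    encrypt_then_compress = zlib.compress(keystream_xor(key, plaintext), 9)
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(compress_then_encrypt),
        "encrypt_then_compress": len(encrypt_then_compress),
    }


def round_trip(plaintext: bytes, key: bytes) -> bytes:
    """Compress, encrypt, then reverse both steps to recover the input."""
    ciphertext = keystream_xor(key, zlib.compress(plaintext, 9))
    return zlib.decompress(keystream_xor(key, ciphertext))


# Constructed sample: a highly redundant cookie-style string, repeated.
SAMPLE = b"user=alice;role=reader;theme=dark;lang=en;" * 40
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    for name, size in compare_orders(SAMPLE, KEY).items():
        print(f"{name:24s}{size:6d} bytes")
```

Compressing first shrinks the redundant input before it is encrypted; compressing the ciphertext gains nothing because the compressor finds no redundancy left in it.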
