Ask a professor: If you encrypt something that is already encrypted, would that make it more difficult to crack?

Sometimes it helps a little. But if you really want more security, use long passwords.

When you encrypt something — a document, say — with a secret password, here’s roughly what happens: The document, which to a computer is just a sequence of numbers, is transformed by applying a mathematical operation to each number. A simple example is the rotation cipher, used by Julius Caesar to encrypt military memos. It converts each letter to a number, from 0 to 25, and “rotates” it a (secret) number of steps. If the secret is one step, then A rotates to B, B to C, and Z wraps around to A.

An encryption algorithm is secure when the transformation is hard to undo without knowing the password, so that the only way to crack it is to try all possible passwords. The rotation cipher is easy to crack: just try all 25 possible rotations.

So what happens when you encrypt a document twice? In some cases, it offers no additional security. That’s because for some encryption algorithms, encrypting first with password A and then with password B is equivalent to encrypting just once with a password that is a combination of A and B. This is true for the rotation cipher; rotating first with two steps and then rotating with three steps is the same as rotating the original message five steps. This is also true for the RSA algorithm, which plays a key role in HTTPS, the protocol that encrypts web browsing. For other algorithms, encrypting twice makes it roughly twice as difficult to crack. In contrast, adding just one more letter to your original password would make it about 50 times more difficult.
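The rotation-cipher case can be checked directly. The short Python sketch below is an added example, not part of the original column; the sample message, the guessed word "NOON" and the function names are constructed for illustration. It shows that rotating by two and then three steps gives the same ciphertext as rotating once by five, and that trying every rotation recovers the message without ever learning the two passwords separately.

```python
def rotate(text, steps):
    """Rotation cipher from the article: shift each letter, wrapping Z to A."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + steps) % 26 + base))
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def double_encrypt(text, key_a, key_b):
    """Encrypt with key_a, then encrypt the result again with key_b."""
    return rotate(rotate(text, key_a), key_b)


def brute_force(ciphertext, crib):
    """Try every rotation; keep candidates containing a word we expect (the crib).

    Returns (number_of_tries, [(effective_key, plaintext), ...]).
    """
    tries, hits = 0, []
    for key in range(26):
        tries += 1
        candidate = rotate(ciphertext, -key)
        if crib in candidate:
            hits.append((key, candidate))
    return tries, hits


# Constructed sample message; 2 and 3 are the step counts used in the article.
MESSAGE = "MEET ME AT NOON"
ONCE = rotate(MESSAGE, 5)
TWICE = double_encrypt(MESSAGE, 2, 3)

if __name__ == "__main__":
    print("rotate by 5:        ", ONCE)
    print("rotate by 2 then 3: ", TWICE)
    print("identical:          ", ONCE == TWICE)
    tries, hits = brute_force(TWICE, "NOON")
    print(f"{tries} tries recover:", hits)
    # Edge case: two keys that sum to 26 cancel out and leave the plaintext exposed.
    print("keys 10 then 16:    ", double_encrypt(MESSAGE, 10, 16))
```

The last line shows the worst case of layering this cipher: two passwords whose steps add up to 26 undo each other completely.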

While encrypting twice may not help much, layered security is generally a good thing. This is why many sites ask for not only your password but also a security code that is sent to you via text message. This “two-factor authentication” adds a layer of security because a hacker must not only obtain your password but also intercept your phone messages.

Michael Hay, associate professor of computer science, researches technologies for data privacy and teaches courses on discrete structures, databases, and data science. His most important account passwords can be found on a sticky note posted on his laptop.

Do you have a big-picture question for a faculty member? Write to us at: magazine@colgate.edu.