No, not correct. Suppose I know the message that was encrypted (i.e. a known plaintext attack). Then what I can do is to build a table of the decryption of the ciphertext under all possible keys (i.e. a brute-force attack on one cipher), then encrypt the known plaintext under all possible keys with the other cipher (a second brute-force attack) and see where I get "hits" in the table. Those hits are candidate keys for the composed cipher; if the ciphers are secure then there will be a small number of hits. The total running time is simply the sum of the time required to attack the component ciphers, which only adds one bit of security.
So, it seems like you're saying that if you can brute-force two ciphers, you can brute-force the composition of ciphers.
It's still twice as hard, correct? And if you have two ciphers, one of which is compromised in some way, wouldn't this composition mean that you're at least as secure as the most secure of the two ciphers?
Also, how does 3DES get away with this? I read on wikipedia (after I looked up the meet in the middle attack) that 3DES encrypts, then decrypts with a second key, then encrypts, and presumably decrypts-encrypts-decrypts on 3DES-decryption -- how is this different?
(Thanks for answering these questions; it's contributed to my knowledge of crypto and I really appreciate it.)
"So, it seems like you're saying that if you can brute-force two ciphers, you can brute-force the composition of ciphers. It's still twice as hard, correct?"
Exactly, and "twice as hard" is another way to say "one extra bit of security."
"It's still twice as hard, correct? And if you have two ciphers, one of which is compromised in some way, wouldn't this composition mean that you're at least as secure as the most secure of the two ciphers?"
It took me some time to locate this, but it is relevant:
You can think of it this way: the meet-in-the-middle attack is generic and does not exploit the structure of the ciphers at all, whereas attacks that do exploit the structure of the ciphers might exist and might do better when the ciphers are composed. In general you should avoid carelessly composing cryptosystems (for that matter, you should avoid carelessly composing cryptosystems with other systems; e.g. the Skype attack).
"Also, how does 3DES get away with this?"
The security of 3DES is twice the security of single DES; the attack still works, but it can only remove one of the DES applications. Note also that 3DES is DES composed with itself, and so attacks on the structure of the components would imply weaknesses in DES itself.