F21 System Wide Change: System-wide crypto policy

Nikos Mavrogiannopoulos nmav at redhat.com
Fri Feb 28 09:52:16 UTC 2014


On Thu, 2014-02-27 at 10:58 -0700, Andrew Lutomirski wrote:

> >> For reference, there isn't a well-established, widely accepted
> >> symmetric cipher with 256-bit security.  AES-256 is weak [1] and
> >> should probably not be used at all, let alone by anyone who wants a
> >> 256-bit security level.
> >
> > AES-128 is broken too:
> > http://www.kuleuven.be/english/newsletter/newsflash/encryption_standard.html
> >
> > (in short it provides 126-bit security instead of 128).
> >
> > _However_, this and the attacks you describe on AES-256 don't matter
> > for practical purposes. Schneier explains in the blog you quote, but I
> > recap:
> >
> > 1. Related key attacks are nice for publishing papers, but they have
> > almost no practical relevance (AES or any other modern cipher isn't
> > designed to resist related key attacks).
> > 2. Attacking reduced-round variants of ciphers doesn't matter either,
> > except for academics and for getting the future trend of security of the
> > cipher. We use the full-round variants that resist the published
> > attacks.
> > 3. Breaking a cipher in the academic term means finding an attack that
> > is faster than brute force. The brute force level of AES-256 is terribly
> > high so "breaking" AES-256 in 2^245 steps is still very reassuring.
> 
> So, in summary:
> 
>  - LEVEL-256 provides well under 256-bit security.
>  - This is fine because no one actually needs 256-bit security.
> 
> So *why on earth* would it make sense to implement this proposal?  It
> sounds like we'd be offering options that (a) don't perform as
> advertised and (b) don't serve any purpose anyway.

I don't really understand what you are arguing about. Are you
complaining that AES-256 doesn't offer the advertised 256-bit security,
or that a consistent security policy isn't required?

regards,
Nikos