List:       linux-crypto
Subject:    Re: Announce loop-AES-v1.3b file crypto package
From:       Sandy Harris <sandy () storm ! ca>
Date:       2001-07-12 3:30:52

"IT3 Stuart B. Tener, USNR-R" wrote:
> 
> Mr. Touloumtzis:
> 
>         After reading your email I have surmised the following facts:
> 
> a) AES is a safe choice to use

Right.

> b) a safe choice would be to use a key of 256-bits or greater (as this will
> work for email, filesystems, long term public data, and SSH login passwords,
> etc.),

128 is likely enough. A bunch of well-known cryptographers did a paper a few
years back on key sizes:
http://www.counterpane.com/keylength.html
They suggested a 90-bit minimum, in 1996.

If Moore's Law holds and computers double their performance every 18 months,
then you need one more key bit every 18 months. 128 bits should be secure
until 2047. 3DES (112-bit work factor for meet-in-the-middle attack) until
2023.

Another way to look at it is in the FreeS/WAN glossary entry for "brute force":
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/glossary.html#brute

| ... the EFF's DES Cracker searches a 56-bit key space in an average
| of a few days. Let us assume an attacker that can find a 64-bit key (256 times
| harder) by brute force search in a second (a few hundred thousand times faster).
| For a 96-bit key, that attacker needs 2^32 seconds, just over a century.
| Against a 128-bit key, he needs 2^32 centuries or about 400,000,000,000 years.
| Your data is then obviously secure against brute force attacks. Even if our
| estimate of the attacker's speed is off by a factor of a million, it still
| takes him 400,000 years to crack a message.

That said, I'd take the 256-bit version and the large safety margin.

Ross Anderson's excellent book "Security Engineering"
http://www.cl.cam.ac.uk/~rja14/book.html
recommends using 256-bit keys for AES.

> I will choose 128 for the moment, unless I am told a faster key will
> not damage noticeably the speed with which a filesystem or other device can
> be read and written to given the additional overhead of the encryption
> technology

The extra overhead is not huge. AES varies the number of rounds with the
key size. 10 for 128-bit keys, 16 for 256-bit. Encryption speed depends
directly on the number of rounds, so 256-bit AES is 1.6 times as expensive
as 128-bit. Against brute force it's 2^128 times as secure!
 
> As well in paragraph three of your reply you state "AES is not needed
> because 3DES is insecure; it's needed mainly because 3DES is _slow_,
> especially in software." This statement appears to absolutely make little
> sense.

What I think he meant was:

The reason we need AES is not that 3DES is insecure (it isn't), but that
3DES is slow.

Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
