[Ach] Vote for new Cipherstring B [Was: Issue with OpenSSL >0.9.8l]
ianG
iang at iang.org
Thu May 15 22:00:28 CEST 2014
On 15/05/2014 19:39 pm, Joe St Sauver wrote:
> That said, I also totally get folks who might want something more "just
> in case."
I don't. When was an attack ever launched against a strong crypto
algorithm? We never even heard of DES being crunched in a real attack.
Those folks who need something stronger than AES-128 need to stop using
TLS ;-)
Strawman Hypothesis: If we had accepted a single 40 bit algorithm in
1995 instead of fighting the Empire, we'd have covered more of the
planet in crypto, have defeated mass surveillance, and be in a far
better position in say 2005 to replace a 40 bit with 128 bit.
> Conservatively choosing AES-256 doesn't strike me as being
> at all crazy (at least if you worry about quantum crypto, or you just
> like running with a safety margin, or the unknowns are overwhelming
> folks, or it's more about the optics than the math, etc.)
There have been some older disturbing results coming out that attacked
AES-256, although I haven't followed it. The suggestion has been that
probably AES-128 is sufficient for all purposes.
If it comes down to it, I'd ask what the major compatibility win was, and
if it errs in favour of AES-128, I'd go for that.
As, in the future, we're going to be drifting towards another set of
algorithms entirely. First ChaCha and then likely CAESAR.
> All that said, I'm not sure I see a lot driving folks towards doing
> AES-196.
Right... Every algorithm needs to be justified, and being an older
less-famous brother doesn't get an invite to my party.
iang