Practical Advice for those using AES256 cipher?
David Shaw
dshaw at jabberwocky.com
Wed Aug 19 19:24:08 CEST 2009
On Aug 19, 2009, at 9:28 AM, Kevin Hilton wrote:
> Although I usually get a wide range of responses, is there any
> practical advice an end-user should take away from the recent AES256
> attacks as described
> here:http://www.schneier.com/blog/archives/2009/07/another_new_aes.html?
> Should I continue to use AES256 (double AES) or default to single AES
> or simply default back to 3DES, or just sit tight? Although I found
> the article interesting (not sure if I understood a lot of the blog
> comments), is there any practical advice I should take away from it as
> it relates to GnuPG?
The brief summary is don't worry too much about it.
The less brief summary is that given a particular relationship between
the (session) keys in use, and multiple copies of the same plaintext
encrypted with these particular keys, an attacker can attack a
simplified version of AES256 in less time than it would take to attack
it via brute force (and amusingly enough, in less time than it would
take to attack AES128). The multiple catches here is that you usually
don't have special keys, you don't usually have multiple copies of the
same plaintext encrypted with the special keys, the amount of time it
would take to attack is still unfeasible, and GnuPG doesn't use a
simplified version of AES256 anyway (nobody does).
Is this bad for AES256? Absolutely. It's a crack in the armor. But
is it a problem in OpenPGP today? Not really, no.
So speaking about how it relates to GnuPG, I wouldn't bother to do
anything about it, personally, but if it worries you, you can easily
rank AES128 higher than AES256 in your preferences (or even remove
AES256 altogether if you like). Either way you're probably fine.
David
More information about the Gnupg-users
mailing list