Practical Advice for those using AES256 cipher?

David Shaw dshaw at jabberwocky.com
Wed Aug 19 19:24:08 CEST 2009


On Aug 19, 2009, at 9:28 AM, Kevin Hilton wrote:

> Although I usually get a wide range of responses, is there any
> practical advice an end-user should take away from the recent AES256
> attacks as described here:
> http://www.schneier.com/blog/archives/2009/07/another_new_aes.html ?
> Should I continue to use AES256 (double AES) or default to single AES
> or simply default back to 3DES, or just sit tight?  Although I found
> the article interesting (not sure if I understood a lot of the blog
> comments), is there any practical advice I should take away from it as
> it relates to GnuPG?

The brief summary is don't worry too much about it.

The less brief summary is that given a particular relationship between
the (session) keys in use, and multiple copies of the same plaintext
encrypted with these particular keys, an attacker can attack a
simplified version of AES256 in less time than it would take to attack
it via brute force (and amusingly enough, in less time than it would
take to attack AES128).  The multiple catches here are that you usually
don't have special keys, you don't usually have multiple copies of the
same plaintext encrypted with the special keys, the amount of time it
would take to attack is still unfeasible, and GnuPG doesn't use a
simplified version of AES256 anyway (nobody does).

Is this bad for AES256?  Absolutely.  It's a crack in the armor.  But
is it a problem in OpenPGP today?  Not really, no.

So speaking about how it relates to GnuPG, I wouldn't bother to do
anything about it, personally, but if it worries you, you can easily
rank AES128 higher than AES256 in your preferences (or even remove
AES256 altogether if you like).  Either way you're probably fine.

David
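The preference change David mentions, as an added example that is not part of his message or of GnuPG's own documentation: a POSIX shell script that writes a cipher preference list with AES (that is, AES-128) ranked ahead of AES256, or with AES256 dropped, into a throwaway GNUPGHOME so the real keyring is untouched. The option names personal-cipher-preferences and default-preference-list, the setpref/showpref edit-key commands, and the algorithm names are real GnuPG ones; the digest and compression choices, the KEYID placeholder and the file paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not GnuPG's code or the original poster's): rank AES128 above
# AES256 in GnuPG's cipher preferences, or drop AES256 entirely.
set -eu

# "AES" is AES-128 in GnuPG's algorithm names (see 'gpg --version').
# 3DES is always implicitly at the end of an OpenPGP preference list, so
# listing it only makes the intended order explicit.
PREFS_AES128_FIRST="AES AES256 CAST5 3DES"   # AES128 preferred, AES256 still allowed
PREFS_NO_AES256="AES CAST5 3DES"             # AES256 removed altogether

# cipher_rank NAME "LIST": 1-based position of NAME in LIST, 0 if absent.
# Used below to check that a list really puts AES ahead of AES256.
cipher_rank() {
    want="$1"
    i=0
    for c in $2; do
        i=$((i + 1))
        if [ "$c" = "$want" ]; then
            echo "$i"
            return 0
        fi
    done
    echo 0
}

# gpg_conf_for "CIPHERS": emit gpg.conf lines for a cipher order.
#  personal-cipher-preferences: the order *you* prefer when encrypting; gpg
#    picks the first algorithm here that every recipient's key advertises.
#  default-preference-list: what new keys advertise (and what 'setpref' with
#    no arguments installs), i.e. what *others* see when encrypting to you.
#  Digest/compression entries are an assumed, reasonable choice for the example.
gpg_conf_for() {
    ciphers="$1"
    printf 'personal-cipher-preferences %s\n' "$ciphers"
    printf 'default-preference-list SHA256 SHA1 %s ZLIB BZIP2 ZIP Uncompressed\n' "$ciphers"
}

# Sanity check the list before installing it.
if [ "$(cipher_rank AES "$PREFS_AES128_FIRST")" -ge "$(cipher_rank AES256 "$PREFS_AES128_FIRST")" ]; then
    echo "AES is not ranked ahead of AES256" >&2
    exit 1
fi

# Install into a scratch home so ~/.gnupg is not modified (assumed paths).
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"
gpg_conf_for "$PREFS_AES128_FIRST" > "$GNUPGHOME/gpg.conf"

# Existing keys keep the preferences already signed into them.  To change
# what an existing key advertises, run (KEYID is a placeholder):
#   gpg --edit-key KEYID
#     showpref                                  # inspect the current list
#     setpref SHA256 SHA1 AES AES256 3DES ZLIB BZIP2 ZIP Uncompressed
#     save
# and redistribute the updated public key.
if command -v gpg >/dev/null 2>&1; then
    gpg --version | sed -n '/^Cipher:/p'   # confirm which ciphers this build supports
fi
```

For a one-off message the same order can be given on the command line, e.g. `gpg --personal-cipher-preferences "AES AES256" -r RECIPIENT -e FILE`; GnuPG still only selects an algorithm that every recipient's key supports, so the preference never produces a message a recipient cannot read.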
