Hash for Rijndael 192 and 256
Werner Koch
wk@gnupg.org
Fri Mar 2 19:00:10 2001
On Thu, 1 Mar 2001, Rich wrote:
> I actually DID reply to Werner's message about not understanding,
> but my emailer selected his email address instead of the mailing
> list's address so my reply and his response to that were never seen by
Feel free to re-post my mail if you think it is required,
> I'm not quite certain I understand what's going on with the above
> method. Do we get 256-bits of true security (assuming sufficiently
> random passphrase) by using that prescribed Open-PGP method?
No. The security is bound by the quality of your passphrase and has
an upper limit of 160 bits due to the hash algorithms. Given that
we have about 1.3 bits of entropy per character in normal English, you
need a 124-character passphrase. However, it is still not as secure as
a random 160-bit string because a dictionary attack will be much
more effective than brute forcing it.
Public key encryption is more secure than symmetric encryption
using a passphrase; however, an attack would only reveal one message
(or all messages encrypted with the same passphrase). A compromised
secret key would reveal all messages ever sent using this key. So it
might be clever to replace an encryption subkey from time to time
and take the old secret subkey offline or destroy it. There are
still practical problems, e.g. you are not able to read old archived
and encrypted messages, or someone might have missed your key change
and keeps sending you messages encrypted to the old key.
BTW, IMHO a 256-bit key (AES256) is ridiculous in practically all
settings.
Werner
--
For everything which is not diminished by being given away, as long as
it is possessed and not given, is not yet possessed as it ought to be.
-- Augustinus
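The "prescribed OpenPGP method" Rich asks about, and the 160-bit / 124-character arithmetic in Werner's reply, as an added worked example. This is not code from the thread or from GnuPG: it is a plain Python implementation of the iterated-and-salted string-to-key (S2K specifier 3) algorithm of RFC 2440 / RFC 4880 section 3.7.1.3 as the writer of this example understands it, namely that salt||passphrase is fed to the hash until the decoded octet count is reached, and that a key longer than one digest is built from extra hash contexts preloaded with one, two, ... zero octets. The function names, the sample passphrase, the sample salt and the 1.3 bits-per-character figure (taken from the mail above) are assumptions made for the illustration.

```python
"""OpenPGP iterated-and-salted S2K (RFC 4880 3.7.1.3), illustrative re-implementation.

Example code added to this page; it is not from the gnupg-users thread or from
GnuPG.  All names and sample inputs below are constructed for the illustration.
"""
import hashlib
import math


def s2k_decode_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Derive key_len octets of key material from a passphrase and 8-octet salt."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    data = salt + passphrase
    # The count is an octet count; salt+passphrase is always hashed at least once.
    count = max(s2k_decode_count(coded_count), len(data))
    digest_len = hashlib.new(hash_name).digest_size
    contexts = (key_len + digest_len - 1) // digest_len   # 1 for AES-128, 2 for AES-256 with SHA-1
    out = b""
    for i in range(contexts):
        h = hashlib.new(hash_name)
        h.update(b"\x00" * i)          # context i is preloaded with i zero octets
        remaining = count
        while remaining > 0:
            chunk = data if remaining >= len(data) else data[:remaining]
            h.update(chunk)
            remaining -= len(chunk)
        out += h.digest()
    return out[:key_len]


def passphrase_chars_for(bits: float, entropy_per_char: float = 1.3) -> int:
    """Characters of ordinary English text needed to reach `bits` of entropy
    (1.3 bits per character is the figure used in the mail above)."""
    return math.ceil(bits / entropy_per_char)


def check_single_pass() -> bool:
    """Sanity check on constructed input: when the decoded count is smaller than
    len(salt+passphrase) the data is hashed exactly once, so the 32-octet output
    must equal SHA-1(salt||pw) followed by the first 12 octets of SHA-1(0x00||salt||pw)."""
    salt = bytes(range(1, 9))
    passphrase = b"a" * 1020                 # 1028 octets total > minimum count 1024
    data = salt + passphrase
    expected = (hashlib.sha1(data).digest()
                + hashlib.sha1(b"\x00" + data).digest())[:32]
    return s2k_iterated_salted(passphrase, salt, 0, 32) == expected


if __name__ == "__main__":
    salt = b"\x9a\x41\x7f\x03\x2c\xd8\x5e\x10"   # constructed salt, not from any real key
    pw = b"correct horse battery staple"        # constructed passphrase
    aes128 = s2k_iterated_salted(pw, salt, 0x60, 16)
    aes256 = s2k_iterated_salted(pw, salt, 0x60, 32)
    print("AES-128 key:", aes128.hex())
    print("AES-256 key:", aes256.hex())
    # The second context only extends the first; the AES-256 key starts with the AES-128 key.
    print("AES-256 key begins with the AES-128 key:", aes256[:16] == aes128)
    print("English characters needed for 160 bits:", passphrase_chars_for(160))
```

Two things the block makes visible that the mail states in prose: the 256-bit key is the same 160-bit SHA-1 context plus a second one over the same salt and passphrase, so guessing the passphrase recovers both halves at once, and a 160-bit target at 1.3 bits per character works out to 124 characters. Coded count 0x60 decodes to 65536 octets; the maximum 0xff decodes to 65011712.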