Hash for Rijndael a92 and 256

Werner Koch wk@gnupg.org
Fri Mar 2 19:00:10 2001

On Thu, 1 Mar 2001, Rich wrote:

> I actually DID reply to Werner's message about not understanding,
> but my emailer selected his email address instead of the mailing
> list's address so my reply and his response to that were never seen by
Feel free to re-post my mail if you think it is required,
> I'm not quite certain I understand what's going on with the above
> method. Do we get 256-bits of true security (assuming sufficiently
> random passphrase) by using that prescribed Open-PGP method?
No. The security is bound by the quality of your passphrase and has an upper limit of 160 bits due to the hash algorithms. Given that we have about 1.3 bit entropy per character in normal english, you need a 124 character passphrase. However it is still not secure as a random 160 bit string because a dictionary attack will be much more effective than brute forcing it. Public Key encryption is more secure than a symmetric encryption using a passphrase; however an attack would only reveal one message (or all messages encrypted with the same passphrase). A compromised secret key would reveal all message ever send using this key. So it might be clever to replace an encryption subkey from time to time and take the old secret subkey offline or destroy it. There are still practical problems, e.g. you are not able to read old archived and encrypted message or someone might have missed your key change and keeps sending you message encrypted to the old key. BTW, IMHO a 256 bit key (AES256) is ridiculous in practically all settings. Werner -- Omnis enim res, quae dando non deficit, dum habetur et non datur, nondum habetur, quomodo habenda est. -- Augustinus