Default hash

Aaron Toponce aaron.toponce at gmail.com
Sat Feb 26 15:10:44 CET 2011


On 02/25/2011 08:46 PM, Robert J. Hansen wrote:
> On 2/25/11 10:27 PM, Aaron Toponce wrote:
>> On 02/25/2011 07:39 PM, Robert J. Hansen wrote:
>>> Bruce himself recommends AES over TWOFISH.
>>
>> [citation needed]
> 
> _Practical Cryptography_.  Read it.  Other people on this list can
> provide a page ref: I'm at a funeral in the middle of nowhere and don't
> have my books handy.
> 
>> I know that he's recommended AES-128 over AES-256, but I've not read
>> where he's recommended AES over TWOFISH.
> 
> Many times.  It's not hard to find these recommendations: Google is your
> friend.

I'm using Google. I'm not seeing it. I'll keep digging. The best I can
find is from 2008, where he recommends Twofish over Blowfish:
http://goo.gl/D3Diq

> Regardless, you really need to pay attention to the fine print.  First,
> the numbers you cite are for *two*-key 3DES, and OpenPGP specifies
> *three*-key 3DES be used.  3DES's meet-in-the-middle is at 112 bits of
> security -- plenty enough for almost any purpose.
> 
> Second, that meet-in-the-middle on 3DES requires 2**32 known plaintexts,
> 2**113 operations, 2**90 encryptions and 2**88 memory.  This is so
> unrealistic it deserves to be called fantasy.  Miss any of those and
> you're up to a work factor of 2**168.
> 
> So, yeah.  3DES's effective security is 168 bits, unless you're up
> against the space aliens from Zarbnulax, in which case you're SOL no
> matter what algorithm you use.

Heh. I don't believe in aliens. So, good luck with that.

I'm not saying 3DES isn't practical; I just said I'm not interested in
using it, and I stated why. I'm also not interested in using SHA1 for my
signing hash, but for all _practical_ purposes, it fits the bill just fine.

Did you know OpenSSH uses SHA1 by default for its hash, and for the MAC
it's MD5 or SHA1? Then again, what's the _practicality_ of your OpenSSH
connection being broken by the baddies?

The fact of the matter is, GnuPG supports these stronger algorithms, so
why not use them? If you have the hardware that can do the math in
trivial time, I don't see why you shouldn't use 256-bit or 512-bit
crypto. I understand that looking at just key length for security is
retarded, but GnuPG ships solid, well-researched, highly available,
strong crypto.

> 3DES's history is instructive.  NIST has declared it "dead in 20 years"
> more often than Netcraft has declared BSD to be dying.[*]  At this
> point, I'm unaware of anyone who seriously believes 3DES will be gone in
> 20 years.  Most people seem to be of the belief that in about fifteen
> years NIST will say, "and 3DES is believed strong through 2050."

Great! If it has that sort of security, then maybe I'll give it a second
thought. I was always under the impression that, with DES having been
cracked by the EFF in what, 9 months?, it wasn't long before we'd have
the hardware to break 3DES, which just uses 3 of the same 56-bit key, in
9 months also. I'll give it some reconsideration.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 591 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110226/37865240/attachment.pgp>
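
The thread argues about which digest and cipher GnuPG should be told to use, and the place that choice actually lives is gpg.conf. The script below is an added example, not code from the thread or from GnuPG: it lints a gpg.conf for the legacy choices discussed above (SHA1/MD5 digests, 3DES and friends) and flags `digest-algo`/`cipher-algo`, which force one algorithm for every message regardless of what a recipient's key advertises; the GnuPG manual steers users to `personal-digest-preferences`/`personal-cipher-preferences` for that reason. The function names, the "weak" lists and the two sample configurations are this example's own assumptions, not a GnuPG policy.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG: lint a gpg.conf
# for legacy algorithm choices. The WEAK_* lists are this example's own
# judgement; adjust them to your policy.

WEAK_DIGESTS='MD5|SHA1|RIPEMD160'
WEAK_CIPHERS='3DES|IDEA|CAST5|BLOWFISH'

# gpg_conf_findings FILE
#   Prints one finding per line, prefixed with the line number in FILE.
#   Comments and blank lines are skipped. Option names are matched as
#   written in gpg.conf; algorithm names are compared case-insensitively,
#   and only the first entry of a preference list is examined, because
#   that is the one GnuPG picks when every recipient supports everything.
gpg_conf_findings() {
    awk -v wd="$WEAK_DIGESTS" -v wcf="$WEAK_CIPHERS" '
        /^[[:space:]]*(#|$)/ { next }
        {
            opt = $1
            first = $2; sub(/,.*/, "", first); alg = toupper(first)

            # digest-algo / cipher-algo force one algorithm for every
            # message, whatever the recipient key advertises.
            if (opt == "digest-algo" || opt == "cipher-algo") {
                kind = opt; sub(/-algo$/, "", kind)
                print FNR ": " opt " overrides recipient preferences; use personal-" kind "-preferences instead"
            }
            if ((opt == "digest-algo" || opt == "cert-digest-algo") && alg ~ ("^(" wd ")$"))
                print FNR ": legacy digest " first " selected by " opt
            if (opt == "cipher-algo" && alg ~ ("^(" wcf ")$"))
                print FNR ": legacy cipher " first " selected by " opt
            if (opt == "personal-digest-preferences" && alg ~ ("^(" wd ")$"))
                print FNR ": legacy digest " first " listed first in " opt
            if (opt == "personal-cipher-preferences" && alg ~ ("^(" wcf ")$"))
                print FNR ": legacy cipher " first " listed first in " opt
        }' "$1"
}

# gpg_conf_finding_count FILE: number of findings, as a bare integer.
gpg_conf_finding_count() {
    gpg_conf_findings "$1" | awk 'END { print NR }'
}

# gpg_conf_ok FILE: exit 0 when there are no findings, 1 otherwise.
gpg_conf_ok() {
    [ "$(gpg_conf_finding_count "$1")" -eq 0 ]
}

# Constructed sample configurations (not anyone's real gpg.conf).
legacy_conf=$(mktemp)
cat > "$legacy_conf" <<'EOF'
# forces one digest and one cipher for every message
digest-algo SHA1
cipher-algo 3DES
EOF

strong_conf=$(mktemp)
cat > "$strong_conf" <<'EOF'
# preference lists: strongest first, fall back as recipients require
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
EOF

echo "== legacy config =="
gpg_conf_findings "$legacy_conf"
echo "== stronger config =="
if gpg_conf_ok "$strong_conf"; then echo "no findings"; fi
rm -f "$legacy_conf" "$strong_conf"
```

Point it at `~/.gnupg/gpg.conf` to lint your own settings. It only reads the configuration file; the preferences stored in a key's self-signature are separate and are shown by `showpref` inside `gpg --edit-key`. GnuPG always appends the OpenPGP baseline algorithms (3DES, SHA1) to the end of a preference list, so a list like the stronger sample never strands a recipient; the point of the lint is to keep those algorithms off the front of the list and out of the forcing options.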
