s2k-cipher-mode default

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jun 2 19:29:42 CEST 2015


On Tue 2015-06-02 12:41:40 -0400, Robert J. Hansen wrote:
> Right now pretty much everyone is content with RSA-3072, which has an
> estimated work factor comparable to AES-128.  So if 128-bit crypto is
> enough, I don't understand the motivation behind jumping to AES-256.
> There needs to be something motivating this besides "bigger is better".

I agree with you that these comparisons are a decent rough estimate when
considering attacking a single ciphertext.  But I don't think the
argument holds looking at the bigger picture.

Let's consider an adversary that can store as many OpenPGP-encrypted
messages as it has access to.  Maybe it sniffs SMTP traffic as well?  If
the attacker is interested in breaking the crypto of any *one* of these
messages, it can reduce the amount of work it has to do significantly.

As djb put it:

>> There are standard attacks that break _all_ of 2^50 AES-128 keys using a
>> _total_ of 2^128 easy computations. Even worse, there are standard
>> attacks that find _at least one_ of the keys using just 2^78 easy
>> computations, a feasible computation today.

 -- http://thread.gmane.org/gmane.ietf.irtf.cfrg/3427

Note that he's describing a known-plaintext attack; this might be
relevant, for example, if there is a standard prefix of the data being
encrypted (perhaps a common MIME header?  or if you're doing regular
backups of a standard filesystem, the beginning of the tar format?).

Of course, there aren't 2^50 AES-128-encrypted known-plaintext OpenPGP
messages today that such an attack would work on.  But why would we want
to leave users open to this?

> Let me turn the question around, dkg.  (Completely serious here, not
> snark.)  What problem do we have with AES-128 that switching to AES-256
> will solve?

Is the above argument enough for you?  Remember that these AES128
ciphertexts are likely to exist well into the future, and attacks only
get better with time.

Regards,

            --dkg
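The multi-target argument in the message above (one pass over the key space that is checked against many stored ciphertexts sharing a known plaintext, so that the first key falls after about 2^n / T trials and all T keys after at most 2^n) is easy to see on a toy scale. The following is an added example, not code from dkg, djb, or GnuPG: it uses a hypothetical 16-bit keyed hash as a stand-in for a block cipher (nothing here is AES), a constructed known-plaintext prefix, and constructed random keys, and it compares a single-target brute force with a single pass over the key space that checks every candidate against all stored ciphertexts at once.

```python
import hashlib
import random

KEY_BITS = 16                        # toy key space: 2^16 keys (AES-128 has 2^128)
KEY_SPACE = 1 << KEY_BITS
KNOWN_PLAINTEXT = b"-----BEGIN PGP"  # constructed: a fixed prefix shared by every message


def toy_encrypt(key: int, plaintext: bytes) -> bytes:
    """Hypothetical keyed function standing in for a block cipher; NOT AES.
    Only the counting argument matters here, so a truncated keyed hash is enough."""
    return hashlib.sha256(key.to_bytes(2, "big") + plaintext).digest()[:8]


def make_targets(n_targets: int, seed: int = 2015):
    """Constructed sample: n messages, each under its own random key, all starting
    with the same known plaintext. Returns (keys, {ciphertext: key})."""
    rng = random.Random(seed)
    keys = [rng.randrange(KEY_SPACE) for _ in range(n_targets)]
    return keys, {toy_encrypt(k, KNOWN_PLAINTEXT): k for k in keys}


def single_target_search(target_ct: bytes):
    """Brute-force one ciphertext. Returns (key, trials); expected trials ~ 2^n / 2."""
    for trials, k in enumerate(range(KEY_SPACE), start=1):
        if toy_encrypt(k, KNOWN_PLAINTEXT) == target_ct:
            return k, trials
    return None, KEY_SPACE


def multi_target_search(targets: dict):
    """One pass over the key space, checking each candidate key against all T
    ciphertexts at once with a dict lookup (the same cost per trial as above).
    Returns ({true_key: recovered_key}, trials_to_first_hit, trials_to_last_hit).
    The first hit is expected after ~ 2^n / T trials; recovering every key still
    costs at most 2^n trials in total, not T * 2^n."""
    remaining = dict(targets)
    recovered = {}
    first_hit = last_hit = None
    for trials, k in enumerate(range(KEY_SPACE), start=1):
        ct = toy_encrypt(k, KNOWN_PLAINTEXT)
        if ct in remaining:
            recovered[remaining.pop(ct)] = k
            first_hit = first_hit or trials
            last_hit = trials
            if not remaining:
                break
    return recovered, first_hit, last_hit


def log2_expected_first_hit(key_bits: int, log2_targets: int) -> int:
    """Log2 of the expected work to find at least one key among 2^t targets:
    2^(n - t). With n = 128 and t = 50 this is the 2^78 figure quoted above."""
    return key_bits - log2_targets


if __name__ == "__main__":
    keys, targets = make_targets(1024)
    _, one = single_target_search(toy_encrypt(keys[0], KNOWN_PLAINTEXT))
    recovered, first, last = multi_target_search(targets)
    print(f"key space {KEY_SPACE}: single target took {one} trials; "
          f"with {len(targets)} targets the first key fell after {first} trials "
          f"and all {len(recovered)} after {last}")
    print("log2 work for the first of 2^50 AES-128 keys:",
          log2_expected_first_hit(128, 50))
```

Run it and the first hit with 1024 targets lands after a few dozen trials out of 65536, while a lone target takes on the order of 2^15. The ratio is the whole point of the message: the per-message security level of AES-128 is unaffected, but an adversary holding many ciphertexts with a shared known prefix gets the first break at a discount of a factor T, which is why a wider key (AES-256) is the usual defensive answer for long-lived stored traffic.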