s2k-cipher-mode default

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jun 3 16:01:27 CEST 2015


On Tue 2015-06-02 18:15:21 -0400, NdK wrote:

> IIRC, I read (some years ago...) that AES-256 could be *weaker* than
> AES-128 because some mathematical structures express some properties
> only with the longer keys. I don't have the paper handy ATM, but I
> vaguely remember that shocking conclusion.

I think you're referring to:

  http://eprint.iacr.org/2009/374

  https://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html

and

  http://eprint.iacr.org/2009/374

  https://www.schneier.com/blog/archives/2009/07/another_new_aes.html


These describe so-called "related-key" attacks, where the attacker knows
that two AES keys are related to one another in a specific way
(e.g. they know the XOR of the two keys), and can force operation of the
cipher with these two keys:

  https://en.wikipedia.org/wiki/Related-key_attack

OpenPGP in general (and GnuPG in specific) does not have any mechanism
whereby an attacker can force a user to use two symmetric keys that it
knows to be related to one another.  I don't think these attacks are
relevant.

Regards,

        --dkg
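For readers who want to see concretely why the "related keys" precondition is absent in OpenPGP: the symmetric key that protects a message or a secret key is not chosen directly but comes out of a string-to-key (S2K) derivation, a salted, iterated hash of the passphrase (RFC 4880 section 3.7.1.3). The following is an added illustration written for this page; it is not GnuPG's code and not from the papers linked above. It assumes SHA-256 as the S2K hash and a coded count of 0x60; the function names, the sample passphrases and the randomly generated salts are constructed for the example.

```python
"""Iterated and salted string-to-key (S2K) derivation as described in
RFC 4880 section 3.7.1.3, implemented as an added example (not GnuPG's
own code).  The point: every symmetric key is the output of a salted,
iterated hash of a passphrase, so nobody gets to hand the cipher two keys
with a chosen relationship such as a known XOR difference."""
import hashlib
import os


def decode_s2k_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash.

    RFC 4880: count = (16 + (c & 15)) << ((c >> 4) + 6), so the range is
    1024 (coded 0x00) to 65011712 (coded 0xFF).
    """
    if not 0 <= coded <= 0xFF:
        raise ValueError("coded count must be a single octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def iterated_salted_s2k(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str = "sha256") -> bytes:
    """Derive key_len octets from passphrase using an 8-octet salt.

    The salt followed by the passphrase is fed into the hash repeatedly
    until `count` octets have been hashed (the last repetition may be
    truncated).  If count is smaller than salt+passphrase, the whole block
    is hashed exactly once.  When the digest is shorter than key_len,
    further hash contexts are run, each preloaded with one more zero octet
    than the previous one, and their digests are concatenated.
    """
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 octets")
    block = salt + passphrase
    count = max(decode_s2k_count(coded_count), len(block))
    key = b""
    context = 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * context)      # zero-octet preload for context n
        remaining = count
        while remaining > 0:
            chunk = block[:remaining]    # truncates only the final repetition
            h.update(chunk)
            remaining -= len(chunk)
        key += h.digest()
        context += 1
    return key[:key_len]


def derive_two_keys(passphrase_a: bytes, passphrase_b: bytes,
                    coded_count: int = 0x60, key_len: int = 32):
    """Derive keys for two passphrases the way an OpenPGP implementation
    does: each with its own fresh random salt.  Returns (key_a, key_b,
    key_a XOR key_b).  Even when the passphrases are closely related (here
    they differ in one character), the XOR of the derived keys is not a
    value anyone chose, which is the precondition a related-key attack needs.
    """
    salt_a = os.urandom(8)   # constructed at random, as an implementation would
    salt_b = os.urandom(8)
    key_a = iterated_salted_s2k(passphrase_a, salt_a, coded_count, key_len)
    key_b = iterated_salted_s2k(passphrase_b, salt_b, coded_count, key_len)
    xor = bytes(x ^ y for x, y in zip(key_a, key_b))
    return key_a, key_b, xor


if __name__ == "__main__":
    # Sample passphrases constructed for the example.
    ka, kb, d = derive_two_keys(b"correct horse battery", b"correct horse batterz")
    print("key A :", ka.hex())
    print("key B :", kb.hex())
    print("A^B   :", d.hex())
```

Run it twice and the printed XOR changes each time, because the salts change; the relationship between the passphrases never survives the hash. This is the mechanism behind the remark above that neither OpenPGP nor GnuPG offers an attacker a way to force two related symmetric keys.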