s2k-cipher-mode default
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Jun 3 16:01:27 CEST 2015
On Tue 2015-06-02 18:15:21 -0400, NdK wrote:

> IIRC, I read (some years ago...) that AES-256 could be *weaker* than
> AES-128 because some mathematical structures express some properties
> only with the longer keys. I don't have the paper handy ATM, but I
> vaguely remember that shocking conclusion.

I think you're referring to:

http://eprint.iacr.org/2009/374
https://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html

and

http://eprint.iacr.org/2009/374
https://www.schneier.com/blog/archives/2009/07/another_new_aes.html

These describe so-called "related-key" attacks, where the attacker knows
that two AES keys are related to one another in a specific way
(e.g. they know the XOR of the two keys), and can force operation of the
cipher with these two keys:

https://en.wikipedia.org/wiki/Related-key_attack

OpenPGP in general (and GnuPG in specific) does not have any mechanism
whereby an attacker can force a user to use two symmetric keys that it
knows to be related to one another. I don't think these attacks are
relevant.

Regards,

--dkg
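Added illustration, not part of dkg's mail and not GnuPG's own code: a related-key attack needs the attacker to know a relationship such as K1 xor K2 between the two keys the cipher runs under. For the passphrase-protected case this thread is about, the cipher key is produced by OpenPGP's iterated-and-salted S2K (RFC 4880, section 3.7.1.3), implemented below from the RFC in Python; the passphrases, salts and coded count are constructed sample values. Even when two passphrases differ by a known XOR pattern, or one passphrase is reused under two different salts, the derived keys carry no predictable relationship, which is why the attack's precondition is not met.

```python
"""Added example: OpenPGP iterated+salted S2K (RFC 4880, section 3.7.1.3),
used to show why the known-key-relationship precondition of a related-key
attack does not arise for passphrase-derived OpenPGP keys. Not code from
the original thread or from GnuPG; sample passphrases and salts are
constructed values."""
import hashlib

# Constructed 8-octet salts (a real implementation draws them at random).
SALT_A = bytes.fromhex("0123456789abcdef")
SALT_B = bytes.fromhex("fedcba9876543210")


def decode_s2k_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash:
    (16 + low nibble) << (high nibble + 6), per RFC 4880."""
    if not 0 <= coded <= 0xFF:
        raise ValueError("coded count must be a single octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str = "sha256") -> bytes:
    """Iterated and salted S2K: feed (salt || passphrase) repeatedly into the
    hash until `count` octets have been hashed. Keys longer than one digest
    use additional hash contexts, each preloaded with one more zero octet
    than the previous one, and the outputs are concatenated."""
    if len(salt) != 8:
        raise ValueError("S2K salt is exactly 8 octets")
    data = salt + passphrase
    # At least one full copy of salt+passphrase is always hashed.
    count = max(decode_s2k_count(coded_count), len(data))
    out = b""
    contexts = 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * contexts)
        remaining = count
        while remaining > 0:
            chunk = data[:remaining]
            h.update(chunk)
            remaining -= len(chunk)
        out += h.digest()
        contexts += 1
    return out[:key_len]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def related_passphrases_give_unrelated_keys(pp1: bytes, pp2: bytes, salt: bytes,
                                            coded_count: int = 0x60,
                                            key_len: int = 32) -> bool:
    """The attacker is assumed to know the XOR between the two passphrases.
    Return True when the derived keys neither reproduce that XOR pattern nor
    collide, i.e. the known input relationship does not survive S2K."""
    k1 = s2k_iterated_salted(pp1, salt, coded_count, key_len)
    k2 = s2k_iterated_salted(pp2, salt, coded_count, key_len)
    pp_delta = xor_bytes(pp1.ljust(key_len, b"\x00"), pp2.ljust(key_len, b"\x00"))
    key_delta = xor_bytes(k1, k2)
    return key_delta != pp_delta and key_delta != bytes(key_len)


def same_passphrase_different_salts(pp: bytes, coded_count: int = 0x60,
                                    key_len: int = 32) -> bool:
    """Reusing one passphrase under two salts yields two different keys, so
    the user is never running the cipher under keys of known relation."""
    return (s2k_iterated_salted(pp, SALT_A, coded_count, key_len)
            != s2k_iterated_salted(pp, SALT_B, coded_count, key_len))


if __name__ == "__main__":
    pp1, pp2 = b"correct horse", b"correct horsf"   # differ in one known bit
    print("coded 0x60 ->", decode_s2k_count(0x60), "octets hashed")
    print("related passphrases -> unrelated keys:",
          related_passphrases_give_unrelated_keys(pp1, pp2, SALT_A))
    print("same passphrase, two salts -> distinct keys:",
          same_passphrase_different_salts(pp1))
```

The check `related_passphrases_give_unrelated_keys` deliberately fixes the salt so that the only difference between the two derivations is the attacker-known passphrase delta; the salt alone would already make the comparison trivially unequal. This covers the passphrase-derived (s2k) keys the thread discusses; message session keys in public-key encryption are random to begin with.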