Not sure if this is what you were referring to about their comments in
Practical Cryptography, but in that book they argue for use of 256-bit
keys on the basis that protocols and algorithms more frequently than
we'd like fall victim to variants of the meet-in-the-middle attack
where the key space ends up being half as many bits as you thought it
So personally I'm not sure I buy that particular argument, but I
happen to share the conclusion: 256-bit keys are a good idea.
Also I'd think the most suspect aspect of a 256-bit keyed cipher is
whether it truly achieves 256-bits of strength. I'd say it's much
less controversial however to say 256-bit AES provides a better margin
of security than 128-bit AES.
On Sun, Jun 01, 2003 at 03:27:24AM -0700, Jon Callas wrote:
Now Ferguson and Schneier have a new book out, "Practical Cryptography" and
their opinions are well worth paying close attention to, even if you don't
Personally, I stick with 128-bit keys, but that's because I think too many
people want more bits in their keys without understanding what's going on.
The question, "Will a key with more bits give me better security?" is a lot
like the question, "Will more cylinders in my car engine make me go faster?"
The answer to both is, "Ummm, well, maybe. Usually yes, but too many can
actually cause all sorts of troubles." It's not what people want to hear.