On 5/29/03 7:44 AM, "Richard Laager" <rlaager(_at_)wiktel(_dot_)com> wrote:
Any particular reason(s)? Is there any merit to these reason(s)?
The main reason is that before the AES competition, no one ever built a
128-bit block, nor a 256-bit key. If there is a new way to analyze the
mixing of key, data, and blocksize, you would expect a design oops to show
up on the combination of more key and more blocksize.
Is there merit? What do you mean by merit?
The above concerns are reasonable. Otherwise sane security experts have said
these things. Do I share them myself? Not really. Do I think that even if
there's a weakness in AES-256, it will be *weaker* than AES-128? No.
However, on the other hand, I think that the instant leap to longer keys is
a sign of not understanding crypto. For example, I think that using Blowfish
with a 448-bit key is the sign of a crypto-duffer. There is *nothing* wrong
with a 128-bit key. Let's face it, whatever weakness there is in your system
will almost certainly *not* be in the cipher parts of the system. The cipher
system is the *strongest* part of the system, once you're at 128 bits.
Any OpenPGP-approved cipher is likely to be the strongest link of the chain
of whatever crypto system you're using. A chain is only as strong as its
weakest link, and people who fuss over ciphers are fussing about
strengthening the strongest parts. It's like putting a stronger lock on a door
that still has a hollow wood frame.
The odds are that for any given user, their passphrase is the weakest link
in their OpenPGP use. 128-bit keys are probably the strongest.
Jon
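As an added illustration of the "weakest link" argument above (this is not code from the thread or from any OpenPGP implementation), the following compares the brute-force work needed against a 128-bit cipher key with the entropy of the passphrase that protects it. It assumes passphrase symbols are chosen uniformly at random from the given alphabet; the alphabet sizes are my assumptions, and real human-chosen passphrases have considerably less entropy than this model credits them with.

```python
import math

# Constructed example: how long must a uniformly random passphrase be before
# it stops being weaker than the 128-bit key it protects? Added illustration,
# not from the original message.

KEY_BITS = 128


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` symbols."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float = KEY_BITS) -> int:
    """Smallest number of uniformly chosen symbols that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def weakest_link(passphrase_bits: float, key_bits: float = KEY_BITS) -> str:
    """Under a brute-force model, name the weaker of passphrase and cipher key."""
    return "passphrase" if passphrase_bits < key_bits else "key"


# Assumed alphabet sizes for a few passphrase models.
MODELS = {
    "lowercase letters": 26,
    "mixed case + digits": 62,
    "printable ASCII": 95,
    "Diceware words (7776-word list)": 7776,
}


def required_lengths() -> dict:
    """Symbols (characters or words) each model needs to match a 128-bit key."""
    return {name: length_for_bits(size) for name, size in MODELS.items()}


if __name__ == "__main__":
    typical = entropy_bits(62, 8)  # an 8-character mixed-case + digit password
    print(f"8-char mixed-case password: {typical:.1f} bits "
          f"-> weakest link is the {weakest_link(typical)}")
    for name, n in required_lengths().items():
        print(f"{name}: need {n} symbols for {KEY_BITS} bits")
```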