Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)
2003-05-30 16:48:45
With all due respect, Jon, I would like to see a quote from a recognized
crypto expert who feels that AES-128 is "safer" than AES-256.
AES-256 may not be *more* secure than AES-128, and, as a practical
matter, I don't think that it is. However, the addition of more rounds
*cannot* make it weaker. The differences in the key schedule could
theoretically make AES-256 weaker than AES-128, but there is no reason
to believe this is the case, and there are good reasons to believe that
the key schedule of AES-256 makes the cipher at least as strong as or
stronger than AES-128. One should NEVER fix any bytes of the key to be
zero, in order to use a 128-bit key with AES-256; this may not make the
cipher vulnerable, if it is resistant to related-key attacks, but it is
not good practice.
If the choice for standardization is between AES-128 and AES-256, and
the sole criterion is algorithm strength, I would recommend AES-256,
because is might be stronger, and there is very little chance that it is
weaker. If, however, there are other reasons, such as compatibility with
other deployed applications, speed or effeciency, there seems little to
differentiate the two security-wise, and one should choose the more
compatible/deployable one.
Of course, 3DES is still the most trusted block cipher of all, and there
are really no security advantages to other ciphers (including AES) for
encrypting less than 2^32 blocks (32 GB) of data. 3DES is the MUST
implement algorithm, and this is appropriate given the widespread
confidence in its design.
Since most security products are advertized on the basis of their
security, and many uninformed users would instinctively prefer AES-256
to AES-128 or 3DES, if we *must* migrate away from 3DES for some reason,
it may be adviseable to make AES-256 the "standard" algorithm, just to
make these people happy, and avoid their switching to another
application with better support for AES-256 or...<shudder>...2048-bit
RC4. Of course, if ultimate algorithm confidence is the goal, I think a
better use of our time would be moving to double-encryption of the
message key with RSA-KEM and ACE-KEM, as recommended by the Nessie
project. Come to think of it, a much better use of our time would be
implementing a form of authenticated encryption. 3DES followed by
HMAC-SHA1, anyone? :)
<Prev in Thread] |
Current Thread |
[Next in Thread>
|
- Re: Suggested DER Prefixes, (continued)
- AES-256 vs AES-128 (Re: Suggested DER Prefixes), Adam Back
- Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes), Derek Atkins
- Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes), Adam Back
- Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes),
John Wilkinson <=
- Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes), Hironobu SUZUKI
- Re: AES-256 vs AES-128, Werner Koch
- Re: AES-256 vs AES-128, Bodo Moeller
- Re: AES-256 vs AES-128, John Wilkinson
- Re: AES-256 vs AES-128, Ian Grigg
- Re: AES-256 vs AES-128, John Wilkinson
- Re: AES-256 vs AES-128, Jon Callas
- Re: AES-256 vs AES-128, David Shaw
- Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes), David Shaw
- Re: Suggested DER Prefixes, Jon Callas
|
|
|