ietf-openpgp

Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)

2003-05-30 18:32:56

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, May 30, 2003 at 03:57:14PM -0400, Derek Atkins wrote:

> I beg to differ, but extra rounds do not necessarily improve
> the security.  You still have a 2^128 brute-force attack
> against the cipher if you use a 128-bit key.  It doesn't matter
> what happens to the other bits.
>
> Regardless, I believe that AES-128 has had significantly more
> peer review than the larger elements, and "bigger is not necessarily
> better".  As a security engineer you need to use prudence in
> choosing which tools to use in which situation.   Based on the
> state-of-the-art in 2003, and foreseeable for the next few years,
> I believe that AES-128 is sufficient for our needs.
>
> Adding additional ciphers will just decrease interoperability, which
> will reduce security because people won't use it.  "The perfect is
> the enemy of the good".  Let's get it out there, get it deployed,
> make it ubiquitous.  Until that happens, I don't feel we should
> be entertaining additional ciphers.

Just to clarify what I thought I was reading: are you suggesting that
AES-256 (and presumably AES-192) be dropped from OpenPGP, or is that
just a general comment?

I was in favor of dropping TIGER, MD2, SAFER, etc, but AES-192 and 256
are already widely implemented and deployed (PGP 7 and later, GnuPG
1.0.4 and later).  Removing those two ciphers now would cause pretty
serious interoperability problems.

Perhaps I misunderstood your thrust, in which case, my apologies.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+2AZD4mZch0nhy8kRAuxFAJ9W2XXEbJVO7VEYerXJsK9FtwunWQCgmkG7
EnaQn5QSpZoVLZjja6He7HQ=
=aEtu
-----END PGP SIGNATURE-----
