Re: AES-256 vs AES-1282003-06-26 07:37:16
And, I just picked up Bruce Schnier's new book, and he recomends AES-256 to
get 128-bit actual strength in light of birthday attacks and
meet-in-the-middle attacks.
Mike Markowitz
<markowitz(_at_)infosecco To:
moeller(_at_)cdc(_dot_)informatik(_dot_)tu-darmstadt(_dot_)de (Bodo Moeller)
rp.com> cc:
ietf-openpgp(_at_)imc(_dot_)org
Sent by: Subject: Re: AES-256 vs
AES-128
owner-ietf-openpgp(_at_)m
ail.imc.org
06/24/2003 03:54 PM
At 03:10 PM 5/31/2003 +0200, Bodo Moeller wrote:
Of course arguably 128 bits are by far enough so that you don't really have to worry about anything of this -- unless you think that quantum attacks might become realistic. Just when you thought this thread was dead... <g> Here NSA's current view of the matter (from the recent "CNSS Policy No. 15, FS-1" document: http://csrc.nist.gov/cryptval/CNSS15FS.pdf): "(6) The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths." -mjm
|
|
||||||||||||||||