Rijndael class>>#keySize


Rijndael class>>#keySize

Chris Muller
Hellooooooooooo...  (It's been pretty quiet here).
 
 I would like to propose an increment to Rijndael's keySize as recommended in Practical Cryptography.  From Chapter 4, section 5.8 (p. 65):
 
     "A 128-bit key would be great except for one problem:  collision attacks.  Time and time again we find systems that can be attacked by a birthday attack or a meet-in-the-middle attack.  We know these attacks exist."
 ...
     "Design rule 3.  For a security level of n bits, every cryptographic value should be at least 2n bits long."
 ...
     "For 128-bit security we really want to use a block cipher with a block size of 256 bits, but all the common block ciphers have a block size of 128 bits."
 ...
     "Still, at least we can use the large keys that all AES candidate block ciphers support.  Therefore:  use 256-bit keys!"
 
 (I hope I don't get in trouble for quoting this much text).
 
 Furthermore, later on in chapter 22 about securing long-term secrets with passphrases, it recommends to "salt and stretch" the passphrase to a 256-bit value and use that to encrypt your secrets (i.e., keyring).  The only way Rijndael can do that is with a keySize of 256 bits.
 
 If anyone objects, please let me know, otherwise I will post this change in the near future.
 
 Thanks,
   Chris


_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
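
The "salt and stretch" step mentioned in the message above, as an added example that is not part of the original post or of the Squeak cryptography code. It stretches a passphrase with an iterated SHA-256 hash and shows that the 256-bit result is only used in full by a 256-bit key size. The hash choice, salt length, iteration count and all function names are assumptions made for this sketch; the listed key sizes are those of the Rijndael specification (128 to 256 bits in 32-bit steps).

```python
import hashlib
import os

SALT_BYTES = 32        # assumption: 256-bit random salt stored beside the keyring
ITERATIONS = 200_000   # assumption: tune to the delay acceptable at unlock time
RIJNDAEL_KEY_BITS = range(128, 257, 32)   # 128, 160, 192, 224, 256


def new_salt() -> bytes:
    """Fresh random salt; it is not secret and is stored with the ciphertext."""
    return os.urandom(SALT_BYTES)


def stretch(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Iterated hash: x_0 = empty, x_i = SHA-256(x_{i-1} || passphrase || salt).

    Returns x_r, a 256-bit value. The salt makes precomputed dictionaries
    useless; the iteration count multiplies the cost of every guess.
    """
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    p = passphrase.encode("utf-8")
    x = b""
    for _ in range(iterations):
        x = hashlib.sha256(x + p + salt).digest()
    return x


def usable_key_sizes(key: bytes) -> list:
    """Rijndael key sizes (bits) that consume the derived key without truncation."""
    return [bits for bits in RIJNDAEL_KEY_BITS if bits == len(key) * 8]


if __name__ == "__main__":
    salt = new_salt()
    key = stretch("constructed sample passphrase", salt)
    print("salt:", salt.hex())
    print("derived key bits:", len(key) * 8)
    print("key sizes using the full key:", usable_key_sizes(key))
```
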

RE: Rijndael class>>#keySize

Ron Teitelbaum
Thanks Chris.  That makes sense.  Other opinions are welcome of course.  As
for the quiet, yeah it has been but there is still work going on behind the
scenes, just nothing to show for it yet.  

Will you or anyone else be available to look into and work with Paul's ASN.1
implementation once it is completed?  Paul is on his 4th or maybe 5th
iteration.

I talked to Hans-Martin and he's been way too busy to work on his projects.
Maybe soon.  If there is something we should be working on in the meantime
please feel free to suggest it.

Ron Teitelbaum

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of
> Chris Muller
> Sent: Friday, March 24, 2006 1:34 PM
> To: [hidden email]
> Subject: [Cryptography Team] Rijndael class>>#keySize
>
> Hellooooooooooo...  (It's been pretty quiet here).
>
>  I would like to propose an increment to Rijndael's keySize as recommended
> in Practical Cryptography.  From Chapter 4, section 5.8 (p. 65):
>
>      "A 128-bit key would be great except for one problem:  collision
> attacks.  Time and time again we find systems that can be attacked by a
> birthday attack or a meet-in-the-middle attack.  We know these attacks
> exist."
>  ...
>      "Design rule 3.  For a security level of n bits, every cryptographic
> value should be at least 2n bits long."
>  ...
>      "For 128-bit security we really want to use a block cipher with a
> block size of 256 bits, but all the common block ciphers have a block size
> of 128 bits."
>  ...
>      "Still, at least we can use the large keys that all AES candidate
> block ciphers support.  Therefore:  use 256-bit keys!"
>
>  (I hope I don't get in trouble for quoting this much text).
>
>  Furthermore, later on in chapter 22 about securing long-term secrets with
> passphrases, it recommends to "salt and stretch" the passphrase to a
> 256-bit value and use that to encrypt your secrets (i.e., keyring).  The
> only way Rijndael can do that is with a keySize of 256 bits.
>
>  If anyone objects, please let me know, otherwise I will post this change
> in the near future.
>
>  Thanks,
>    Chris
>
>
