On Fri, Jan 04, 2013 at 09:56:27PM +0100, Milan Broz wrote: > On 01/04/2013 09:20 PM, Heinz Diehl wrote: > > On 04.01.2013, Arno Wagner wrote: > > > >> I think the current state is that in absolute terms AES256 is at > >> least as secure than AES128, but maybe not more so. > > > > What's behind the "maybe", actually? Are there any serious attacks > > that can be carried out practically which reduces AES-256 to the > > strength of AES-128? Or are those weaknesses only of theoretical > > nature? > > I think it is about related key attacks Yes. > I will better > not try to interpret the papers. There is a nice summary: > > http://www.schneier.com/blog/archives/2009/07/another_new_aes.html Hmm, reading this again, and the discussion comments by Schneier, maybe we should use AES128 as default. AES256 might indeed be somewhat weaker than AES128. Not that either can be broken at this time. One idea: With AES256+XTS, the keyslot-area is larger. If somebody wants to re-encrypt AES256+CBC in place, they would need to use AES128+XTS anyways. Correct? That would be a second reason to use AES128. Well, things are never simple when security is concerned... Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- One of the painful things about our time is that those who feel certainty are stupid, and those with any imagination and understanding are filled with doubt and indecision. -- Bertrand Russell _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt