On 01/04/2013 11:05 PM, Arno Wagner wrote: > On Fri, Jan 04, 2013 at 09:56:27PM +0100, Milan Broz wrote: >> On 01/04/2013 09:20 PM, Heinz Diehl wrote: >>> On 04.01.2013, Arno Wagner wrote: >>> >>>> I think the current state is that in absolute terms AES256 is at >>>> least as secure than AES128, but maybe not more so. >>> >>> What's behind the "maybe", actually? Are there any serious attacks >>> that can be carried out practically which reduces AES-256 to the >>> strength of AES-128? Or are those weaknesses only of theoretical >>> nature? >> >> I think it is about related key attacks > > Yes. > >> I will better >> not try to interpret the papers. There is a nice summary: >> >> http://www.schneier.com/blog/archives/2009/07/another_new_aes.html > > Hmm, reading this again, and the discussion comments by > Schneier, maybe we should use AES128 as default. > AES256 might indeed be somewhat weaker than AES128. But please note this is from 2009. There are some new recent papers related even to AES128. To cite the same source... http://www.schneier.com/blog/archives/2011/08/new_attack_on_a_1.html Dunno. aes128-xts is perhaps enough (and the keyslot size remains the same). > > Not that either can be broken at this time. > > One idea: With AES256+XTS, the keyslot-area is larger. > If somebody wants to re-encrypt AES256+CBC in place, > they would need to use AES128+XTS anyways. Correct? reencrypt tool supports data shift, so you just need to add some space or reduce fs in advance. But yes, it is more complicated. > That would be a second reason to use AES128. > > Well, things are never simple when security is concerned... I think there is only one simple situation in cryptography... Once is something broken, it remains broken forever :-) Milan _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
