I had someone wonder why the FAQ recommends avoiding CAST, BLOWFISH, IDEA, or 3DES for bulk encryption. It occurs to me that this is a pretty reasonable question and probably should get placed in the FAQ. So, here's proposed new content -- please feel free to chime in with thoughts or criticism.
For the technically inclined, yes, this explanation simplifies things an awful lot -- maybe too far, I don't know. If you can come up with better phrasings *that are still understandable to non-technical users*, I'd love to hear them. :)

=====

Q: Why should some ciphers be avoided for bulk encryption?

A: Ciphers are deterministic. This means that for the same inputs, you get the same outputs. The OpenPGP standard requires that ciphers run in what's called a "feedback mode," where the ciphertext of one block becomes an input to the next block. But what happens if two identical ciphertext blocks are found? Since the cipher is deterministic, the cipher will begin repeating its output. This creates a distinctive pattern which a cryptanalyst can exploit.

For a 64-bit cipher, you'll probably wind up repeating a block after about 32 gigabytes. In order to reduce the risk of this happening, we recommend that if you use a 64-bit cipher you don't use it to encrypt more than a single DVD's worth of data -- about four gigabytes.

A 128-bit cipher will begin to repeat after about 100 exabytes. This is a number so mind-bogglingly large it's unlikely to ever become a problem for even the most demanding of users.
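The "repeat after about 32 gigabytes" figure above is the birthday bound for a 64-bit block: a repeated ciphertext block becomes likely after roughly 2^(n/2) blocks. The following is an added illustration, not part of the post or of GnuPG, that computes that bound for a given block size, estimates the repeat probability for a given amount of data under one key, and checks the claim with a toy CFB simulation in which a seeded random permutation stands in for the cipher (an assumption of the model, not a real cipher).

```python
import math
import random


def birthday_bound_blocks(block_bits: int) -> int:
    """Blocks after which a repeated ciphertext block becomes likely: 2^(n/2)."""
    return 2 ** (block_bits // 2)


def birthday_bound_bytes(block_bits: int) -> int:
    """The same bound as bytes of data: 2^(n/2) blocks of n/8 bytes each."""
    return birthday_bound_blocks(block_bits) * (block_bits // 8)


def collision_probability(block_bits: int, data_bytes: int) -> float:
    """Approximate probability that at least one ciphertext block repeats after
    encrypting data_bytes under one key: 1 - exp(-N^2 / 2^(n+1)), N = number of blocks."""
    n_blocks = data_bytes // (block_bits // 8)
    return 1.0 - math.exp(-(n_blocks ** 2) / 2 ** (block_bits + 1))


def cfb_blocks_until_repeat(block_bits: int, seed: int) -> int:
    """Toy CFB model: a seeded random permutation plays the role of E_k (this is a
    model of a deterministic cipher, not a cipher). Encrypt random plaintext blocks
    and return the index of the first ciphertext block equal to an earlier one."""
    rng = random.Random(seed)
    space = 2 ** block_bits
    perm = list(range(space))
    rng.shuffle(perm)                   # E_k: one fixed permutation of the block space
    prev = rng.randrange(space)         # IV feeds the first block
    seen = set()
    i = 0
    while True:                         # terminates by pigeonhole within 2^n + 1 blocks
        i += 1
        plain = rng.randrange(space)    # constructed random plaintext block
        cipher = perm[prev] ^ plain     # CFB: C_i = E_k(C_{i-1}) XOR P_i
        if cipher in seen:
            return i
        seen.add(cipher)
        prev = cipher                   # feedback: ciphertext becomes next input


if __name__ == "__main__":
    for bits in (64, 128):
        print(f"{bits}-bit block: repeat likely after "
              f"{birthday_bound_bytes(bits) / 2 ** 30:.0f} GiB")
    print(f"64-bit block, 4 GB under one key: "
          f"p(repeat) ~ {collision_probability(64, 4 * 10 ** 9):.4f}")
    print(f"toy 16-bit CFB: first repeat at block {cfb_blocks_until_repeat(16, 1)} "
          f"(bound 2^8 = {birthday_bound_blocks(16)})")
```

The 4 GB recommendation in the post keeps the 64-bit repeat probability under one percent, while at the 32 GiB bound it is already about 39 percent.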
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users